One of several basic elements of a robust cybersecurity program is promoting security awareness throughout your organization. And not just occasionally. It requires establishing a security awareness program that can be delivered regularly to all employees and updated as new threats emerge.
Other cybersecurity program elements, such as incident response planning, risk assessment, and corrective action planning, are important. However, security awareness is rarely given the priority it deserves—despite the associated risks.
Through September 2021, the number of data breaches in the U.S. had surpassed the total number of breaches in all of 2020, and the total number of cyber attack-related data breaches was up 27%.
Healthcare continues to dominate all industries in terms of the number of data breaches and individual records affected. In 2021, more than 40 million patient records were potentially affected by data breaches through October, with the ten largest incidents accounting for more than 30 million records, according to data reported to the HHS Office for Civil Rights. Other industries are far from immune.
Organizations throughout the U.S. are under constant assault by cybercriminals, and too many are successful in their malicious endeavors. One of the reasons is poor security awareness among organization employees.
However, many organizations lack the time, expertise, or other resources to develop effective security awareness programs, which leaves them vulnerable to serious risks.
An organized, documented security awareness program is required to comply with security frameworks like NIST and industry regulations such as PCI-DSS, HIPAA, and GLBA. Financial institutions, healthcare organizations, credit card processors, merchants, and other regulated entities must create organizational cultures in which security awareness is top of mind. But these programs take time and effort to develop in-house.
A Virtual Chief Information Security Officer is an experienced professional who can assess your organization’s current level of security awareness and identify its gaps. He or she can then develop a program to enhance security awareness at all levels.
A VCISO can provide the expertise and materials necessary to develop a security awareness program that will be active, ongoing, and effective in your organization.
In addition to printed materials and electronic communications templates, employee training in security awareness is required by regulation and best practice. Training helps employees, including management staff, understand the variety of cyber risks and attacks that can occur and what they should do if they suspect something is wrong. Effective training teaches them to be aware of phishing schemes and how they work, and of ransomware plots and how to spot them. Armed with security awareness reinforced by regular security training, your employees will be able to act as part of your organization’s defensive line.
Security awareness training has the added advantage of demonstrating to others, including regulators, the value your organization places on information security. And its importance to you in protecting the interests of your clients, partners, patients, and other stakeholders, as well as your employees.
With phishing attempts responsible for more than one-third of cyberattacks in the U.S. each year, training employees in how to spot phishing schemes can be as easy as sharing the tips below. It’s an action you can take immediately and independently of any larger security awareness program.
Phishing Training Tip 1: Read your emails carefully. Look for simple grammar or spelling mistakes, which often characterize phishing emails. Be suspicious of any links in an email, especially if you do not recognize the email sender or have no business communicating with them. Also, check the URL or domain name of the sender; hover over their sending name to see the source URL. Simple errors such as spelling nextflix.com instead of netflix.com are easy to overlook—but are vital clues that something is amiss.
Phishing Training Tip 2: Be suspicious of other media. Phishing doesn’t only take the form of emails. It can include phone calls, texts, and messages on social media. If an offer sounds too good to be true, it probably is. If a request comes from someone you don’t know or seems odd or unusual, consider the email a red flag and do some research before responding. (See Tip 3.)
Phishing Training Tip 3: Be wary of requests. If you receive an email from an unexpected address that requests you to transfer funds, pay an invoice, open an attachment, or provide sensitive information, don’t do it right away. First, verify that the sender and their company are legitimate. Go to the sender’s website and look for a phone number to call; ask what the company does, and ask for the sender by name. Double-check the domain name and do an online search for the company. It’s better to be suspicious and take verifying actions than to be duped by a bogus request that can hurt your company.
Malicious email links and attachments are designed to install malware on computer networks in order to bring down servers, siphon off data, and freeze company systems. These threats are easily avoided with employee phishing training that is part of an overall security awareness program.
A robust security program encompasses a variety of activities designed to protect information and information systems from a wide range of threats. One vital component is a security awareness program, including employee training. Security awareness training must include teaching employees how to spot phishing schemes and ransomware attempts since these are common sources of data breaches. Phishing schemes account for more than one-third of all cyberattacks in the U.S. in recent years. For more information, watch our video “The Naked Truth About Phishing and Ransomware” in the Video section of our Resources page.
A security awareness program is mandated by regulatory requirements and security best practices across numerous industries. If an organization is unable to address security awareness effectively, and in an appropriate timeframe, then a Virtual CISO can serve as an expert resource to accomplish this objective.