The Four Pillars of Cyber Security Awareness
95 percent of successful online attacks against organizations require either unwitting or purposeful participation by that organization’s employees (most of the time they are unwitting / unwilling participants in something they don’t even know is happening).
This article outlines what needs to be done to secure employee behavior. In addition, it lays out the four (4) pillars of success criteria for such a plan. After all, if we cannot measure a program’s effectiveness, how do we know if it works?
Awareness is NOT (only) training
Many companies think of cybersecurity awareness measures as providing IT security training. However, this is not entirely accurate. As long as 25 years ago, NIST stated the following principle, which still holds true today:
Thus, it is about fundamentally secure behavior by all employees of an organization!
So how is Cybersecurity Awareness put into practice? Based on a combination of hundreds of awareness projects at ThriveDX along with data analysis from a global study, we were able to derive the best practices in cybersecurity awareness. Sustainable employee responsiveness and the increasingly secure behavior of employees in dealing with the Internet and e-mail is best achieved with the help of:
- Attack simulations
- IT security training
- A ‘phishing report button’ and with
- Infrastructure assessments of the workplace computer
Such simulations, often also called phishing, smishing and vishing attacks, are the most effective way of raising awareness of cyber risks. The great advantage of such simulation campaigns is their realistic nature. However, care should be taken that for example, emails of a phishing simulation are adapted to the context of the organization and are also written in the “company’s language”. Some simple phishing or smishing scenario à la ‘We give you a tablet for free’ is not paid attention to by most employees nowadays. On the other hand, phishing attempts should always remain recognizable as such. We have discovered that sophisticated phishing campaigns ensnaring many employees may have “teachable moments” but otherwise run the risk of being too clever by half and generally counterproductive.
IT Security Training
Even if IT security training presents fewer “real life” situations and is therefore less effective, the value of this training module in the market is undisputed. It builds and strengthens the theoretical knowledge of employees. Training diplomas serve as proof of training and can also be used for individual learning assessments. This is particularly useful in the GDPR legal space, where attack simulations are often conducted anonymously, implicating no one individual. Because victims are not disclosed, no conclusions can be drawn about the individual.
The 'Phishing Report Button
So-called phish buttons are a simple but incredibly effective IT security tool. In essence they provide employees with an efficient “one push” button to report suspicious emails. . These are subsequently analyzed by the Infosec Team and the employee receives a response on the criticality of the reported message. This encourages individual engagement, activating the ‘human firewall’. The IT department benefits from qualified reports of suspicious mails while weaker employees gain much more security in their daily work. It is important that the employee receives a response to his messages. If this does not happen, then the commitment and dedication of the employees slackens.
Infrastructure Assessments of Work Computers
Cybersecurity awareness is not only about the person, but also about his or her workplace computer. If you want to get a 360° view on employee awareness and security, malware simulations, mail filter and web filter tests on the employee’s computer make sense. A malware simulation answers the system administrator’s questions like ‘how far could a ransomware attack get on the possibly infected computer and in the company network’. In this way, vulnerabilities can be detected and closed/mitigated. The mail and web filter test answers the admin’s question ‘Which email attachments get through the company’s security filters?’ Here too, risk exposures can be better identified. On the basis of these findings, it is also possible to carry out file-based phishing simulations with the same file extensions in order to reduce the risk by target training the staff.
Status of the Implementation of Cybersecurity Awareness Measures in Practice
In a wide-ranging study, around 1900 specialists were surveyed on the use of awareness measures in 2022. It reveals that attack simulations – especially phishing simulations – have caught up with awareness training. Phishing incident buttons were used by less than half of the respondents and the use of infrastructure assessments is not readily apparent.
In conclusion, if you want to conduct holistic cybersecurity awareness, you have to rely on the 4 pillars attack simulations, IT security trainings, phishing button and infrastructure assessments!
At ThriveDX, we help you re-skill employees to add those saved expenses back to your bottom line. If you’re interested in learning more about how ThriveDX solutions can be customized for your business, we’d be happy to discuss in further detail.
Palo Stacho has been an entrepreneur, public speaker and thought leader in the IT industry. He holds a Swiss Federal Diploma in Computer Science and a postgraduate degree in Corporate Governance from the HSG. After spending several years working in cybersecurity, Palo joined Lucy Security as a Co-Founder to help build the company in 2015. As a project manager and solution consultant, Palo has experience from dozens of cybersecurity awareness projects, be it at Lufthansa, Bosch, Mobiliar Insurance, OMV, Swisscom and more. In 2022, Lucy Security was acquired by ThriveDX’s Enterprise Division and has remained on as an Advisor to the company.
Protect Your Organization from Phishing
Explore More Resources
Your Trusted Source for Cyber Education
Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.