Security strategies must become more agile if businesses are to defend themselves against the risks they face now and in the future, allowing them to change their strategy based on paths taken by threat actors.
Employees letting their guard down and accessing something they shouldn’t from an unknown and unverified source is one of the top concerns for CISOs in the remote age. According to Code42’s “2021 Data Exposure Report,” 76 percent of IT security leaders report their company has had a data breach in the last year, resulting in the loss of sensitive data, and 38 percent of the time, these breaches were caused by unintended employee carelessness.
Thousands of companies have implemented security awareness training (SAT) on email security and recognizing phishing efforts to help reduce the risk of breaches caused by employees. According to the “Cyber Security Breaches Survey 2021,” phishing attacks are still the most common threat vector, with 83 percent of companies reporting an attempt in the previous year. So, how can businesses better educate their employees for when a potential phishing email arrives in their inbox?
Practicality vs. Compliance
One of the main problems with SAT is that it is built with the business goal of meeting compliance mandates and regulations. If each business is driven by compliance, training will not always address the company’s most pressing challenges.
Because of the fast-paced nature of cybersecurity, training must be continual in order to be effective. Employee turnover is also a factor to consider, since companies will need to train new employees on a regular basis. In some cases, SAT is incorporated into the onboarding process. However, because new employees are often overwhelmed when they start a new job, the training is likely to go right over their heads. And, despite screening and ongoing training, phishing emails continue to reside in inboxes, so what’s the next step?
Employees should be part of the solution
Employees are viewed as the weakest link in the traditional form of SAT. If people are made to feel that they are the problem before they start training, they will be more concerned with impressing their employer than with security. Employees frequently report more suspicious emails after receiving training, but many of these reports may be false positives. Because IT and security teams are busy maintaining the entire company’s security, additional questions from employees divert their attention away from their primary responsibilities.
Businesses need to think about how they can alter their approach to security training, so it isn’t just a point-in-time, tick-box activity, but something more meaningful that delivers results without placing an unnecessary burden on employees.
Combining Crowdsourced SAT and Inbox Security
SAT programs are ineffective as a standalone type of email protection. The combination of training and email security solutions that use a crowdsourced method to harness the collective intelligence of everyone in the enterprise, on the other hand, will be far more effective. Giving employees precise, guided information about suspicious emails, as well as the option to scan an email that has arrived in their inbox at the touch of a button, forces them to think rather than wait for the security staff to give approval on whether or not they may proceed with an email.
If the email is determined to be malicious, the employee receives praise, the SOC team’s time is freed, and the suspicious email is deleted. However, the threat isn’t merely dealt with in the inbox of the user who discovered it. Instead, this intelligence is delivered to each employee’s inbox, where the same threat is automatically remediated if it is discovered there too.
This method is based on the idea of giving employees access to information and visibility into suspicious emails, as well as the ability to request live consultation at the touch of a button. This will make them feel supported in the long run, rather than stressed by a one-time test that merely employs artificial emails. Teams can then use the collected data to construct a framework that takes advantage of the users’ collective understanding. As a result, security teams can use employee feedback to modify the overall security plan, in addition to increasing general awareness.
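The report-verdict-remediate-propagate flow described above, as an added example that is not part of the article or any vendor's product: one employee's report of a confirmed phish publishes a campaign fingerprint, and every other mailbox holding a variant of the same message is swept automatically. The mailboxes, message fields and the `is_malicious` verdict are constructed stand-ins for a real mail store and a real scanner or analyst decision.

```python
import re
from hashlib import sha256

MAILBOXES = {  # constructed sample data: one campaign hits alice and bob with small variations
    "alice": [{"id": 1, "from": "it-helpdesk@corp-support.example", "subject": "Password expires today",
               "body": "Hi Alice, reset here: http://login-corp.example/reset?u=alice"},
              {"id": 2, "from": "payroll@corp.example", "subject": "March payslip", "body": "See attachment."}],
    "bob": [{"id": 3, "from": "it-helpdesk@corp-support.example", "subject": "Password Expires Today",
             "body": "Hi Bob, reset here: http://login-corp.example/reset?u=bob"}],
    "carol": [{"id": 4, "from": "news@vendor.example", "subject": "Weekly digest",
               "body": "Read more at http://vendor.example/digest"}],
}
SHARED_INDICATORS = set()  # campaign fingerprints confirmed malicious, shared by all mailboxes

def fingerprint(msg: dict) -> str:
    """Normalise sender domain, subject and URL hosts so per-recipient variations
    (greeting, tracking parameters, capitalisation) still collapse to one campaign."""
    domain = msg["from"].split("@")[-1].lower()
    subject = re.sub(r"\s+", " ", msg["subject"].strip().lower())
    hosts = sorted({h.lower() for h in re.findall(r"https?://([^/\s?]+)", msg["body"])})
    return sha256("|".join([domain, subject, *hosts]).encode()).hexdigest()

def is_malicious(msg: dict) -> bool:
    """Hypothetical verdict: stands in for the SOC's or a scanner's decision on a report."""
    return "corp-support.example" in msg["from"] and "login-corp.example" in msg["body"]

def report(user: str, msg_id: int) -> dict:
    """Employee reports a message. On a malicious verdict: delete it from the reporter's
    inbox, publish its fingerprint, and remove matching messages from every other inbox."""
    msg = next(m for m in MAILBOXES[user] if m["id"] == msg_id)
    if not is_malicious(msg):
        return {"verdict": "benign", "removed": {}}
    SHARED_INDICATORS.add(fingerprint(msg))
    removed = {}
    for owner, inbox in MAILBOXES.items():
        hits = [m["id"] for m in inbox if fingerprint(m) in SHARED_INDICATORS]
        if hits:
            removed[owner] = hits
            inbox[:] = [m for m in inbox if m["id"] not in hits]  # remediate in place
    return {"verdict": "malicious", "removed": removed}
```

The returned `removed` map is what a SOC would log and what feeds the praise-the-reporter step; the fingerprint store is the crowdsourced intelligence that makes later copies of the campaign disappear without another report.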