Cybersecurity awareness education: The beginnings of change
More than eight in 10 data breaches globally can be attributed to human error.
People are the weakest link in cybersecurity. And this weakness comes from a lack of awareness about our cyber risk and the behaviors that influence it. Many people see cybersecurity as an IT concern. In truth, cybersecurity concerns everyone. When our hospitals get infected with ransomware, we can’t receive care. When our organizations experience a cyberattack, we lose our jobs. Still, we tend to underestimate the importance of cybersecurity to our society and economy.
While people are the #1 risk to cybersecurity, we have the capacity to improve it with cybersecurity awareness training, our most important defense against cybercrime. Unfortunately, user awareness education only accounts for 10 percent of corporate security budgets.
What explains this disconnect, and how can we resolve it? In this article, I examine the problem and the crucial change we desperately need.
Cybersecurity awareness education: our progress to date
At the start of Covid-19, cyberattacks multiplied exponentially. Around this time, the government asked me to propose a solution to the crisis. My recommendation was simple: education. Starting in school, people should receive training on their cyber risks. Rather than a one-time event, this education would begin before children started using a computer, and continue in high school, university, and the workplace. My rationale was straightforward. We can’t stop people from encountering cyberthreats. We can affect what happens when they do.
Today, cybersecurity awareness education has gained popularity. Agence nationale de la sécurité des systèmes d'information (ANSSI) continues to offer training to organizations of vital importance along with other assistive services. Cyber Campus, a symbol of France’s commitment to cybersecurity, serves to educate and unite students with researchers, companies, vendors, and government. Our vibrant French tech industry has embraced the need to train people in high technology about cyber risk.
Meanwhile, investment funds, such as Auriga Impact Ventures (formerly known as Cyber Impact Ventures), which I founded in September 2021, are providing early-stage funding to cybersecurity startups in France and Europe. Our objective is to accelerate innovation in cybersecurity and awareness solutions. This progress is important but not sufficient. We must accelerate it.
From awareness to vigilance: the change we need
While cyber awareness education should start at a young age, we need a more immediate solution to address the current crisis. And that solution can only come from the organizations driving our economy and society. Every business bears the responsibility to preserve its continuity of service, which depends on the integrity of information systems. That means businesses own the obligation to train users on better cyber practices.
To provide user awareness training, organizations should focus on four important initiatives.
1. Map risk across the organization.
The goal of cybersecurity awareness education is to limit cyber risk. Yet this risk is unique to each employee and depends on a variety of factors specific to that individual. Before implementing a training program, organizations must first map out cyber risk to understand the educational needs of their workforce. This risk map should identify and classify risk according to four factors:
- Practice of shadow IT (use of non-approved IT applications)
- Sensitivity of activity
- Digital interactions with customers, suppliers, and partners
This risk assessment informs the level of knowledge each employee needs to strengthen cybersecurity. It provides the foundation for personalizing instruction.
2. Explain the importance of cyber risk at company-wide meetings.
Businesses should also establish cybersecurity as an organizational priority. Company-wide meetings serve as the perfect venue for this activity. Leadership should explain the importance of cyber risk and its impact on every stakeholder. The aim is to create general awareness that cybersecurity is a universal concern and employees can and must improve it. The goal is also to begin creating a culture of cyber vigilance.
3. Train people individually.
Because cyber risk varies by employee, organizations should administer training individually. Unlike generic instruction, education should teach employees based on their exposure to the four risk factors referenced previously.
For example, if employees engage in shadow IT, then they should receive education addressing this. Healthcare workers should get instruction that accounts for the extraordinary demands placed on their time and attention. Employees who click links or attachments moments after opening emails should also receive education that focuses on this behavior.
This level of personalized training exists today. At Vade, our technology uses Artificial Intelligence to assess behavior within collaboration suites like Microsoft 365. Based on this assessment, we deliver automated, personalized education to users when they need it, 24/7/365.
4. Certify their cybersecurity awareness.
Beyond education, organizations also need to certify users’ knowledge of cyber risk according to their unique profile. This depends on risk mapping and personalized education. It should occur as part of each employee’s formal annual review. Importantly, this puts cybersecurity on equal footing with other job responsibilities, encouraging employees to focus on it.
The future of cybersecurity awareness training is emerging
Cybersecurity isn’t a concern for the few, but a priority for all. Whether or not we acknowledge it, we all find ourselves in a cyberwar with for-profit and state-sponsored hackers, where knowledge is our most basic and important defense.
While everyone is responsible for cybersecurity, we need organizations to step up and accelerate our cybersecurity awareness. I am confident they can. At Vade, we work alongside companies across France and the globe and continue to witness their progress in this area.
We are on the right path. Now is the time to accelerate our momentum.