By Adenike Cosgrove, Cybersecurity Strategist at Proofpoint
There’s no doubt that the turbulence of the past year has dealt a lucky hand to opportunistic cyber-criminals. Threat actors have not hesitated to seize, with both hands, the chance to turn a huge global challenge to their advantage.
In fact, globally in 2020, organizations saw an increase in both ransomware and phishing – with around two-thirds experiencing a successful attack or infection.
It may be remiss to lay the blame for this entirely at the door of the COVID-19 pandemic and the related cyber-threats, but there’s no denying they certainly played their part. Cyber-criminals wasted no time in exploiting this opportunity, casting thousands of COVID-related lures at users who were perhaps more vulnerable than usual.
According to our latest State of the Phish report, the majority (92%) of UK organizations required or requested that most employees work from home due to the pandemic, which presented its fair share of teething problems, some of which organizations are still experiencing to this day.
Organizational preparedness for remote working was by no means instant – in fact, the majority of CISOs in the UK and Ireland admitted that their employees were not well-equipped to work remotely.
In response, many organizations increased security awareness training, with positive results. Many businesses even offered specific training on how to stay secure while working remotely.
While it’s tempting to see this implementation of additional training as good news, the reality is not quite as clear-cut. It should not take a global crisis for organizations to prioritize security awareness.
To be effective, cybersecurity training must take place regularly, continually adapting to address the threats of the moment. It must be a central part of an organization’s security program, all year round.
The Cybersecurity Impact of COVID-19
Peaking in March and April, cyber-criminals spent much of 2020 taking advantage of the natural interest surrounding the pandemic. With regard to phishing, the combination of themed messaging and mass distribution of attacks was unlike anything our threat research team has seen before.
While the tactics changed throughout the year, the target remained the same. Some offered cures, others promised speedy tests and priority access to vaccines. Many encouraged victims to hand over valuable credentials.
An appetite for the latest COVID-19 developments was just one factor fuelling the phishing fire. Cyber-criminals also struck at a time of significant disruption and distraction. Remote working, home-schooling and the slow-burning stress of an open-ended pandemic all made users prone to mistakes – and more vulnerable to attack.
Many organizations, recognizing the elevated risk, conducted COVID-specific security awareness training. And it worked: 80% of organizations said that awareness training reduced phishing susceptibility.
Results were good in test conditions too. Average failure rates for the most frequently used COVID-related lures ranged from less than 1% to around 20%.
But far from being a cause for celebration, this success highlights the inadequacy of security awareness training outside of, or perhaps prior to, the pandemic. If focused, adaptive awareness training works, why is it not much more commonplace?
The State of Security Awareness
At first glance, you could be forgiven for thinking the prevalence of security awareness training was more than adequate. After all, 98% of organizations have a program of some description in place.
However, there is a massive difference between running a cybersecurity training program and running an effective cybersecurity training program.
As COVID-related phishing lures have shown us, it’s not enough to teach users that a threat exists. For best results, they must learn about it in the context of real-world methods of attack. When awareness of specific and relevant threats increases, behavior can start to change.
However, awareness is not quite enough. Security best-practice behavior truly changes when employees are embedded in the program. For example, notifying an employee that the potential phishing email they reported was in fact malicious helps to drive and incentivize a security-first culture.
Unfortunately, this level of training is rare. Only 64% of organizations conduct formal training sessions, either virtually or in person. For almost two-thirds, training of any sort takes place no more than four times a year. And 36% only train users in certain roles or departments.
Figures like these should raise alarm bells. We know cyber-criminals increasingly target individual users rather than infrastructure. Failure to equip those users with the knowledge to detect and deter such attacks is risky at best and negligent at worst.
Best Practice, as Standard
The response to COVID-related phishing attacks has shown that relevant, targeted, and in-context security awareness training works.
Rather than reverting to type once the pandemic subsides, organizations must use this experience to implement long-term training programs that actively seek to change risky behaviors: programs that focus on the individual and adapt to current, real-world threats.
This is only possible by placing users at the heart of your defence. They are often the only thing standing between the success and failure of an attack. The level of training they receive needs to reflect these high stakes.
Security awareness training must go beyond jargon, definitions of common threats, and multiple-choice tests. It must leave users in no doubt about their responsibilities – and the consequences of failing to uphold them.
When you deliver this comprehensive, people-centric training regularly, you create a security culture. A culture in which your people understand how simple behaviors can put your organization at risk. In which all users know how to prevent, detect and deter cyber-attacks. And in which best practice becomes standard practice.