As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories— Mike Fleck of Cyren examines three keys to building a business culture with security awareness at the center.
Security Awareness Training (SAT) has long been a fundamental part of an organization’s security program. Undoubtedly, employees are a massive target and a critical line of defense when it comes to effective cybersecurity practices. If your workforce isn’t aware of their security responsibilities, there will always be a vulnerability within your security infrastructure.
Even though organizations in recent years have invested significantly in SAT, it is still not having the desired impact on their overall security posture. In fact, account takeover is still the origin of most breaches, with phishing attacks rising every year since 2017. Clearly, the current approaches to SAT aren’t enough to keep attacks at bay, let alone reduce them. It’s time organizations re-evaluated their awareness training strategy and transitioned towards building a sustainable culture of effective security awareness.
By implementing minor structural and attitudinal adjustments, organizations can get more effective results out of their employee training programs.
3 Keys to Building a Culture of Security Awareness
Self-Service Can Make the Difference
Organizations can elevate security success by providing users with self-service tools that aid their decision-making capabilities. Simply providing tools that can scan suspicious messages and provide warnings can increase an employee’s awareness and make them more cautious. The alternative, of course, is to expect the user to detect evasive threats without the benefit of any real-time machine analysis and data comparison.
Recent research found that a business with 5,000 mailboxes would need to detect and respond to 3,750 confirmed malicious inbox threats every month. Given this volume of threats arriving in employee inboxes, it is evident that a substantial number of them will always go unnoticed by employees, regardless of how skilled and conscientious they are. Self-service tools can therefore provide an initial analysis of suspicious messages and efficiently classify emails as they arrive in the employee’s inbox, making it easier for employees to pick up on malicious content.
Automated Inbox Security
A significant change is required in the traditional email security practice. Time-heavy manual processes are not only allowing malicious threats to creep in unnoticed, but also impacting employee productivity. Moving forward, organizations need to implement automated inbox security solutions that can continuously scan user inboxes for evasive email threats. Such solutions can identify, report, and eliminate suspicious messages in real-time, thereby resolving the inconsistencies of the traditional human-led approach.
Automated inbox security solutions constantly run in the background, and scan all inbound, outbound, and delivered emails across all user folders. Every message and metadata, including the URLs and attachments, are analyzed in real-time for threat indicators or anomalies based on the sender or recipient’s behavior.
The advanced threat detection and mitigation capabilities of such solutions can effectively reduce the human cost of email security. They can also boost employee productivity and morale by lessening the psychological burden of constantly being on the lookout for malicious emails, allowing employees to focus instead on important business operations.
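To make the "anomalies based on the sender or recipient's behavior" idea concrete, here is an added example (not Cyren's product logic or the author's code): it learns a baseline from already delivered mail and then flags new messages whose sender address, URL hosts or attachment type deviate from that baseline. The message dicts, contact names and domains are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed, illustrative list of attachment extensions worth flagging for review.
RISKY_EXT = (".exe", ".scr", ".js", ".iso", ".lnk")

def build_baseline(history):
    """Learn, per display name, the sender addresses and URL hosts seen in delivered mail."""
    baseline = defaultdict(lambda: {"addrs": set(), "hosts": set()})
    for m in history:
        b = baseline[m["name"]]
        b["addrs"].add(m["addr"].lower())
        b["hosts"].update(urlparse(u).hostname for u in m["urls"])
    return baseline

def analyze(msg, baseline):
    """Return the anomaly indicators for one message; an empty list means nothing was flagged."""
    reasons = []
    known = baseline.get(msg["name"])  # .get() does not create a new baseline entry
    addr = msg["addr"].lower()
    if known and addr not in known["addrs"]:
        reasons.append("display name matches a known contact but address is new: " + addr)
    for u in msg["urls"]:
        host = urlparse(u).hostname
        if known is None or host not in known["hosts"]:
            reasons.append("URL host never seen from this sender: " + str(host))
    for a in msg["attachments"]:
        if a.lower().endswith(RISKY_EXT):
            reasons.append("executable-type attachment: " + a)
    return reasons

def scan_folder(history, messages):
    """Scan a folder of messages against the baseline built from delivered history."""
    baseline = build_baseline(history)
    return {m["id"]: analyze(m, baseline) for m in messages}

# Constructed sample data: two delivered messages from a known colleague, then three new arrivals.
HISTORY = [
    {"name": "Dana Ortiz", "addr": "dana.ortiz@example.com", "urls": ["https://intranet.example.com/q3"], "attachments": []},
    {"name": "Dana Ortiz", "addr": "dana.ortiz@example.com", "urls": [], "attachments": ["budget.xlsx"]},
]
INBOX = [
    {"id": 1, "name": "Dana Ortiz", "addr": "dana.ortiz@example.com", "urls": ["https://intranet.example.com/q4"], "attachments": []},
    {"id": 2, "name": "Dana Ortiz", "addr": "d.ortiz@examp1e-mail.net", "urls": ["https://share-docs.example.net/login"], "attachments": []},
    {"id": 3, "name": "Courier", "addr": "noreply@example.org", "urls": [], "attachments": ["invoice.pdf.scr"]},
]

if __name__ == "__main__":
    for mid, reasons in scan_folder(HISTORY, INBOX).items():
        print(mid, reasons or ["clean"])
```

Message 1 matches the baseline and is left alone; message 2 is flagged twice (new address behind a known display name, unknown URL host) and message 3 once for its attachment type, which is the kind of pre-classification that hands the user a warning rather than a guess.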
Empowerment Versus Training
More often than not, organizations establish SAT for compliance reasons but quickly come to rely on it as a compensating control for detecting business email compromise and other targeted email threats. By doing so, they try to turn users into human detection engines and establish processes for users to report the threats the Secure Email Gateway misses. However, given how heavily email is used every day, and the volume of threats coming into an employee’s mailbox, it is evident that the human mind cannot be diligent all the time.
When users do report suspicious messages, most security teams fail to investigate every alert, and even fewer provide feedback to the reporting users. Analyst feedback reinforces training and encourages continued participation as first-line security practitioners. There is also significant scope to outsource email threat-hunting and analytics responsibilities to external incident response teams. This approach doesn’t just save companies the cost of employing an in-house team; it also provides the workforce with sufficient external support to boost their detection capabilities.
Our reliance on email as the primary channel for business communication makes it a permanent part of the threat landscape, one that will continue to attract cyber-criminals. Although businesses cannot reduce the frequency of targeted attacks and breach attempts, they can certainly reduce the risk factors. With a well-trained workforce, sufficient self-service resources, a proactive culture of security awareness, and automated inbox security solutions, organizations can finally look forward to reducing the risks of email threats and minimizing the likelihood of a successful breach.
- Creating a Culture of Security Awareness Training - November 21, 2022