The importance of security awareness
With the increasing number of cyberattacks and organizations falling victim to them, the question is no longer ‘if’ but ‘when’, especially for organizations that do not improve their IT security. Security awareness, or workplace awareness, plays a crucial role in improving an organisation’s (online) security. In this article, you will read more about the different levels of awareness and how to apply them in practice.
Introduction – The journey towards a secure organization
More and more, the news is reporting on large organisations and companies that have fallen victim to a cyber attack. For example, the Dutch Data Protection Authority saw an explosion in the number of data breach reports in 2021, and the number of ransomware attacks has increased by 33% in recent years, according to the annual report of the Public Prosecutor’s Office. That’s double compared to the previous year. Yet a lot of organizations lag behind when it comes to cyber security. For example, the report “Cybersecurity awareness in the European Union” showed that many employees are unaware of the risks of cyber attacks and only a small proportion of employees are trained in cybersecurity.
In this article, we explain step by step how to better protect employees so that they contribute to the security of your organisation. Each level has its own steps, tips and tricks, but some levels will overlap here and there.
What exactly is a cyber attack?
A cyberattack refers to destroying, changing, or gaining access to (personal) data of an organization, without the permission of the organization. For example:
- Your USB flash drive with sensitive data from customers gets stolen;
- A hacker breaks into your computer network and steals (personal) data;
- Any type of ransomware.
Hackers that break into the network of an organization and acquire sensitive data are more common than often thought. To make matters worse, according to research from Cisco, about 60% of cyberattack victims go bankrupt within 3 years after the attack. Almost all organizations depend on their digital data, and it has a huge impact if this data leaks or gets damaged. We often see a long-term impact on business operations from a cyber attack. This could result in immediate operational loss, claims for damages due to inability to fulfil obligations, or serious reputational damage. There are also hefty recovery costs and investments involved in a cyber attack so that security weaknesses can be closed. The combination of these issues puts the survival of the organisation at risk. It’s not necessarily the cyber attack in itself that leads to bankruptcy; it’s the road towards recovery and the costs involved that kill these organizations. When it comes to cyber security, it’s always better to be safe than sorry.
What forms of cybercrime are most common in organizations and what is the damage?
For the past years a lot of us have been working from home, and the majority of business conversations have been taking place online. While this way of working had positive effects, it also opened the door for data leaks and cybercrime. Perhaps you’re already familiar with the most common types of cyber crime, perhaps not. In any case, here’s an overview:
Malware is an umbrella term for software like viruses, spyware, and Trojan horses. Malware usually ends up on a computer or network when employees click on a link or open a document that contains this software. Because so many employees of many organizations have been working from home in recent years, we have seen an increase in malware attacks.
Ransomware is a nasty form of malware. It prevents people within the organization from accessing important documents or processes that are essential for the organization to keep running. Often a large ransom is demanded from the organization to regain access.
Phishing is probably one of the most common forms of cybercrime today. Both privately and professionally, we see more and more people falling victim to the psychological game hackers play during a phishing attack. They often pose as a well-known supplier or company and then ask for important details. Remote working has given a boost to the increase of phishing.
Password hacks are a little different in nature. These attacks use programs that can guess weak passwords. Another method of obtaining employee passwords is keylogging, where the keystrokes typed on a computer are recorded without the user’s knowledge or permission. Employees that use the same password to get access to multiple platforms are at higher risk of being hacked, because one leaked password then gives access to all of those platforms.
The consequences of a cyberattack
It’s evident that the consequences of a cyberattack have a major impact. Identity theft due to a cyberattack is no joke, nor are the loss of sales or reputational damage. A few things that influence the impact of a cyberattack:
- How quickly can you recover: If the organization has the procedures in order and can recover quickly from an attack, this significantly reduces the impact. A temporary (short) disruption can often be managed well.
- Special characteristics of the organization: To illustrate, when a hospital gets attacked, the risks are a lot higher than when data gets leaked at the local newspaper office.
- Duration of the attack: Sometimes a hacker has been inside the network for days or weeks. If this is not detected, the damage can be very targeted and can even impair the organization’s ability to recover.
How do I make my employees aware of the risks?
Cyber risks come in different shapes and sizes. They all ask for a different approach. By actively involving employees in the company’s security, many of these cyber risks can be prevented. But exactly what levels of cyber-awareness are there and what should you pay attention to for each level?
Security Awareness Maturity Model (SAMM)
The Security Awareness Maturity Model (SAMM) is a model for measuring and improving employee security awareness within organizations. Developed by the Software Assurance Forum for Excellence in Code (SAFECode), the model provides organizations with a framework for establishing, maintaining and improving their security awareness programmes.
SAMM consists of five levels, each with its own set of criteria and objectives:
- Unaware: In this level, there is no security awareness programme or the programme is immature and unstructured.
- Reactive: In this level, there is a basic security awareness programme in place that focuses on responding to specific incidents or events.
- Proactive: In this level, there is a more formal and structured security awareness programme in place that focuses on proactive risk management and incident prevention.
- Optimized: In this level, the security awareness programme is fully integrated into the business processes and culture and there is a continuous improvement cycle.
- Leading: In this level, the organisation is a leader in security awareness, with an innovative and advanced programme that goes beyond best practices and focuses on the latest threats and technologies.
Phase 1: Unaware
This phase focuses on providing knowledge about the basics of cyber security and how employees can protect themselves against cyber threats. At this level, employees are unaware that they are targets of cyber criminals and that their actions have a direct impact on organizational security. They are not familiar with the organization’s security policies and can therefore easily become victims of attacks. In this phase, focus on the basics. This could include using strong passwords, recognizing phishing emails, keeping software up to date and using secure networks.
Phase 2: Reactive
This is the phase where security awareness consists merely of a list to be ticked off, where the company just wants to meet specific compliance and audit requirements. Training only happens annually or incidentally. Employees have little certainty about the organization’s policies and their role in protecting the organization’s data and intellectual property.
Policy development and training are crucial for improving cyber security at this stage. Developing and implementing an information security policy with guidelines for secure IT use and data protection is essential. In addition, providing basic security training to employees is important to make them aware of cybersecurity principles and potential threats. These measures lay the foundation for stronger cybersecurity and promote a culture of awareness and accountability.
Phase 3: Proactive
Organizations that reach this stage can be rightly proud, as many are still bogged down in the second stage. In this phase, the programme identifies the relevant topics to be covered in security awareness training. The aim is to create training that has maximum impact on the organisation’s mission. This goes beyond annual training; it requires continuous improvement throughout the year.
Phase 4: Optimized
At this stage, organizations have stable processes, resources and management support for longevity, including annual evaluation and optimization. The security awareness program is an integral part of the corporate culture, is kept current, and encourages employee involvement. To achieve this level, you will conduct regular measurements and evaluations to assess the effectiveness of the security awareness program. This can be done through assessments, surveys and simulated phishing attacks, for example. Analyze the results of these measurements and evaluations and use this information to continuously improve the security awareness program. Identify weaknesses and implement targeted measures to address them.
Phase 5: Leading
In this final phase, the program is supported by statistics, making progress visible and the effect measurable. This allows the program to be continuously improved and to show results. But measurability is not the only thing that matters at this stage. Integrate security awareness into the broader business processes and culture. Work with other departments, such as HR and IT, to include security awareness in the onboarding process of new employees and in daily operations.
SAMM-model as a guide
At a time when cyber attacks are becoming more common and organizations are vulnerable, it is crucial to strengthen IT security. This article has shown that security awareness, or workplace awareness, plays a vital role in improving an organization’s online security. Making employees aware of the risks and involving them in security measures can prevent many of the cyber risks. The Security Awareness Maturity Model (SAMM) provides a framework for measuring and improving awareness levels, whereby organizations can strive to achieve industry-leading levels of security awareness. Preventing cyberattacks is always better than having to repair the damaging effects afterwards. By taking the right measures and engaging employees, organizations are better able to guard against the growing threat of cybercrime.
We at OpenSight believe that good preparation is more than half the battle. Cybersecurity is not a one-time activity but a constant process, as cybercrime is constantly evolving. We strive to increase your organization’s digital resilience. To achieve this, we train people, build processes and provide technology that makes a difference.
We are here to improve the security of your business or organization. Together with our strategic partners, we ensure a complete approach so that we can provide clients with the best advice. Collaboration is essential here to arrive at the right solution for your organization. There is an appropriate solution for every challenge.
So whether you’re looking for improved manageability, optimal recovery from a disaster, or prefer to take your security as a managed service, OpenSight is your partner! Contact us for personal advice.