Cybercrime is moving at light speed.
A few years ago, cybercriminals specialized in identity theft; now they take over your organization’s network and hack into your bank accounts. Organizations of every size and type are at risk. Are you the next cyber-heist victim? You need a strong human firewall as your last line of defense.
The problem starts with the human element. One recent example is the attack on the casino and hotel company MGM Resorts, which wiped out its entire VMware ESXi infrastructure.
The attackers first found an MGM Resorts employee on LinkedIn whom they assumed had privileged access to the network. Impersonating that employee, they called the organization’s service desk and tricked it into granting access to the employee’s account. By exploiting people and processes rather than technology, they were able to take over the account and bypass multifactor authentication.
Security awareness training as a solution
Security awareness training is used to make sure employees can recognize cyber threats, avoid potentially harmful actions, and take informed steps to protect their business.
Security awareness training can cover topics like identifying suspicious emails, ransomware, physical security for company devices, network security, or other procedures. You want to make sure that the training you provide employees covers any risks they could be exposed to online through their inboxes, social media, or other tools they frequently use for their jobs.
Why is Security Awareness Training important?
The primary purpose of information security awareness training is to reduce the risk of human errors that result in a data breach. Security awareness training is recognized as a critical method for reducing cybersecurity incidents and protecting sensitive data. Companies, security frameworks, and even government regulations may also require security awareness training, and it is a frequent topic businesses get asked about in vendor security assessment questionnaires. In recent years, multiple studies have demonstrated that human error is a leading cause of data breaches.
The terms “cybersecurity awareness training” and “information security awareness education” are used loosely in technical and corporate circles. But as cybercrime continues to grow and cause ever more severe disruptions, more and more companies are establishing and emphasizing security awareness training programs.
NIS2 and SAT
Regulators, too, look beyond the technical protections deployed within organizations and remind us how important continuous security awareness training (SAT) aimed at all employees is. The upcoming NIS2 directive explicitly mandates cybersecurity training as part of its minimum risk management measures.
That is not surprising: employees are increasingly seen as the last line of defense against cyberattacks.
Even though the NIS2 directive does not apply to micro companies, other aspects still call for strengthening the security culture of the whole organization. For any organization to be compliant when it comes to reporting near misses or covering its supply chain security, a cybersecurity culture that involves the whole organization is crucial.
Therefore, organizations in the affected sectors must develop and implement comprehensive cybersecurity awareness training programs for their employees. The training must cover topics such as identifying and reporting cybersecurity incidents, safe use of IT systems and networks, and best practices for protecting sensitive information.
The NIS2 directive also requires organizations to conduct regular training and awareness assessments to ensure that employees are equipped with the necessary knowledge and skills to prevent and respond to cybersecurity incidents.