Over the past several years, companies have realized that cybersecurity can’t just be a check-the-box enterprise – it has to be a fundamental component of their operations, services, and cultures. Many factors have conspired to drive this shift: rapid digitization across industries and sectors, the surging availability and effectiveness of digital communication and collaboration tools, the large-scale shift to remote work, and the increasing sophistication and frequency of cyberattacks.
But amid these changes, there has been one constant: the vast majority of cyberattacks still rely on the deception and manipulation of human beings. While this is a reminder that far too many employees are susceptible to the social engineering tactics that cybercriminals use to infiltrate organizations every day, it also means the most destructive attacks can be thwarted.
This is why companies are making unprecedented investments in cybersecurity – particularly security awareness programs that help employees identify threats, understand what countermeasures are available to them, and deploy those countermeasures to keep themselves and the company safe. But if companies want to be capable of navigating the ever-shifting cyberthreat landscape, they need to make security awareness an even bigger focus.
Cybersecurity investments are on the rise
As cyberthreats evolve and proliferate, it’s no surprise that companies are dedicating a greater share of resources to protecting themselves. According to Gartner, cybersecurity spending has been steadily increasing, while a 2021 PwC survey found that the majority of companies are increasing their cybersecurity budgets. While the information security market was just under $124 billion in 2020, Gartner expects it to reach more than $170 billion by 2022.
Ponemon reports that the average organization spends $2.86 million per year on in-house cybersecurity personnel and resources – a number that spikes to $4.44 million when companies work with a third party. Still, a survey of cybersecurity professionals conducted by ISACA found that 60 percent of respondents believe their cybersecurity budget is lower than it should be, while 20 percent believe it’s significantly lower.
While these numbers demonstrate that companies are prepared to make cybersecurity a core focus like never before, they only tell half the story. Companies often think they can’t be safe unless they hire big IT teams and spend huge sums of money on their digital infrastructure, but this isn’t the case. If it were, how would small and mid-size businesses (SMBs) – which are among cybercriminals’ favorite targets – protect themselves? Companies need a robust, adaptable, and cost-effective cybersecurity strategy, and a strong training platform will give them just that.
Recognizing the human element
Take a look at the FBI’s most recent Internet Crime Report and you’ll see that social engineering attacks are by far the most common cybercrimes. For example, in 2020 there were more than 241,000 reports of phishing – an attack in which victims are tricked into thinking they’re interacting with a legitimate entity so they’ll divulge sensitive information – a number that dwarfs all the other categories of attacks. The actual number is far higher than that, as many cybercrimes go unreported. Verizon’s most recent Data Breach Investigations Report found that personally identifiable information (PII) is the most common type of data to be breached, and it’s often obtained through social engineering.
In the first quarter of 2020, the number of data breaches jumped by 273 percent. COVID-19 gave cybercriminals an unprecedented opportunity to exploit widespread fear and uncertainty with fraudulent information about the pandemic, government relief, remote work, etc. The prevalence of social engineering and the shift to remote work are the primary reasons McKinsey anticipates that the “market for security and training will grow. With cyberthreats to remote workers increasing, companies are motivated to boost training to improve awareness and educate them about cyber hygiene.”
It isn’t just the private sector that’s investing in security awareness training. For example, of the enterprise security services available to state agencies, Deloitte reports that the one used most frequently is security awareness training. As cybercriminals devise more and more sophisticated ways to deceive and defraud their victims, security awareness training will remain at the top of the agenda for companies that take cybersecurity seriously.
Updating security awareness for the post-COVID era
Despite the fact that cyberattacks have exploded over the past year, companies haven’t kept pace with all the changes that are making security awareness increasingly indispensable.
Half of organizations haven’t provided remote workers with cybersecurity training, while 53 percent report that they don’t have any remote work security policies. Even before the pandemic, when PwC sent artificial phishing emails to employees at financial institutions, 70 percent of the emails were opened while 7 percent of recipients clicked on what would have been malicious links. While 45 percent of cybersecurity professionals say they have adequate budgets, there also needs to be a shift in emphasis: just 43 percent of companies have implemented programs that inform employees about the risks posed by remote work.
Although many employees will be heading back to the office soon, we’re about to witness a widespread transition in the nature of remote work. A significant proportion of the employees who are now working from home will soon be working from anywhere – coffee shops, airports, and so on. This will introduce a whole new range of cyberthreats, from physical security concerns to fake WiFi hotspots.
As COVID-19 has demonstrated, a key element of any successful cybersecurity platform is adaptability – circumstances can change drastically overnight, and companies have to be equipped to respond. There’s no information processing tool more agile and resourceful than the human brain, but human error remains the culprit in the vast majority of breaches. This is why awareness training will remain the most important cybersecurity resource companies have.
Written by Zack Schuler.
The views expressed are those of the author and are not necessarily those of the CEOWORLD magazine.