Intelligent CISO Issue 13 | Page 42

E R T N P X E INIO OP to educate your employees in a way that changes behaviour. Your employees are your last line of defence. What is the best way for businesses to be protected from email-based attacks? Cyberattacks are evolving so quickly and have become so sophisticated that no matter how advanced your security system is, there’s no guarantee that a new attack method won’t make its way into your organisation. The entire IT infrastructure needs to be protected with effective and layered security solutions. And with email being the number-one vector used to execute cyberattacks like malware delivery, phishing, Business Email Compromise, and for spreading threats that are already internal to an organisation, protecting this vital business application is non-negotiable. A defence only approach is no longer sufficient, and organisations need to adopt cyber- resilience. This includes having: • An understanding of emerging threats and how companies are remediating • The right security services in place before an attack happens – focused on prevention as well as those focused on adapting after an attack happens • A well trained, cyber aware workforce • A durability plan to keep email – and business operations dependent on email – running during an attack or failure • The ability to recover data and other corporate IP after an incident or attack occurs How does cybersecurity awareness training create a strong cybersecurity culture? One of the key elements of cyber- resilience is having a well-trained, cyber aware workforce. The ability to adapt to continually evolving and escalating cyberthreats is critical, but cybersecurity needs to be a shared responsibility across the organisation. Human error is involved in over 90% of today’s 42 cybersecurity breaches. Sometimes it’s carelessness, sometimes it’s maliciousness and sometimes it’s things going wrong with the best intentions. No matter what, users need robust, comprehensive awareness training around cybersecurity. By having a strong awareness training programme, you extend your team and prevent incidents from happening when technology and processes fail. Employees are also always coming and going and the only way to keep cybersecurity awareness alive is to provide continuous training, so cybersecurity is top of mind. Without that regular training, your culture will suffer, and people will then assume everything is fine with no reinforcement of vigilance. What is the best method to educate employees about cybersecurity? Persistent, short bursts of training that are tightly focused on a big idea in corporate cybersecurity is the best approach. Security training typically fails because it doesn’t reflect how people work and learn today. It’s delivered too infrequently, it’s long, dry and boring and employees often feel targeted, rather than supported. When training is unengaging and unenjoyable, people don’t learn. If they are not armed with the knowledge of what to look out for and what to do when the situation arises, they will make mistakes. Organisations should consider a solution like Mimecast Awareness Training. The programme uses a continuous, virtuous cycle that changes behaviour and lowers risk. The foundation of the platform is engagement through humour, which is the key to improving awareness and knowledge. Only by getting employees to understand both what’s at stake and what to do about it can you change their attitudes and drive a lasting, positive shift in security culture. The awareness training should be easy, short and supported by the leadership team. This should come with regular KPIs on participation rates and effectiveness with testing of click-through rates. Are the employees of enterprises complacent when it comes to email security? Mimecast recently surveyed more than 1,000 people who use company-issued devices (i.e. mobile phones, desktop computers or laptops) in the workplace. This allowed us to get a better sense of their behaviour. Feedback from the survey would suggest that, yes, they are complacent. The report found that nearly one-in- four employees aren’t aware of the most common threats plaguing today’s organisations, such as phishing attacks, impersonation attempts and ransomware. Additionally, 15% of respondents said they could either be more cautious or Issue 13 | www.intelligentciso.com