Organisations’ second biggest concern is their employees’ lack of security awareness, according to CyberEdge’s 2018 Cyberthreat Defense Report.
This is the first time in five years that poor security awareness hasn’t topped the list – with ‘lack of skilled personnel’ nabbing the top spot. However, as CyberEdge notes, the gap between first and second position is so small that both should be considered a top priority.
The report states: “Stepping into our proverbial soap box for a moment, we want to reiterate our shock and disappointment about IT security organizations’ not doing enough to train company personnel about how to minimize cybersecurity risks through safe computing.”
It adds: “Suffering from a shortage of high-quality security talent is completely understandable. But failing – year after year – to invest in your company’s “human firewall” is both inexplicable and inexcusable.”
How is poor awareness affecting organisations?
Employees who aren’t aware of their cyber security obligations are prone to ignore relevant policies and procedures, which could lead to unintentional disclosures of data or successful cyber attacks.
There is also the threat of phishing and ransomware (which is often delivered through phishing emails). CyberEdge’s report found that spear phishing – sending malicious emails that claim to be from a legitimate source – dominates traditional phishing scams.
Commenting on the likelihood of being infected with ransomware, the report said: “It’s like flipping a coin twice consecutively – once to determine if your organization will be victimized by ransomware (55% chance), and then, if you decide to pay the ransom, flip it again to determine if you’ll get your data back (49.4%).”
This is why we recommend never paying ransoms; there’s no guarantee that crooks will keep their word. Another problem with paying ransoms, which the CyberEdge report didn’t address, is that once an organisation pays a ransom, it becomes susceptible to future attacks.
The good news is that 86.9% of infected organisations didn’t pay up, and instead got their data back from backups or other sources. Of course, it would be better if fewer organisations were infected with ransomware to begin with. The first step is to educate employees about the threats they may face, which is where our Phishing and Ransomware – Human patch e-learning course comes in.
This e-learning course introduces employees to phishing and ransomware, and explains how they work. Armed with this knowledge, they will be much more likely to avoid such attacks.