In today’s digital world, businesses are increasingly dependent on technology, making them vulnerable to cyberattacks. According to a recent study by IBM and the Ponemon Institute, in 2023, the average cost of a data breach stands at around $4.45 million.[Source] This cold reality marks the critical need for a robust security awareness program. Such a program not only equips employees with knowledge about cybersecurity threats and best practices but also empowers them to identify and mitigate these risks in the early stages.
The benefits of a well-designed security awareness program extend beyond the immediate protection it offers. It reduces the organisation’s vulnerability to cyberattacks, safeguarding its finances and market reputation. Furthermore, by increasing employee awareness, the program enhances productivity and reduces the likelihood of costly errors leading to data breaches. A study by Osterman Research found that security awareness training can have a ROI of up to 562%. The study looked at data from over 1000 organizations and found that those with effective security awareness programs experienced a 60% reduction in phishing attacks and a 70% reduction in malware infections.[Source] In fact, an uninformed employee can pose a greater threat than even the most sophisticated cyber-attack. Here at Picnic, we have developed such a program and I want to share it with you.
The impact of a security awareness program on employee behavior
A security awareness program greatly impacts employee behaviour. It educates employees about cybersecurity threats and best practices, allowing them to identify and prevent potential cyber dangers. This will affect how our employees experience their daily work, and it will also help spread this culture throughout the entire organisation.
There is a direct connection between improved security practices and reduced incidents. Tailored security practices directly correlate with fewer security incidents. When employees are well-informed about cybersecurity, they are less likely to make errors leading to data breaches. For instance, Ponemon Institute research found a 60% lower rate of phishing attacks in organisations with highly-aware employees.[Source]
The main question is what steps can be taken to build an effective security awareness program? Let me explain what we did at Picnic Technologies :picnic-heart:
Security-awareness workshops at Picnic
The Picnic security team tailored the workshops to the specific needs of the different teams. To do this, we created different questionnaire forms to ask about teams’ preferences, protocol stack, programming language, communication channels, current team security background, etc. This allowed us to create more tailored and relevant content for each team.
The security awareness program at Picnic has been running for two years and has had a number of positive outcomes. One of the most important ones was the creation of a strong collaboration between the security team and the rest of the organisation. This collaboration has made it easier to identify and respond to security threats.
Another positive outcome of the program was the increase in security awareness among employees. A survey conducted after the program found that employees were more aware of security threats and best practices. Proactive measures and improved awareness have resulted in a significant increase in security reports, such as during a phishing campaign, showcasing a notable rise from 10 reports in the 2022 phishing exercise to 40 reports this year.
These workshops explore the attacker’s mindset, offering a deep dive into their techniques and strategies. This can be done through an attack analysis or a live demo of a credential-stuffing attack. By understanding the attacker’s motivations, tactics, and techniques, participants gained a clear overview of why security is a MUST at Picnic.
The security awareness program at Picnic is an ongoing effort. The team is constantly looking for ways to improve the program and make it more effective. We believe that by continuing to educate employees about security threats, they can help to create a more secure organisation.
Exploring the human aspects
The human element is often overlooked in cybersecurity, but it is one of the most important factors. People are the weakest link in the security chain, and they are often the target of cyberattacks.
During security programs and workshops at Picnic, the security team discusses the psychological factors that influence employee security behaviors. For example, people are more likely to click on a phishing link if they are feeling rushed or stressed. They are also more likely to fall for social engineering attacks if they trust the person who is trying to trick them.
It is also important to learn how to tap into human psychology to create effective security awareness strategies. For example, people are more likely to remember information if it is presented in a way that is relevant to them or if it is emotionally charged.
It is crucial to address the “people” element in the cybersecurity triad: people, processes, and technology. This means creating a culture of security within the organization and ensuring that employees have the knowledge and skills they need to protect themselves and the organization from cyberattacks.
Enhance your security programs and workshops by using real-world examples, discussing psychological influences on employee behavior, and promoting engagement through humor and interaction. Encourage questions, offer feedback, and follow up to reinforce learning.
Gamification and interactive learning
In the context of security awareness programs, gamification can be used to make security training more engaging and interactive. This can help to improve employee retention of security knowledge and skills.
There are many different ways to gamify security awareness training. Some common techniques include:
- Using quizzes and games to test employee knowledge
- Offering rewards and badges for completing security training
- Creating leaderboards to track employee progress
- Using storytelling and role-playing exercises to make security training more immersive
Interactive learning can be done through activities such as simulations, and discussions that help to make security workshops more engaging and effective.
In the security awareness program at Picnic, gamification is used in a quiz competition to test the attendees’ security knowledge. The quiz is designed to be challenging but fair, and the winners are awarded prizes. This helps to keep the participants engaged and motivated to learn. The “open table” discussion format is also used in the program. This allows the participants to share their ideas and perspectives on security threats and risks. This helps us to identify security gaps and encourage more accurate threat modeling.
A successful security awareness program should cover GDPR and privacy topics to help employees understand their responsibilities under the law. This includes understanding what personal data is, how it can be processed, and how to protect it. Employees should also be aware of the consequences of violating GDPR, such as fines and penalties.
In addition, security awareness programs and security workshops should also empower employees to be responsible data custodians. This means giving them the tools and knowledge they need to protect personal data in their day-to-day work.
By covering GDPR and privacy in the Picnic security awareness program, we learn to protect ourselves from data breaches and fines as well as customer data protection. It also helps in building a culture of data privacy within the organization, protecting the personal data of individuals and customers. This can be done through a collaboration with the legal/privacy department or DPO (Data Protection Officer).
An effective security awareness program starts with understanding your teams’ and employees’ needs. Tailoring content to their specific requirements is a key step to achieving the best results. Using gamification and interactive learning, along with establishing a follow-up, feedback, and collaboration pipeline, are also important steps in achieving optimal outcomes.