Security awareness: the value of people in corporate security

In recent years, we have witnessed an evolution in the way hackers operate, increasingly focusing on social engineering and phishing techniques to hit their targets.

Paradoxically, while companies equip themselves to respond to new needs by implementing technology, cyber attacks tend to get around this by hitting the last weak link, the people. The human factor, in fact, is increasingly important in maintaining security within companies, especially considering that technology can do little in the face of inadequate or irresponsible behaviour by a worker.

Most computer security incidents are due to a lack of awareness. An update of the Clusit report shows an increase of attacks exploiting phishing and social engineering techniques by 26% in the first half of 2020. In this context, the theft of a single employee’s username and password can have serious repercussions on the security of the entire network, allowing corporate defences to be breached.

One of the most effective ways to counter the threat of phishing is through training and awareness of all employees, which, coupled with specific technologies, can be the real added value for organisations.

Some of the most common risk behaviours are:

  • The inadvertent sharing of documents with parties outside the company
  • The use of unauthorised devices (such as USB keys)
  • The use of external services such as social networks and private webmails
  • Opening attachments without sender verification
  • Clicking on malicious links

The objective of security awareness is training at every level, creating a horizontal process capable of bringing about a cultural change on the subject of security.

But what are the best practices for raising awareness within organisations?

Training carried out annually cannot be sufficient to maintain the knowledge learned, which is why it is now necessary to develop real coordinated campaigns that combine training with phishing simulations. In this way, it will be possible to obtain data on the propensity to open malicious e-mails, which can be used to determine the effectiveness of the campaign.

Simulations should be carried out randomly, in order to minimise the drop in the opening rate of malicious e-mails and thus obtain more accurate estimates of the likelihood of falling victim to phishing.

Monitoring trends on a regular basis could have a significantly positive impact on the organisation, reducing risks and consequently increasing employee awareness through a methodology free from the limitations imposed by traditional training, using an interactive approach balanced towards practical application.

Organisations, in order to cope with the new types of threats, must once again demonstrate a willingness to change, showing a spirit of adaptation and adopting all the latest methods available to ensure corporate security.