“Cyberattacks are increasing exponentially every single year.”
Forrest Senti made this statement on a recent episode of Formstack’s Practically Genius podcast. As the Vice President of Programs and Operations at the National Cybersecurity Center, he knows quite a bit about cybersecurity threats and how to protect against them.
You may think securing your organization against hackers and cyberattacks is IT’s job. But the truth is that cybersecurity is everyone’s responsibility. IT lays the security groundwork through training, education, and best practices, but if employees don’t follow through, it puts an organization at massive risk. Getting hit by an attack isn’t about if, but when, as Forrest explains:
What exactly are the risks? Let’s take a look at some cybersecurity statistics that prove why we should all be concerned about protecting our data, passwords, and systems. I’ll then provide some creative security training ideas that can help your organization better engage employees—and avoid becoming a statistic.
Listen Now: Get all of Forrest’s best tips and advice now by listening to his episode Why Cybersecurity Is Everyone's Responsibility.
Cybersecurity Statistics and Trends
All organizations are at risk for cyberattacks, no matter the size, location, or industry. In fact, ThoughtLab’s 2022 cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World, found that security breaches went up 20% from 2020 to 2021.
Here are just a few cybersecurity statistics that explore the risks of poor security practices and the impact of data breaches, cyberattacks, and hacking.
The Cost of Data Breaches
According to IBM’s Cost of a Data Breach Report 2022, it takes an average of 277 days to identify and contain a data breach. The average cost of these breaches in the U.S. was $9.44M, which is over twice the global average of $4.35M.
IBM’s 2021 report found that during data breaches, customer personally identifiable information (PII) was the most common type of record lost. This type of information was included in 44% of breaches and cost businesses around $180 per record impacted.
Most Common Cyberattack Types
In the U.S., phishing attacks are the most common form of cyberattack. This category includes phishing, vishing, smishing, and pharming. According to the FBI’s Internet Crime Report 2021, phishing attacks were reported 323,972 times in 2021—nearly 100,000 more reports than in 2020. Victims reported that these phishing attacks cost businesses a total of $44,213,707 in losses during 2021.
Looking at ransomware attacks alone, the number of organizations impacted globally more than doubled in the first half of 2021 compared with 2020. According to Check Point Research (CPR), more than 1,000 organizations are impacted by ransomware every week.
These are some of the most costly types of attacks. IBM estimates ransomware attacks cost an average of $4.62 million. These costs include escalation, notification, lost business, and response costs.
Data breaches are at an all-time high. According to the 2021 Annual Data Breach Report by the Identity Theft Resource Center, the overall number of data compromises grew by more than 68% from 2020 to 2021. In fact, data compromises increased year-over-year in every primary sector but one: the military.
Data breaches happen when an unauthorized individual gains access to internal data. A recent Positive Technologies test found that 93% of organizations would fall victim to an external attacker trying to breach the organization’s network perimeter to gain access to local network resources. In their testing, this took an average of two days, and 71% of the successful breaches involved compromised credentials, generally through password weaknesses.
Creative Cybersecurity Training Ideas
One more statistic for you: According to Verizon’s 2022 Data Breach Investigations Report, 85% of data breaches involve a human element, including social attacks, errors, and misuse. This is why cybersecurity training is crucial to protecting your organization from cybercrime.
As Forrest stated, “95% of all the cyberattacks that happen can be prevented just by individual people paying attention to what they're doing.”
But getting people to pay attention takes work. Many employees don’t live and breathe security protocols and best practices. It’s easy to get lax and forget even the basics of security training. That’s why it’s so important to make cybersecurity training either exciting or enticing.
“Oftentimes people just buy these off-the-shelf security training programs, and then they say, ‘Hey, you gotta do this for compliance.’ And compliance doesn't necessarily mean excellence. It just means that they're checking a box,” Forrest explained. “So oftentimes for most people, when you take your annual security awareness training in an organization, you're just clicking through this thing, and you're listening to this video, and then you take a test at the end, and you're done.”
The problem with this strategy is that it usually doesn’t stick with the employee. They’re in and out in a short amount of time, with limited engagement and long-term resonance. If you want better security training results, you’ll need to invest in creative security training strategies. Here are some ideas to try.
1. Give Employees Phishing Assignments
Engaging training is the name of the game, and nothing is more engaging than getting employees in on the action. One way to do this is through phishing exercises. Forrest explains how to go about this:
This type of exercise helps employees be better prepared against phishing attacks in multiple ways. First, the employee tasked with the phishing assignment will need to do some initial research on what phishing is and how it works. This will help the employee get a better understanding of what to be wary of in their own inbox.
Second, employees who get phished will have a very strong memory of the event. If they fall for the phishing experiment, the memory will stick even more. Whether they get a “Gotcha!” email response or click through to a dummy website with a “You Got Phished!” message, the learning moment will be well established and cemented in their memory.
The more aware you can make your employees of the sophisticated phishing scams out there, the less likely they are to fall for them. If this type of exercise is part of a quarterly or bi-monthly cadence, your employees are very likely to become much better at identifying common phishing tactics.
2. Spread Out Trainings and Offer Incentives
One cybersecurity training issue is that most organizations run their training as a one-off program. Employees spend a few hours on one day a year cramming quite a bit of knowledge into their heads, which limits their ability to really absorb it and learn from the content.
To combat this problem, consider spreading out your security training over time. Instead of a single two- or three-hour-long training session, break it up into a few hour-long sessions or multiple 30-minute sessions. Think about how this security training can become a part of your culture versus something you have to check off the to-do list. Bring it up in all-company meetings, set reminders or quizzes in Slack channels, and infuse some fun into the content. “You can make these things exciting and make it a part of your culture to improve the organization through security,” Forrest stated.
Once you define how security training can be better spread out and embedded into your company’s culture, the fun part comes: deciding on prizes and incentives. Forrest encourages organizations to think about how they can empower managers to make security training impactful through both content and incentives. Whether it’s a food budget to use during group training sessions or money to buy prizes for security quizzes, find ways to make employees want to engage with the content—and maybe even get a little competitive.
3. Provide Real-Life Examples
Some out-of-the-box security training videos include silly storylines that really don’t make much sense. What kind of security issue is it if an alligator eats your jump drive that fell into a lake? (Yes, that was a storyline in a training I’ve watched.) Although the scene is quite memorable, I couldn’t really tell you the security lesson it was teaching.
To make those lessons truly stick, try infusing real-life examples into your training. Many of us have an “it can’t happen to us” mindset when it comes to cybersecurity. But when you bring real-life examples of the damage that can happen when employees are lax on security, it can really hit home.
Here are a few ways to bring real-life examples into the fold:
- Research competitors and highlight any security breaches they’ve encountered
- Track security keywords relevant to your industry in Google to get new stories
- Have employees store phishing emails in a shared drive
- Ask customers about their security concerns and best practices
Forrest believes the more real you can make security training, the better. Providing employees with stories and situations that “could have been us” makes security training much more realistic and impactful. “Sit down with your team and tell them why it's important and tell them how you impact the organization when these things go wrong,” Forrest advised.
Improve Security at Your Organization
It’s clear that data breaches and cybersecurity attacks are becoming more prevalent by the minute. With so much on the line, all organizations must begin creating cultures of security. Infusing a bit of creativity and fun into your security training is a great place to start.
Looking for more tips on how to better protect your organization from cyberattacks and other security threats? Listen to Forrest’s episode Why Cybersecurity Is Everyone's Responsibility now.