In this interview, Paulo Pagliusi, CEO at MPSafe Cybersecurity Awareness, talks about the value of security awareness and how it influences the overall security posture of an organization.
Why does security awareness matter?
It matters because cyber security threats have been pointed out as one of the most critical risks for the industry, since a single cyber breach can significantly drive down companies’ earnings per share (EPS), and multiple hits could cause their EPS to collapse. Sooner or later, every corporation will be hit with a cyber crisis.
Today’s business leaders and the entire corporate staff chain need to understand both business risks and cyber risks. They must have security awareness in order to own the company’s cyber risks (it is no longer enough for the CEO to tell the CIO or the IT team to go and “fix” cyber threats). Otherwise, they are simply not up to the job of running the business day-to-day.
In fact, developing a good cybersecurity awareness training program makes a lot of sense and will be more cost-effective than risking waiting for your company to be hit by attackers who will take advantage of the lack of security awareness of the company’s managers and employees. Security awareness training should be the first line of defense.
Recent research shows that 56% of employees still receive no security awareness training. How does that influence the overall security posture of an organization?
Over and over again, people have been found to be the weakest link in organizations’ defense chain. Businesses that fail to train their people in security awareness are doing themselves, their workforce, and even the Internet as a whole a lot of damage – their employees will not only make deplorable security decisions at work, but at home, as well.
Every company should make security awareness training a part of its cyber defense strategy. In Brazil we just released a Cyber Manifesto seeking changes that will improve the cyber security posture of the entire Brazilian society. This campaign aims to stimulate and create a shared vision of how we can better protect our country from cyber attacks, and to increase the security awareness of business and government leaders. This includes cybersecurity awareness, as one of the fundamental principles of modern and proper corporate governance.
What are the pros and cons of outsourcing security awareness training instead of doing it in-house? Based on your research, what brings better results?
When deciding whether to use outside or in-house security awareness training programs, we must first determine what the return on investment (ROI) is. Still, we must also take into consideration which program will truly support a company’s business objectives, and other variables such as future plans, the costs associated with them, and the availability of each training option.
The process of selecting the right outside experts is tough, often expensive and will sometimes take as much time as it would take for the company to hire its own staff for the training. On the other hand, people tend to believe and give more value to what outside experts say. In Brazil, we have a saying that roughly translates to “a saint from home does not perform miracles”, i.e. no man is a prophet in his own country.
Regardless of the final decision, what really matters is that the cyber security training program be a continuous and ongoing process, not an isolated action (e.g. one talk per year) that will only temporarily raise the level of awareness of employees who, as time passes, tend to relax and forget what was taught. Moreover, due to the dynamic nature of cyber threats, it is essential to constantly update the security awareness training program, and a 100 percent dedicated and specialized security awareness team can bring better results to any company.
How do simulated attacks improve security awareness training?
Simulated attacks are a great security awareness training strategy. More often than not, spear-phishing is the modern cyber criminals’ weapon of choice to gain a foothold in an organization in order to be able to exfiltrate data and intellectual property at a later time, so it’s extremely important to train employees to recognize and resist social engineering tactics directed at them. Simulated attacks also allow trainers to measure and monitor the effectiveness of various training approaches.
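The measurement side of simulated attacks mentioned above can be made concrete. The following is an added example, not code from the interview or from MPSafe: it takes the kind of per-employee results a phishing-simulation platform exports (who clicked the simulated link, who reported the message), aggregates click and report rates per round and per training approach, shows the trend between rounds, and lists employees who clicked repeatedly so they can receive a targeted refresher. All names, cohorts and result records are constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulationResult:
    """One employee's outcome in one simulated phishing round."""
    campaign: str      # simulation round, e.g. "round-1" (constructed label)
    cohort: str        # training approach this employee received (constructed label)
    employee_id: str   # pseudonymous id (constructed)
    clicked: bool      # followed the simulated malicious link
    reported: bool     # reported the message to the security team


# Constructed sample export: two cohorts ("annual-talk" = one talk per year,
# "continuous" = ongoing programme) observed over two simulation rounds.
SAMPLE_RESULTS = [
    SimulationResult("round-1", "annual-talk", "e1", True, False),
    SimulationResult("round-1", "annual-talk", "e2", True, False),
    SimulationResult("round-1", "annual-talk", "e3", False, True),
    SimulationResult("round-1", "annual-talk", "e4", False, False),
    SimulationResult("round-2", "annual-talk", "e1", True, False),
    SimulationResult("round-2", "annual-talk", "e2", False, True),
    SimulationResult("round-2", "annual-talk", "e3", False, True),
    SimulationResult("round-2", "annual-talk", "e4", True, False),
    SimulationResult("round-1", "continuous", "c1", True, False),
    SimulationResult("round-1", "continuous", "c2", True, False),
    SimulationResult("round-1", "continuous", "c3", False, True),
    SimulationResult("round-1", "continuous", "c4", False, False),
    SimulationResult("round-2", "continuous", "c1", False, True),
    SimulationResult("round-2", "continuous", "c2", False, True),
    SimulationResult("round-2", "continuous", "c3", False, True),
    SimulationResult("round-2", "continuous", "c4", True, False),
]


def campaign_metrics(results):
    """Aggregate results into {(campaign, cohort): {participants, click_rate, report_rate}}."""
    groups = defaultdict(list)
    for r in results:
        groups[(r.campaign, r.cohort)].append(r)
    metrics = {}
    for key, rows in groups.items():
        n = len(rows)
        metrics[key] = {
            "participants": n,
            # share of the cohort that fell for the simulated lure
            "click_rate": sum(r.clicked for r in rows) / n,
            # share that did the desired thing and reported it
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return metrics


def click_rate_trend(results, cohort, first_round, last_round):
    """Change in click rate for one cohort between two rounds; negative means improvement."""
    m = campaign_metrics(results)
    return m[(last_round, cohort)]["click_rate"] - m[(first_round, cohort)]["click_rate"]


def repeat_clickers(results, threshold=2):
    """Employees who clicked in at least `threshold` rounds: candidates for a targeted refresher."""
    counts = Counter(r.employee_id for r in results if r.clicked)
    return sorted(emp for emp, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    for (campaign, cohort), m in sorted(campaign_metrics(SAMPLE_RESULTS).items()):
        print(f"{campaign} {cohort:12s} n={m['participants']} "
              f"click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    for cohort in ("annual-talk", "continuous"):
        print(f"{cohort}: click-rate change {click_rate_trend(SAMPLE_RESULTS, cohort, 'round-1', 'round-2'):+.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The report rate is tracked alongside the click rate on purpose: a falling click rate alone can mean people simply ignore mail, whereas a rising report rate shows they recognise the lure and know where to send it, which is the behaviour the training is meant to produce.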