
What You Don't Know Really Can Hurt You - Practical Reasons For Security Awareness Training

I was 16 years old when I realized the old cliché, "what you don't know can't hurt you," was utterly and unequivocally false. I was that age when a police officer pulled me over for speeding on a newly developed stretch of interstate. While the officer wrote out the ticket, I performed a mental calculation; based on the standard fine of $10 for every mile over the limit, I estimated the fine to be a hundred and twenty bucks. Pretty steep for my shallow pockets, but he did bust me fair and square.

After the officer handed me the carbon copy of the ticket, I was stunned to read the fine would be $360 - triple that of my mental computation! Confident the officer made a grievous mathematical mistake I disputed his calculations and demanded an explanation. He calmly informed me of the recently enacted law which mandated all speeding fines be tripled within construction areas. Despite being surrounded by orange barrels and concrete partitions, I began to protest earnestly that I had no way of knowing about the law and shouldn't be held accountable.

Suppressing an obvious snicker at my lame argument, the officer slowly leaned forward to meet me at eye level. In a clearly rehearsed manner, he offered this gem of advice. "Son, ignorance is no excuse."

Had I been aware of the law and the relevant consequences, I likely would have been more aware of my surroundings, kept my speed in check, and moved through the construction zone without incident. So, what I didn't know really did hurt me.

Without proper security awareness training, most front-line employees at financial institutions will be just like my 16-year-old persona: ignorant of the rules, unaware of their surroundings and oblivious of the consequences. It is impractical, imprudent and quite dangerous to assume that regular employees will be able to identify and respond to fraudulent activities without first being educated on how to recognize social engineering techniques.

Fortunately, financial institutions can mitigate their risk exposure from fraud and social engineering tactics in much the same way I was able to mitigate the cost of my speeding fine: training. Attending an 8-hour defensive driving class allowed me to get a reduced fine, a less severe impact to my insurance, and several life lessons that remain ingrained in my memory. But financial institutions don't get off as easy. Several years of evidence and comprehensive research around data breach trends have proven that financial institutions have too much at stake to wait for an incident to occur before addressing security awareness training.

The recent 2011 Verizon Data Breach Investigations Report not only provides extensive details on every aspect of data breaches, but also offers compelling evidence that a comprehensive security awareness program is essential to protecting an institution from opportunistic social engineers. The report claims that of all the breaches stemming from social engineering methods documented in the study, 83% were "opportunistic attacks" on institutions that exhibited a weakness or vulnerability that the attacker could exploit. The report indicates that the majority of these attacks originated in the form of classic social engineering tactics, including pretexting, counterfeiting/forgery, phishing, hoaxes, and "trusted authority" influence tactics. Like the police officer in the anecdote above, social engineers simply wait patiently for naïve, untrained employees to come along and fall into their trap.

The two most alarming conclusions that should influence an organization's attitudes toward security awareness training are that (1) frontline employees/end users were the targets of 80% of these attacks, and (2) 78% of the attacks involved in-person contact! In light of these dramatic results, it is no wonder that numerous independent studies show that nearly two-thirds of the organizations who suffer a breach rank security awareness training as their top priority for post-breach remediation. The same studies consistently indicate that over 75% of these organizations claim that employee education is the most effective way to prevent fraud.

The facts above should be enough justification for most organizations to either implement an intensive security awareness training program, or at least rethink their current approach. For those still not convinced, consider that the costs related to data breaches involving social engineering tactics are estimated to be around $315 per record, over $100 more than estimated per record costs for incidents resulting from other causes.

What your employees don't know can hurt the entire organization. The good news is that security awareness training is not only a proven method to combat social engineering and fraud, but it is a relatively inexpensive endeavor. It is certainly much less expensive than an actual security breach.

2011 VERIZON DATA BREACH INVESTIGATIONS REPORT: A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service. PDF available at http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
