Security Awareness Training (SAT): Why you and your suppliers need it
Your users are your first AND last line of defence and it is up to you, with regular security awareness training and testing, to ensure they keep your organisation as safe as possible. But, did you know, you also have a responsibility to ensure your supply chain is secure?
6 Reasons you and your suppliers need Security Awareness Training
Security Awareness Training significantly reduces your staff's overall susceptibility to phishing and other human-centric cyber attacks. This cuts your organisation's chances of falling victim to a successful data breach, an event that can be devastating to even large-scale enterprises.
By routinely testing your staff with simulated phishing campaigns and then educating them through targeted, relevant online training, your organisation reduces its attack surface from day one.
Organisations providing their staff with security awareness training win more contracts.
Following discussions with multiple private, public and not-for-profit organisations, we know that a majority had made cyber security precautions either a condition of an existing contract or part of the RFP process that a supplier had to satisfy in order to win the contract.
An increasingly large segment of business customers now understands the causes behind large-scale data breaches. These customers recognise the importance, indeed the necessity, of security awareness training.
Building a culture of security is the ultimate aspiration for Chief Information Security Officers (CISOs) worldwide.
Until now, this culture has been very difficult to achieve.
With the aid of targeted security awareness training, organisations are moving towards their security goals faster than ever.
Being able to measure your staff's susceptibility to attack (the click-prone %: the share of recipients who acted on a simulated phish) is essential in any training platform. This can then be tracked campaign by campaign, giving a visual representation of how your staff are becoming more security aware.
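The click-prone % described above is straightforward to compute from simulated-phishing results, but two details matter in practice: count each recipient once per campaign (repeat clicks by one person are not more exposure), and track the report rate alongside the click rate, since staff who report a phish are the signal that training is working. The following is an added example, not code from the original page or from any vendor's platform; the campaign names, staff names and outcomes are constructed sample data, and the field names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One recipient's outcome in one simulated phishing campaign (hypothetical schema)."""
    campaign: str    # campaign identifier, here a quarter
    user: str
    clicked: bool    # followed the link or opened the attachment
    reported: bool   # used the report-phish button (may also have clicked)


# Constructed sample data: five hypothetical staff across three quarterly campaigns.
RESULTS = [
    Result("2024-Q1", "alice", True, False),
    Result("2024-Q1", "bob", True, False),
    Result("2024-Q1", "carol", False, False),
    Result("2024-Q1", "dave", False, True),
    Result("2024-Q1", "erin", True, True),   # clicked, then reported: still click-prone
    Result("2024-Q2", "alice", False, True),
    Result("2024-Q2", "bob", True, False),
    Result("2024-Q2", "carol", False, False),
    Result("2024-Q2", "dave", False, True),
    Result("2024-Q2", "erin", False, True),
    Result("2024-Q3", "alice", False, True),
    Result("2024-Q3", "bob", False, True),
    Result("2024-Q3", "carol", False, True),
    Result("2024-Q3", "dave", False, True),
    Result("2024-Q3", "erin", False, False),
]


def campaign_metrics(results):
    """Per campaign: recipients, click-prone % and report %, each recipient counted once."""
    by_campaign = {}
    for r in results:
        c = by_campaign.setdefault(r.campaign, {"sent": set(), "clicked": set(), "reported": set()})
        c["sent"].add(r.user)          # sets deduplicate repeated events for one person
        if r.clicked:
            c["clicked"].add(r.user)
        if r.reported:
            c["reported"].add(r.user)
    metrics = {}
    for name, c in by_campaign.items():
        n = len(c["sent"])
        metrics[name] = {
            "sent": n,
            "click_prone_pct": round(100.0 * len(c["clicked"]) / n, 1) if n else 0.0,
            "report_pct": round(100.0 * len(c["reported"]) / n, 1) if n else 0.0,
        }
    return metrics


def repeat_clickers(results, min_campaigns=2):
    """Staff who clicked in at least min_campaigns distinct campaigns: targets for follow-up training."""
    campaigns_by_user = {}
    for r in results:
        if r.clicked:
            campaigns_by_user.setdefault(r.user, set()).add(r.campaign)
    return sorted(u for u, cs in campaigns_by_user.items() if len(cs) >= min_campaigns)


def click_prone_trend(results):
    """Ordered (campaign, click-prone %) series and whether it fell at every step."""
    metrics = campaign_metrics(results)
    series = [(name, metrics[name]["click_prone_pct"]) for name in sorted(metrics)]
    improving = all(later < earlier for (_, earlier), (_, later) in zip(series, series[1:]))
    return series, improving


if __name__ == "__main__":
    for name, m in sorted(campaign_metrics(RESULTS).items()):
        print(f"{name}: sent={m['sent']} click-prone={m['click_prone_pct']}% reported={m['report_pct']}%")
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("trend:", click_prone_trend(RESULTS))
```

On the sample data the click-prone % falls from 60% to 20% to 0% while the report rate rises from 40% to 80%, which is the pattern a working programme should show; a falling click rate with a flat report rate usually means people are simply ignoring mail, not recognising it. The repeat-clicker list is the practical output: it tells you who needs targeted training rather than another organisation-wide module.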
Advanced technology, such as firewalls, automated spam filters and virus scanners, is a valid and valuable defence against breaches.
However, these tools all suffer, to varying degrees, from the same problem: they depend on humans.
Firewalls require configuration (and switching on). Security warnings require acknowledgement. Operating systems and virus scanning software require regular updates.
The technology is just one part of the information security triangle: People, Process AND Technology.
Without security awareness training, the most advanced technological defences can be unwittingly unlocked by the untrained people operating them.
Imagine a security guard at a bank vault never being told who is allowed in…
For this reason, attackers increasingly do not rely on technological weaknesses alone. Modern attackers target people, who provide a far easier route into a protected network.
…Why try to break down the door when you can simply ask for the key?
Under the GDPR you have supply-chain responsibilities which you must assess, because you may be liable for a third-party breach involving your data.
Once you have identified the sources of risk along your supply chain, you should ensure that the data gathered is protected in line with the GDPR and that your suppliers are following cyber security best practices. This will involve working with your suppliers to confirm that they too are adhering to the regulation, including the appropriate technical and organisational measures it requires.
Despite the complexities and open questions surrounding the GDPR, companies cannot afford to sit back and do nothing. Supply chains, while essential to most businesses, are already susceptible to cyber attacks, and this will only get worse if companies do not begin bolstering third-party accountability and security awareness training, alongside GDPR compliance, for each and every vendor.
Please speak to us about supply-chain incentives.
Regulators in various sectors across the world are increasingly demanding the implementation of security awareness training.
“Over the next year, we will strengthen our supervisory assessments of the highest impact firms to better understand their current and planned use of technology, resilience to cyber-attacks and staff expertise. We will also review how governance, strategy, systems architecture, risk management and culture contribute to firms’ data security.”
Financial Conduct Authority, on shaping future policy
Compliance should never be the only reason to introduce security awareness training. Organisations should treat it as a core requirement for their staff. When implemented correctly it kills two birds with one stone: it further safeguards the organisation's security and meets regulatory requirements.