Recent analyses of the complex world of cybersecurity have drawn attention to the importance of information security training and awareness for everyone who operates within a company.
The evolution of threats, which makes the digital ecosystem complex and varied, increasingly requires awareness at the highest levels to avoid exposing corporate infrastructure. Despite growing investment in the sector, the adoption of specialized, dedicated teams and the deployment of defensive technologies and systems, in 2022 over 80% of companies suffered one or more breaches. Managers and supervisors are aware of the weight of the human factor and believe that greater awareness would significantly reduce the number of successful attacks. Most of the attacks suffered last year reportedly targeted employees, who are considered the first line of defense in this area but who, in practice, too often proved to be the weakest link.
Although many organizations today offer information security training and awareness programs, their effectiveness is inadequate, and real knowledge of the vast digital landscape is still scarce. Between social engineering and phishing techniques, cybercriminals therefore still find open doors and easy access. While malware appears to be the most used threat, phishing remains the most insidious, and is often aimed at obtaining private data and access credentials. Personalized e-mails, often sent from a known address that has previously been compromised, camouflaged links (where the text the reader sees does not match where the link actually leads) and web pages built for the occasion require attention at the operator level, together with an awareness of attack techniques and basic defensive methods.
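The "camouflaged link" pattern mentioned above is one of the few phishing tells that can be checked mechanically rather than left entirely to the reader's attention. The following is an added example, written for this page and not code from the original article or from any vendor report it cites: it extracts the anchors from an HTML e-mail body and flags two cases, a visible link text that names one domain while the `href` points to another, and a trusted company name embedded inside a host whose registered domain is not the company's. The e-mail body, the `example-corp.com` trusted domain and the `attacker.test` / `evil.test` hosts are all constructed for the demonstration; the registered-domain logic is deliberately naive (last two labels) and a production check would use the Public Suffix List instead.

```python
"""Flag camouflaged links in an HTML e-mail body (standard library only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample e-mail body for the demonstration (not a real message).
SAMPLE_EMAIL = """
<p>Dear colleague, your mailbox is almost full.</p>
<p><a href="http://login.example-corp.com.attacker.test/reset">https://login.example-corp.com/reset</a></p>
<p><a href="https://intranet.example-corp.com/policies">Read the policy</a></p>
<p><a href="https://example-corp.com.evil.test/x">Open the portal</a></p>
<p>Contact <a href="https://support.example-corp.com/">support.example-corp.com</a> for help.</p>
"""

# Hypothetical set of domains the organization actually owns.
TRUSTED_DOMAINS = {"example-corp.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare domains get a scheme so urlparse works."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Naive registered domain: the last two labels. Demo only; use the
    Public Suffix List in real code (e.g. 'co.uk' breaks this)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Does the visible anchor text itself look like a URL or domain?
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons a link looks camouflaged; an empty list means clean."""
    reasons = []
    host = host_of(href)
    target = registered_domain(host)
    # 1. The reader sees one domain, but the link goes to another.
    if URL_LIKE.match(text) and registered_domain(host_of(text)) != target:
        reasons.append("display text points to a different domain")
    # 2. A trusted name is used as a subdomain of an untrusted domain.
    for brand in trusted:
        if brand in host and target not in trusted:
            reasons.append(f"trusted name '{brand}' inside untrusted domain '{target}'")
    return reasons


def scan_email(html):
    """Map each suspicious href in the HTML body to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(f"{href}\n    {'; '.join(reasons)}")
```

Run stand-alone, the script reports the first and third links and leaves the two genuine `example-corp.com` links alone. The first rule is the one worth teaching in awareness sessions: hover over a link and compare the status-bar target with the text, which is exactly what `check_link` does for the reader.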
According to most CISOs, the human factor is the number one risk. In a few cases fraud emerges, mostly due to carelessness and superficiality in sharing confidential information with sources outside the company or not under its control, or to the use of company devices outside the workplace. At the end of last year, significant initiatives emerged in training on password management and account security and on identifying suspicious e-mails, but current schemes appear to be ineffective in practice, and four fifths of companies do not adopt specific protocols.
Cybersecurity awareness and training programs are widely recognized as a way to strengthen a cybersecurity culture among employees, yet more than half of the leaders surveyed are still concerned that their employees lack cybersecurity awareness, according to the Fortinet report. A critical evaluation in this respect can reveal opportunities to address the fragility of the human factor, improving the effectiveness of the programs and thereby reducing overall risk.
Taking specific steps to ensure that programs cover a sufficiently wide range of topics in a practical way, and that learning is consolidated with reminders and checks, should help improve training outcomes.