Why does security awareness matter?
It matters because cyber security threats have being pointed out as one of the most critical risks for the industry, since a single cyber breach can significantly drive down companies' earnings per share (EPS), and multiple hits could cause their EPS to collapse. Sooner or later, every corporation will be hit with a cyber crisis.
Today’s business leaders and the entire corporate staff chain need to understand both business risks and cyber risks. They must have security awareness in order to own the company’s cyber risks (it is no longer enough for the CEO to tell the CIO or the IT team to go and “fix” cyber threats). Otherwise, they are simply not up to the job of running the business day-to-day.
In fact, developing a good cybersecurity awareness training program makes a lot of sense and will be more cost-effective than risk waiting for your company to be hit by attackers who will take advantage of the lack of security awareness of the company's managers and employees. Security awareness training should the first line of defense.
Recent research shows that 56% of employees still receive no security awareness training. How does that influence the overall security posture of an organization?
Over and over again, people have been found to be the weakest link in organizations' defense chain. Businesses that fail to train their people in security awareness are doing themselves, their workforce, and even the Internet as a whole a lot damage - their employees will not only make deplorable security decisions at work, but at home, as well.
Every company should make security awareness training a part of its cyber defense strategy. In Brazil we just released a Cyber Manifesto seeking changes that will improve the cyber security posture of the entire Brazilian society. This campaign aims to stimulate and create a shared vision of how we can better protect our country from cyber attacks, and to increase the security awareness of business and government leaders. This includes cybersecurity awareness, as one of the fundamental principles of modern and proper corporate governance.
What are the pros and cons of outsourcing security awareness training instead of doing it in-house. Based on your research, what brings better results?
When deciding whether to use outside or in-house security awareness training programs, we must first determine what the return on investment (ROI) is. Still, we must also take into consideration which program will truly support a company’s business objectives, and other variables such as future plans, the costs associated with them, and the availability of each training option.
The process of selecting the right outside experts is tough, often expensive and will sometimes take as much time as it would take for the company to hire their own personal staff for the training. On the other hand, people tend to believe and give more value to what outside experts say. In Brazil, we have a saying that roughly translates to "a saint from home does not perform miracles", i.e. no man is a prophet in his own country.