The Week in Breach: Security Awareness Fatigue is Real





Selling Your Employees on Security Awareness Training


6 Points to Hammer Home


Businesses of every size in every industry are facing more cybersecurity risk and pressure than ever before. Every day, their employees are being inundated with cyberattack threats, and just one misclick could be the start of an expensive, devastating nightmare. That means that teaching employees how to avoid those threats and maintain good security hygiene should be a top priority.


Training Neglect is Real


But all too often, it is not, and it can be challenging to explain to employees why they are making a mistake by neglecting security awareness training. A survey of IT professionals showed that while over 95% of them said that their companies had security awareness training programs, only 30% of them said that employees had actually completed any training. That’s coming back to haunt them.

Findings recently released in the 2021 Data Security Report by GetApp illustrate the possibilities:


6 Data Points That Show Customers the Value of Security Awareness Training


However, companies may have trouble seeing the value of less concrete security tools like a security awareness training program, especially non-tech-savvy decision-makers who are focused on the bottom line instead of cybersecurity risk. These six data points help demonstrate that when companies are looking to make short- and long-term improvements in security affordably, security awareness training is the perfect place to turn a small investment into a major security upgrade.

1. It Prevents Phishing, Their #1 Data Breach Risk

Security awareness training is proven to improve employees’ ability to detect phishing if it is carried out regularly. Researchers in a UK phishing simulation study discovered that the improvement is fast and significant. At the beginning of the study, 40 – 60% of the employees surveyed were likely to open malicious links or attachments. But after about 6 months of security awareness training, the percentage of employees who took the bait in every industry dropped 20% to 25% – and after 3 to 6 months of more security awareness training, the percentage of employees who opened phishing messages plummeted to only 10% to 18%.

2. To Get Everyone on the Security Team

Chances are that employees who aren’t directly in IT don’t even know that they’re supposed to worry about cybersecurity and that is an enormous danger for their employers. Here’s a shocker: 45% of respondents in a HIPAA Journal survey said that they don’t need to worry about cybersecurity safeguards because they don’t work in the IT department. That’s a recipe for disaster in any business. Employees are the number one vector for a company to have a security problem. Negligent employees create over 60% of security incidents. Security awareness training makes sure that every employee understands that they are responsible for maintaining security or damaging it through their actions.

3. They'll See Immediate Security Improvements

Here’s an example of a direct, easy-to-understand improvement: security awareness training helps reduce the chance that bad actors will obtain or crack a company’s passwords. Password misuse, hacking or theft is the second most common way that companies have a data breach. It was the culprit in an estimated 60% of data breaches in 2021. In a study of employee password generation and handling behaviors, researchers determined that security awareness training improved overall password security by an estimated 30 – 50%.


4. Security Awareness Training Has a High ROI

Security awareness training is a smart investment that packs a lot of bang for the buck. It’s a small outlay with little upfront cost that offers an excellent ROI. Small and mid-sized businesses (SMBs) get an ROI of 69% and larger organizations see an ROI of 562%. Plus, it provides ROI by enhancing a company’s cyber resilience, making them less likely to be crippled by a cyberattack. Cyber resilience is an important asset for companies to build in today’s ransomware-heavy cyberattack landscape. No company wants to be completely hamstrung by a cyberattack, losing time and money because no one can work. 84% of leading organizations in the IBM Cyber Resilient Organization Study 2021 cite security awareness training as a key building block of cyber resilience.

5. If There is an Incident, It Will Cost Less

Security incidents are punishingly expensive, but security awareness training chops incident costs in half. The cost of phishing attacks has almost quadrupled over the past six years, with large US companies losing an average of $14.8 million annually (or $1,500 per employee) to phishing. Security awareness training reduces the cost of phishing by more than 50%. Even a modest investment in security awareness and training will do the trick. Any investment in security awareness training has a 72% chance of significantly reducing the business impact of a cyberattack.

6. It Helps Avoid Expensive Compliance Failures

Being proactive about meeting security awareness training requirements can save companies a fortune. With regulations growing more complex in the wake of public pressure following the Colonial Pipeline incident, there’s been a blizzard of regulatory activity around the world that impacts organizations in many industries. By implementing security awareness training programs now, organizations can reduce their chance of experiencing a security incident that could jeopardize their compliance status. Companies that engage in regular security awareness training have 70% fewer security incidents.

Dark Web ID’s Top Threats This Week


Advocates

https://www.scmagazine.com/analysis/breach/68k-affected-by-data-theft-sophisticated-network-hack-of-nonprofit-advocates

Exploit: Hacking

Advocates: Health & Social Services Non-Profit


Risk to Business: 1.727 = Severe

Advocates announced that it had been the victim of a cyberattack. A hacker gained access to the organization’s network in mid-September 2021. The attacker gained access to data tied to 68,000 clients served by Advocates and likely copied the data. The Massachusetts-based non-profit provides a range of services for individuals with autism, brain injuries, mental health, addiction, and other health conditions. Advocates is cooperating with the ongoing FBI investigation.


Individual Risk: 1.603 = Severe

Current and former clients of Advocates are at risk of having their data exposed in this incident. The stolen data included names, contacts, Social Security numbers, dates of birth, client identification numbers, health insurance information, diagnoses and treatments. All impacted individuals will receive free credit monitoring and identity theft protection services.

Customers Impacted: 68,000

How It Could Affect Your Business: Companies that store large quantities of personal or medical information are prime targets for the bad guys.

IntegraMSP to the Rescue: Cybersecurity horrors lurk around every corner, lying in wait for unwary organizations. Learn how to defeat them in the eBook Monsters of Cybersecurity. DOWNLOAD IT NOW>>


Senate of Puerto Rico

https://abcnews.go.com/International/wireStory/official-puerto-ricos-senate-targeted-cyberattack-82495236

Exploit: Hacking

Senate of Puerto Rico: State Legislative Body


Risk to Business: 2.223 = Severe

Puerto Rico's Senate announced Wednesday that it was the target of a cyberattack that disabled its internet provider, phone system and official online page. Senate President José Luis Dalmau said in a statement that there is no evidence that hackers were able to access sensitive information belonging to employees, contractors or consultants, although the incident is still under investigation.

Individual Impact: No specifics about any consumer/employee PII or financial data loss were available at press time.

Customers Impacted: Unknown

How It Could Affect Your Business: Cyberattacks on government agencies have been ramping up in recent months without the impetus of added tension in Eastern Europe.

IntegraMSP to the Rescue: The Computer Security To-Do List helps find vulnerabilities. DOWNLOAD IT>>


Kings County Public Health Department

https://portswigger.net/daily-swig/california-public-office-admits-covid-19-healthcare-data-breach

Exploit: Misconfiguration

Kings County California Public Health Department: Local Government Agency


Risk to Business: 2.711 = Moderate

Kings County, California announced that a security flaw in its public web server made limited information on COVID-19 cases available on the internet. The misconfiguration has been chalked up to a negligent third-party contractor. Discovered in mid-November 2021, the flaw had been in place since February 15, 2021, officials say, and was corrected on December 6, 2021.


Individual Risk: 2.701 = Moderate

In a statement, the county said that names, dates of birth, addresses and COVID-related health information for county COVID-19 cases were among the data that was available to view. The county has set up a dedicated call center to answer questions from the public.

Customers Impacted: Unknown

How It Could Affect Your Business: Misconfiguration incidents due to employee or contractor negligence are just as expensive and damaging as cybercrime once regulators are finished with the companies that have them.

IntegraMSP to the Rescue: Building cyber resilience helps insulate organizations from trouble like this. Learn more about why cyber resilience is the ticket to a safer future for your clients. GET THIS EBOOK>>


1 – 1.5 = Extreme Risk

1.51 – 2.49 = Severe Risk

2.5 – 3 = Moderate Risk

Risk scores for The Week in Breach are calculated using a formula that considers a wide range of factors related to the assessed breach.