I am one of the one hundred million people affected by the March 2019 Capital One data breach. A misconfigured Amazon server gave a criminal access to my name, phone number, date of birth, and social security number, among other personal information. With that one technical oversight, the data breach became part of the 46 percent of cyberattacks made possible by employee error—and a mistake that could cost Capital One up to $500 million in fines.
My unhappy relationship with the Capital One fraud department began the same week I conducted an interview with the director of the Kogod Cybersecurity Governance Center, Heng Xu, about the 2019 SANS Security Awareness Report. Entitled “The Rising Era of Awareness Training,” the report includes data analysis conducted by the center and recommendations to help organizations increase the effectiveness of employee cybersecurity awareness trainings. “Cybersecurity breaches are happening every day,” explains Xu. “One of the most important factors is the employees and their own security awareness.”
When people hear the term “cybersecurity breach,” they often picture a scene reminiscent of the wildly inaccurate (though imaginative) film Hackers—a shadowy computer mastermind racing through firewalls to grab some virtual loot before the authorities track him down. In reality, cybercriminals frequently use mundane tactics to gain access to valuable information, anything from stealing written passwords that employees leave on their desks to spoofing emails from the company CEO.
According to the report, most cybersecurity breaches in the workplace can be avoided with regular and engaging employee-focused cybersecurity trainings and awareness campaigns, but many companies aren’t dedicating enough time to implement them. The report found a direct correlation between the maturity level of workplace cybersecurity programs and the amount of time devoted to the programs. Only 25 percent of employees dedicated to cybersecurity awareness trainings work full-time, even though data shows that companies need at least two full-time employees to educate and change employees’ behavior.
Compounding the problem is the fact that information technology departments often handle trainings and don’t always possess the full set of communication skills needed to successfully convey their messages. The report emphasizes hiring employees who can communicate complex information in clear and simple—yet engaging—ways, utilizing tools like social media, blogs, videos, printed materials, and workshops for awareness education.
“Technical security experts don’t do employee trainings well,” Xu says. “They may think a lot of technical terms are common sense. They know the technology well, but they lack the communication skills to speak in a way that allows everyday people to understand on their own terms. In order to promote effective cybersecurity awareness training, you need people with strong communication and marketing skills.”
This year’s SANS report also demonstrates how far many industries have to go when it comes to implementing effective cybersecurity awareness programs for their employees—the finance, banking, and insurance industries have less developed awareness programs than the entertainment, hospitality, retail, and transportation sectors. I had expected banks to take information security the most seriously, but considering Capital One, Bank of America, and TD Bank have all leaked my information in the past, I shouldn’t have been surprised. “A lot of companies nowadays, without appropriate training programs, without appropriate resources and leadership support for cybersecurity, are probably having breaches without their awareness,” Xu says.
The credit card fraud that I experienced in July may have been remedied, but the fear that someone can steal my identity is still there. I scour my bank statements and Credit Karma account multiple times a day to reassure myself that no one is impersonating me…yet. Employee education is key to averting the next data breach, and I hope that organizations like the SANS Institute and Kogod Cybersecurity Governance Center will continue to promote the awareness and proactivity required in the workplace to keep our identities secure.