If we were to auction off last year’s typical data breach, what would it go for? Try about $4.45 million. How many people were impacted by data breaches last year? No less than 422 million, over a third more than the year before.

And what was the most common attack vector leading to these breaches? The Verizon 2023 Data Breach Investigations Report discovered that 74% of breaches involved the human element, including social engineering attacks, misuse, and mistakes. That’s certainly the vast – vast – majority. And these stats come as absolutely no surprise to anyone.

However, in my opinion, that’s not singularly depressing. It’s encouraging. That means at least 74% of breaches can be prevented by relatively simple, affordable means. An ounce of prevention. And what does that cost? Just a little time and investment in employee security training. (Easier said than done, I know, I know.)

Low-hanging fruit

The CIS Controls are an excellent place to start. Formerly the SANS Top 20, or SANS Critical Security Controls, they’re now the CIS Critical Security Controls, and there are 18 of them. However, since each is extensive in scope, Implementation Groups (IGs) are used to prioritize how you should implement them. IG1 covers basic security hygiene and is where you want to begin. Just like the website states, “IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.” Phishing and other access-based threats are some of these “common attacks” that yield high returns in data breaches.

Every single Safeguard in CIS Control #14 is marked as IG1, and for good reason. Control #14 – Security Awareness and Skills Training – states that organizations should “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.” So, set up a program to train your employees. And it doesn’t take a huge, sophisticated SOC to do that. As CIS states, “an IG1 enterprise is typically small to medium-sized with limited IT and cybersecurity expertise” and one that can’t tolerate a lot of downtime.

Maybe you’re a city, municipality, or school district that needs daily student access to grades and assignments or a local credit union. The kind of data you’re trying to protect is typically financial or employee-based, and implementing IG1 protections will shore up your defenses against the most common, non-targeted attacks. We’re talking brute force, phishing, credential stuffing and those myriad of other low-hanging fruit campaigns that seem to get the best of us. Remember, even though sophisticated, targeted attacks are out there, malicious hackers don’t want to work harder than they have to, so they’ll typically try the easy approach first (with an 82% chance of success). You can block these by implementing the CIS Controls in IG1.

And, when you’re looking for a training program to set up, don’t reinvent the wheel. Companies like KnowBe4, Terranova, and Curricula offer out-of-the-box employee security awareness training.

Attitude is everything

I just want to mention that the attitude of security professionals towards users and trainees has come a long way since the early days. It used to be blame and shame, a bunch of user error jokes and a large hint of “you should have known better.” Maybe some exasperated sighs and air of superiority. No more.

We now ascribe to a new way of thinking, and we even coined a term for it: Summed up as the “Golden Vector”, it has a lot more to do with teamwork and a lot less to do with finger-pointing. Namely, it emphasizes achieving buy-in, gaining budget approval from the C-suite, and establishing trust and relationships with those you serve – namely customers (your users). This type of mind shift is critical for any sort of security awareness training to work because these programs rely on trust.

Investing in these Golden Vector principles ensures you play the long game and establish a program that’s here to stay. A program with longevity is a program with the power to make a significant change in the security education (and culture) of your organization. A one-and-done awareness exercise is a waste of time and talent on both sides.

Become a Trusted Ambassador

You need to be a department, consultant, or vendor that clients (again, your users up and down the org chart) can trust and feel safe being cyber-vulnerable around. Not everybody knows this stuff, even the basic stuff, and that is a fact painfully obvious to the criminals who constantly reap the rewards of this naiveté. We need to know this, accept it, and not shame users for not knowing the basics because the fact is – most don’t. Siding with the user against external threats is better than making enemies in both camps. That should be equally obvious.

Being a trusted advisor that anticipates their questions, understands their concerns and hits them at their level (whatever that may be) will do wonders for company-wide buy-in for security awareness training and other top-down programs. Remember, these are professionals in their fields, not ours.

Working with remote work

At the risk of overstating it, I’ll just put in my plug for remote work. The average network environment (thanks to that, cloud workloads, IoT devices and more) just isn’t what it used to be, and attackers have discovered all those new attack vectors. Employees (and management) can’t be in the dark about the risks they bring to an organization by bringing their own laptop, using their phone to log into Salesforce, or downloading unapproved apps in the spur of the moment.

A few well-placed policies in the right areas, a few access controls and some additional employee training can tamp down bad behavior faster than you think. People know remote work is new, they expect some changes, and in a lot of ways, they are looking for direction, so get them before the newness wears off.

It shouldn’t be hard to get buy-in for security awareness programs that support this new normal. Zero trust means zero trust in network safety, cloud workloads, physical asset security and access management. You can’t have complete network security without educating those users that exist on, behind, or connected to the network’s “edge.” Given how long we’ve been adjusting to this new digital work context, fresh employee security training is nowhere near overkill – it’s overdue.

Defend from within

And yet, we know it’s not a catch-all. Zero trust means zero, right? So that means that even if a malicious actor does dupe your best players and somehow skirts past your defenses, you need to be prepared to defend from within. You can integrate every available network security tool (and training implementation) and still suffer a data breach. So implement CIS Controls. Secure endpoints and BYODs and the door to your server room like your livelihood depended on it. And perhaps most importantly, train those employees.