As cyberattacks become more prevalent and sophisticated, companies must put more faith in their employees to make sure they don’t put data at risk or fall victim to ransomware. One of the best ways for an organization to reduce cyber risk is to build a culture of cybersecurity. This entails creating a mindset in employees that the risk is real, and their daily actions impact that risk.
Employees: The Weakest Link in the Security Chain
According to security expert and American cryptographer Bruce Schneier, security boils down to your worst employee. And, keeping employees up to speed on the importance of security can be a challenge.
It’s only human to get caught up in daily workloads without giving much thought to security. Even before the age of ransomware, rampant malware and sophisticated threats, training employees on cybersecurity best practices was a challenge. Many chief information security officers and security professionals still find the same concerns exist today. However, many companies are in a better position to build a cybersecurity culture throughout their organization.
In discussions surrounding awareness and culture, the best methods for promoting security awareness internally seem to include interesting, relevant, and engaging programs that are promoted from the top down.
Why your employees are targeted.
There are numerous resources available to businesses to protect IT systems and data, from managed IT services to cybersecurity software solutions. That’s why hackers and fraudsters are increasingly using tactics like spear-phishing and social attacks to get the information they need to infiltrate your systems from an unsuspecting party. In fact, nearly half of data breaches are the result of human error and system glitches.
Organizations must take responsibility to ensure employees have the necessary training and knowledge to avoid attacks rather than placing blame on that individual. It’s up to your business to create a strong cybersecurity culture and provide consistent training to your staff so everyone knows how to spot and avoid cyber threats.
Why you need to focus on employee cybersecurity training.
Currently, the most underspent sector in cybersecurity is employee training despite the critical role it plays in the protection against threats. That also means an investment in employee training represents your best opportunity for cost-effective, meaningful improvement.
For cybersecurity software and solutions to do their job, they must be constantly updated. The same is true for employee education. Since new viruses and attacks are developed daily, your employees require consistent and regular training and updates from a trusted source. Consider these statistics from Chubb’s Third Annual Cyber Report:
70 percent of respondents say their company has excellent or good cybersecurity practices but only 31 percent receive annual company-wide training or updates.
More than two-thirds of employees learn about cybersecurity protection from mainstream media or family and friends. Only 19 percent of employees learn about cybersecurity protection through their employer.
Training For a Culture of Cybersecurity
Cybersecurity culture is important as it helps protect company assets from hardware to data. It needs to be part of a broader corporate culture of day-to-day actions that encourage employees to make thoughtful decisions that align with security policies. A security culture is more than just cybersecurity awareness. It requires the workforce to know the security risk and the process to avoid that risk. It’s the building and enforcement of following an operating process of tasks that keeps the firm safe. Most organizations have spent years and countless resources to acquire and create their data asset, and if it is lost, stolen or corrupted, it could impact their bottom line for years to come.
Enterprises spend millions of dollars on hardware and software but neglect the simple act of properly training their employees on security practices. Teaching employees to recognize threats, curb poor behavior and follow basic security habits can be the best return on investment. However, it can be difficult to measure and therefore justify the expense. Trying to quantify the return on investment in employee training and building a culture of security can be difficult to sell to upper management. In many cases, management does not believe that just training their employees can reduce their exposure to cyber losses.
Cybersecurity Culture Do’s and Don’ts
If you’re unsure where to get started, the National Institute of Standards and Technology (NIST) has a great framework that can inform cybersecurity training and awareness.
Additionally, here are 10 do’s and don’ts to follow:
Do use constructive and collaborative criticism to deal with users or employees who don’t adhere to your training program.
Do test your employees more than quarterly, and preferably monthly. Monthly tests like a mock phishing campaign can reap large security rewards.
Do report program results to the C-suite (with easily digestible decks and graphs) as often as necessary.
Do allow for a simple process for employees to report suspicious emails.
Do use interactive training before testing your employees on anything.
Don’t be overly forceful or overbearing with the program.
Don’t forget to include managers, key stakeholders, and relevant IT teams in the process.
Don’t use the same phishing test for each user or always send on the same day.
Don’t start your awareness program with complicated concepts.
Don’t forget to remind everyone in your organization that a robust security culture extends beyond the office to help employees keep safe at home as well.
Establishing strong security policies and create a culture of shared attitudes and actions to drive success is a critical step to securing your company. Remember, cybersecurity is a team effort. Put your employees in a position to succeed by providing regular cybersecurity training and updates that protect them and your organization. Supplement that with periodic simulated phishing campaigns to give employees the opportunity to test their knowledge learned while not putting the company at risk. Remedial training for those that fail the campaign will give them an opportunity to learn more about what to look for from cybercriminals.
If you are anyone would like to discuss this or other cyber topics please feel free to reach out to us here.