Cybersecurity Awareness: a Top Priority in Staff Training
Brought to you by WBR Insights
There is no question that the age of technology in which we find ourselves is bringing amazing opportunities for businesses to perform their roles better than ever before. However, an unfortunate side effect of this is that it is providing similar opportunities to cybercriminals as well.
20 percent of organizations have stated that they were hit by six or more cybersecurity attacks in a single year, with a massive 80 percent saying they'd had one so severe in the last twelve months that it had required a board-level meeting. Perhaps more worrying is the fact that over a third of breaches involved an insider within the target company and over 90 percent took the form of malware delivered by email.
With 68 percent of security professionals stating that they lack the skills to effectively stay on top of cybersecurity issues, it could be that your company needs to invest in some training. However, while training for security staff is good, you should also be focusing on creating a culture of cybersecurity awareness throughout your entire organization.
#1 Identify Risks
This is arguably the most important phase of developing your security awareness training program as it will inform every other facet. There is no one-size-fits-all approach to security training, and you will need to craft it around the specific threats relevant to your sector and the specific technologies your company employs.
For example, Internet of Things devices are notorious for having poor security. Some hackers claim they can break into an IoT device within a few seconds. So, if your business includes an Industry 4.0-enabled factory or anything similar, you are going to need to focus on building security awareness in this area.
However, one threat that is universal is malware or phishing scams delivered by email. You might think that most people these days know not to open suspicious emails and their attachments, but this is still where the vast majority of attacks gain a foothold. Educating your staff on how to identify fraudulent emails and what to do with them should, therefore, be a top priority.
#2 Make Training Engaging for Maximum Impact
The problem with most traditional security awareness training programs is that they're boring. Classroom-based training is treated as no more than a box-ticking exercise and something which must be signed off for compliance reasons.
The problem with this approach is that, even if all the information your staff needs is contained in the program, they will fail to absorb the material if it isn't engaging. They will return to their jobs having gained nothing from the training, ready to carry on making the same mistakes.
For your training program to resonate with your staff, it needs to be role-specific, tailored, enjoyable, and address the challenges staff face on a day-to-day basis. Deploy a range of different tools and techniques - videos, roleplay with realistic scenarios, quizzes, policy reviews, etc. - to make sure your people don't get bored and stay engaged with the material.
#3 Ongoing Refreshers
Once the training is finished, you need to make sure that your staff is kept up to date with all the latest developments and new policies which may arise. Obviously, it's not practical or productive to have new training sessions every week, but that doesn't mean you should give up on the idea altogether.
You can use communications and marketing techniques to keep your staff up to date. Blogs, awareness graphics, and case studies can all be sent out on a regular basis. The world of cybercrime is a rapidly shifting and evolving one, and a lot can change between annual, or even bi-annual, training sessions. Delivering regular content to your staff is a great way of keeping them informed without disturbing the day-to-day running of your business.
Don't forget that criminals are often more active during seasonal periods, such as Thanksgiving or Christmas. They rely on companies being too busy to act with the usual due diligence and use that opportunity to make their move. Therefore, it may pay to have refreshers around these periods to make sure staff know that, even though they're busy, they need to stay vigilant.
Finally, you need to make sure you're measuring the effectiveness of your programs all the time. Get feedback from your staff and see where you can make improvements in terms of both engagement and information retention. As we've already said, cybercriminals are constantly evolving, and your company needs to do the same.
Training and awareness are set to be hot topics at InfoSec Connect 2020, taking place in March at the Rancho Bernardo Inn, San Diego, CA.