Looking at security breaches over the last five to seven years, it is clear that people, whether they let malware in by accident or on purpose, are the single most important point of failure. In the past, companies could train employees once a year on security best practices. Most organizations still roll out an annual training and consider it one and done, but that is not enough.
Instead, organizations must do people patching: just as you update hardware and operating systems, you need to continually update employees on the latest threats and train them to recognize and avoid them.
Your people are your assets, and you need to invest in them continually. If you don’t keep your people patched, you will always have vulnerabilities. Even in a company with hundreds of employees, training them costs less than taking on the risk of a breach.
Here are some tips to help your employees understand cyber risk and best practices.
The best training today is “live fire” training, in which the users undergo a simulated attack specific to their job, Schwartz said.
Maybe they fall victim to an attack that’s orchestrated by a security department or an outside vendor, and then they’re asked to understand the lessons they’ve learned from that attack, and the implications on the business, on their personal lives and how they could have prevented it. And then they’re asked to share that experience with their peer group.
Many companies perform regular phishing tests, in which the IT team sends a fake phishing email to all employees across the organization and gauges how many people click on it. The results can then be broken down by department and by type of message to tailor training to problem areas, and tracked from one test to the next to show progression.
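The measurement side of such a phishing test, as an added example in Python (this is not code from the original article, from ETS or from Schwartz). Each recipient gets a unique tracking token derived with an HMAC over the campaign and employee id, so a click can be attributed without putting an email address in the lure URL and without anyone being able to guess or forge a colleague's token; the click log is mapped back to the roster, tokens that match no recipient are counted separately rather than against anyone, and click rates are computed by department and by lure template and compared against the previous campaign. The roster, the campaign key, the log lines and the phish-sim.example host are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed per-campaign secret for the example. In a real run generate it with
# secrets.token_bytes(32), store it with the campaign record and rotate it per campaign.
CAMPAIGN_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# Constructed roster: ids, departments and lure templates are hypothetical.
ROSTER = [
    {"id": "e001", "dept": "finance",     "template": "invoice"},
    {"id": "e002", "dept": "finance",     "template": "invoice"},
    {"id": "e003", "dept": "finance",     "template": "password-reset"},
    {"id": "e004", "dept": "engineering", "template": "password-reset"},
    {"id": "e005", "dept": "engineering", "template": "invoice"},
    {"id": "e006", "dept": "engineering", "template": "password-reset"},
    {"id": "e007", "dept": "sales",       "template": "invoice"},
    {"id": "e008", "dept": "sales",       "template": "password-reset"},
]

# Lure links look like https://phish-sim.example/c/<32 hex chars> (constructed host).
TOKEN_RE = re.compile(r"GET /c/([0-9a-f]{32})")


def tracking_token(campaign_id: str, employee_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC-SHA256 over (campaign, employee), truncated to 128 bits. Unguessable without
    the key, so tokens cannot be enumerated or forged, and the URL carries no PII."""
    msg = f"{campaign_id}:{employee_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def tracking_url(campaign_id: str, employee_id: str, base="https://phish-sim.example/c/") -> str:
    return base + tracking_token(campaign_id, employee_id)


def attribute_clicks(campaign_id, roster, log_lines, key: bytes = CAMPAIGN_KEY):
    """Map click-log lines back to employees. Returns (set of clicker ids, unknown-token count)."""
    by_token = {tracking_token(campaign_id, r["id"], key): r["id"] for r in roster}
    clicked, unknown = set(), 0
    for line in log_lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue  # not a lure click (favicon, health check, ...)
        emp = by_token.get(m.group(1))
        if emp is None:
            unknown += 1  # forged or mistyped token: never counted against anyone
        else:
            clicked.add(emp)
    return clicked, unknown


def click_rate_by(roster, clicked, field: str) -> dict:
    """Fraction of recipients who clicked, grouped by a roster field (dept, template)."""
    sent = Counter(r[field] for r in roster)
    hits = Counter(r[field] for r in roster if r["id"] in clicked)
    return {k: round(hits[k] / sent[k], 3) for k in sent}


def progression(previous: dict, current: dict) -> dict:
    """Change in click rate per group since the last campaign (negative is improvement)."""
    return {k: round(current[k] - previous.get(k, 0.0), 3) for k in current}


def sample_click_log(campaign_id: str, key: bytes = CAMPAIGN_KEY) -> list:
    """Constructed web-server lines for a run in which e001, e002 and e005 clicked."""
    lines = [f"2024-02-01T09:12:03Z GET /c/{tracking_token(campaign_id, e, key)} 203.0.113.5"
             for e in ("e001", "e002", "e005", "e001")]  # e001 clicked twice
    lines.append("2024-02-01T09:13:00Z GET /favicon.ico 203.0.113.5")
    lines.append("2024-02-01T09:14:21Z GET /c/" + "0" * 28 + "dead 198.51.100.7")  # forged token
    return lines


def run_campaign(campaign_id="2024-q1", previous_by_dept=None, key: bytes = CAMPAIGN_KEY) -> dict:
    # Constructed rates from the "previous" campaign, for the progression report.
    previous_by_dept = previous_by_dept or {"finance": 0.5, "engineering": 0.5, "sales": 0.25}
    clicked, unknown = attribute_clicks(campaign_id, ROSTER, sample_click_log(campaign_id, key), key)
    by_dept = click_rate_by(ROSTER, clicked, "dept")
    return {
        "clicked": sorted(clicked),
        "unknown_tokens": unknown,
        "by_dept": by_dept,
        "by_template": click_rate_by(ROSTER, clicked, "template"),
        "delta_by_dept": progression(previous_by_dept, by_dept),
    }


if __name__ == "__main__":
    for name, value in run_campaign().items():
        print(name, value)
```

Two design points worth keeping when you build your own: the token is keyed, so an employee who spots the pattern cannot mint a token for a colleague and "click" on their behalf, and unknown tokens are reported as their own number rather than silently dropped, because a spike in them usually means the lure was forwarded, scanned by a mail-security product, or tampered with. The same grouping function serves both breakdowns the text describes (by department and by message type), and the per-department delta is what you show as progression from one test to the next.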
If this is something you would like to implement in your organization, contact us: our team of cybersecurity professionals can tailor a program that fits your needs.
Start building the mindset the first time employees come through the door: all new hires should go through security training from day one. That way they hear from the time they start that cyber security matters and that they will receive continuous training. It is a great way to set the culture and good habits from the beginning.
Don’t be afraid to evaluate both employees and systems to find out how vulnerable your organization is to attack. Until you do, you won’t know how good or bad your security posture is. ETS offers a complimentary vulnerability assessment of 1 to 5 of an organization’s publicly facing IP addresses. The assessment is a snapshot of a small portion of your environment; it provides a high level of insight and will help you identify areas of weakness and adjust your security posture to address them. http://etssecureme.com/
Create a plan for communicating cybersecurity information to all employees, so that every department is on board with training and best practices. It helps break down silos, creates alignment, and gets people working on it together.
IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks.
Tech leaders should appoint a cybersecurity culture advocate in every department at their organization. These advocates can act as an extension of the CISO and keep employees trained and motivated. That’s something that’s often overlooked—use the resources you already have in the company beyond the IT team.
Cybersecurity training should continue throughout the year, at all levels of the organization, and be specific to each employee’s job. End users need training on the types of attacks they are likely to receive, for example attacks on their email or lures tailored to the kind of job they hold. IT staff face attacks that are more technical in nature, and their training should be correspondingly more technical.
Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace, but also at home. Teach users about privacy, security, and how the lessons learned at work can apply at home and in their personal lives to give them a ‘what’s in it for me’ they can apply all the time, not just at work.
While these tips can help, education is not a perfect solution. Even with the most advanced and current education scenarios, a percentage of attacks will still get through: even the most enlightening and useful educational programs still see a 4 to 6 percent attack success rate after all the training is done. Training is just one aspect of defending the environment against advanced attacks.