Employee Security Training: The Basics
2018 witnessed a slew of cyber attacks affecting enterprises like Whole Foods, Macy’s, Uber, Facebook, Google+, Under Armour, and many more. According to the Ponemon Institute's 2018 Cost of Data Breach report, the average total cost of data breaches rose from $3.62 million in 2017 to $3.86 million in 2018—an increase of 6.4%.
The report also indicates that 27% of data breaches occur due to human error. Many well-intentioned employees inadvertently make judgment errors—like reusing their passwords or skirting IT protocols—and leave their organization at risk of an attack.
Many employees also fall for phishing scams, a tactic used by cyberattackers to prompt people to click unsafe links, send money to fake vendors, or download malicious files. Studies show that phishing attacks are becoming more prevalent and bolder as time goes on. These and other malicious attacks cause 48% of breaches, making them a major priority when determining how to protect your organization.
With cybersecurity experts predicting an increase in the number of enterprise data or network breaches caused by employee negligence, it’s imperative that organizations develop comprehensive training programs to mitigate these attacks.
Where to start
Here are some actionable best practices to help you implement a successful training program.
Make training part of your onboarding process
Cybersecurity training should be a core part of employee onboarding. This will allow you to set up your new staff with the security practices they need to know as they navigate their new position and will reduce the likelihood of noncompliance with your existing policies. When trained effectively, employees constitute an important first line of defense against potential data breaches.
Be aware of the most common threats
As indicated in the Ponemon Institute report, phishing scams and other social engineering practices are among the most common types of attacks that users fall prey to. Part of the reason these are so successful is that employees are rarely trained on what to look for when they receive a potentially suspect email. Do they trust the sender? Does the email address match the name? Do they know where the link will lead? Equipping employees with the judgement to identify potential risks is vital.
To support employees, organizations can also implement tools like comprehensive firewalls and anti-phishing toolbars on their browsers that alert users if they reach a malicious site.
Make every employee part of your security team
Cybersecurity training should be made available to all employees (including your interns) and mandatory for everyone (even your executives). As such, the language used in training should be relatable and understandable to everyone. Avoid using technical jargon that might get in the way of comprehension. On top of that, keep your employees engaged by detailing the business benefits of secure data, rather than just focusing on the risks and consequences of a breach.
As you enable employees to protect the perimeter, consider rewarding employees that report suspicious emails or other activity. By gamifying the process, you can keep users engaged in amplifying the organization’s security layer.
Personalize training by department
When planning your organization’s training program, consider prioritizing the departments that might be higher-value or easy targets for attackers. This would include teams that handle financial or personally identifiable information (PII)—such as your HR or finance team—teams that manage vendor relationships, and individuals like executive assistants that have access to your C-suite.
Each of these teams should have their training customized to address how they can mitigate attacks during everyday tasks. You can teach your recruiting team to look out for malicious resumes; have payroll ensure there are secure processes in place before sending PII; and ensure your finance team knows how to verify they are transferring funds to the appropriate vendor.
Make training an ongoing process
Training your employees on how to protect your organization should not be a one-off event. A reassessment program that evaluates how users engage with potential phishing attacks on a regular basis can provide insight into the security health of your organization. Departments that handle sensitive information may need a more regular testing cadence (e.g. quarterly or monthly) than the rest of the organization.
Equipping employees with current knowledge around how to proactively spot the latest security threats like suspicious emails, phishing scams, and ransomware is essential—especially considering the continued rise of the mobile workforce, stricter government and industry regulations, and the pervasiveness of BYOD policies that can compromise a company’s security if not followed.
Enterprises that invest modestly in security awareness and training reduce their security-related risks by 70% and have a 72% chance of significantly reducing the business impact of successful cyber attacks. According to research by Ponemon Institute, even the least effective cybersecurity training programs yield a seven-fold ROI while a well-planned and executed program will deliver a ROI that’s 37 times greater than the initial investment.
What else can you do?
Beyond delivering comprehensive training initiatives to your employees, there are other things you can do to further mitigate the effect of employee negligence on your organization’s security. As a general practice, make sure that you
- Develop, review, and update internal cybersecurity policies and processes
- Ensure that employees maintain robust password hygiene
- Implement single sign-on so that employees have just one set of credentials
To learn what else you can do to protect your organization, check out our data breach risk assessment checklist.