The threat of a cyberattack against your business is, unfortunately, not a new phenomenon in 2019. One survey reports that 43 percent of businesses fell victim to a cybersecurity breach over the last 12 months. What might be a bit more of a new phenomenon, however, is the role that your employees play in protecting your firm’s data. Your staff can be your greatest defense to thwart attacks; but they can also be your weakest link. Training your staff on basic cybersecurity risks and best practices can help ensure a better defense for your business. In this post, we present our top five cybersecurity training tips you should provide to your staff to help ensure that your company’s data remains safe and secure.
5 Cybersecurity Training Tips
1) The Right Way to Educate your Staff on Cybersecurity
Research suggests that the “vast majority” of cyberattacks are designed to exploit “the human factor”. At the same time, nefarious actors are continually developing new tactics to compromise personal and business data. Even if your employees have a baseline understanding of safe data practices, it’s more important than ever to get everyone at your firm on board with clear and effective cybersecurity training. We recommend the following general approaches when educating your staff on cybersecurity:
Remember, cybersecurity is everyone's responsibility. Include every employee at all levels of your organization in your training, from entry-level hires to your C-Suite and leadership team. If you work with independent or remote contractors, consider an ancillary training that speaks to their particular risks and needs.
Train early and often. Consider holding regular IT security training sessions to keep employees informed and educated on the latest security threats and best practices. This could happen monthly as well as on an as-needed basis. While you can incorporate cybersecurity training into your on-boarding plan for new hires, make sure that long-term staff also complete the training.
Make cybersecurity training holistic and impactful. In addition to offering concrete tactics and best practices, help your employees make a connection between risk and the impact a breach could have on the company and your operations. How might an incident impact their specific job or responsibilities?
Make the training enjoyable. Don’t treat the training as a punishment, even if you’re doing it as a result of a recent attack. Blame no one person or team for any past breach. Rather, position the training as a fun, informative, and positive opportunity to learn together as a team. (Though do discuss lessons learned from any past attack and the solutions you’ve implemented as a result.) Present the training in clear language with user-friendly terminology.
2) Be Careful What You Click
One key topic to include in any cybersecurity training is how to avoid clicking on phishing lures in emails and on the web. More than 90 percent of cyberattacks and data breaches originate with a spear phishing email, according to a 2016 report. This means that nearly all attacks begin when an employee clicks on something bad.
The use of robust anti-virus software has made many employees complacent about what they click on. However, phishing attempts can still evade this software; links in a work email, for example, could still lead to malware. A great way to teach the concept of phishing is through examples. Show your staff several examples of actual malware or phishing attempts. The Phishing.org site has a library of popular and real phishing examples, including emails, attachments, social media exploits, and CEO fraud scams.
One effective and engaging approach to help your staff recognize phishing and malware attempts is with a series of “tests”. Show your staff several examples and ask them to click or not click, depending on how safe they think the message is. After each example, pause to discuss their rationale and why they did or did not make the right decision in each case. This could be done at a large gathering or in small groups.
Another reason to spend time on this topic? Phishing happens quickly. Proofpoint research shows that about half of clicks on malicious emails happen within an hour of receipt; one-third of the time, it happens within 10 minutes. Attacks aren’t always in emails, either; make sure you explain in your training that attacks also come via attachments, unsecure websites, and even over the phone.
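When you build the “click or don’t click” exercise described above, the classic lure to show is a link whose visible text names one site while the actual link goes somewhere else. The following is an added example (not code from the original post or from N8 Solutions) that scans an HTML email body and reports exactly that mismatch, so you can check your own training samples or let staff see what they missed. The two sample messages and their hostnames are constructed for the example.

```python
"""Link checker for building phishing "click or don't click" examples.

Added example, not code from the original post or from N8 Solutions.
It flags anchors whose visible text shows one host while the href points
somewhere else, which is the mismatch staff are being trained to spot.
The two sample messages are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Return the lowercase hostname of a URL or bare host, or '' if none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    # Visible text is treated as a URL/host only when it has a dot and no spaces.
    return "." in text and " " not in text


def suspicious_links(html):
    """Return one finding per link whose shown host differs from its real host."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual:
            findings.append({"text": text, "href": href,
                             "reason": "shows %s but goes to %s" % (shown, actual)})
    return findings


# Constructed sample messages for the training exercise.
LURE = ('<p>Your mailbox is almost full. Free space now: '
        '<a href="http://login.example-mail.co/reset">https://mail.example.com/reset</a></p>')
SAFE = ('<p>Please review the updated '
        '<a href="https://intranet.example.com/policy">security policy</a>.</p>')

if __name__ == "__main__":
    for name, body in (("LURE", LURE), ("SAFE", SAFE)):
        print(name, suspicious_links(body) or "no suspicious links")
```

Links whose visible text is ordinary words (“security policy”) are left alone, because there is no shown host to compare; the check fires only when the text itself looks like an address. Hovering over a link to compare the real destination with the displayed one is the manual version of this same check, and is the habit the exercise is meant to build.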
3) Use Secure Passwords (and Perhaps a Password Manager)
Another must-teach topic is password security. We’re far from good at passwords these days. One report found that 65% of people surveyed reused the same password on multiple sites. Further, half of respondents kept track of passwords on paper, 61% wished for a better way to track multiple passwords, and less than a quarter of people reported using a password manager. On top of that, many employees use short or predictable (read: guessable) passwords for work-related login sites.
As such, plan to educate staff on how to create secure passwords. Better yet, you could also take this moment to implement and train staff on a password management tool across your business for even greater security. A password manager is an application that stores and organizes information like usernames and passwords that your team relies on to access various applications and sites. The right password management tool can help your business practice airtight security, mitigate cyberattacks, drive efficiency, and improve processes.
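The three password problems named above (short, predictable, reused across sites) are easy to check for mechanically once credentials live in one place, which is one practical argument for a password manager. The following is an added example, not code from the original post or from N8 Solutions, that audits a small credential store for all three. The 12-character minimum and the short list of predictable base words are assumptions chosen for illustration (a real check would use a published list of breached passwords), and the sample vault is constructed.

```python
"""Credential hygiene audit for the three password problems the post names:
short, predictable, and reused across sites.

Added example, not code from the original post or from N8 Solutions.
The 12-character minimum and the tiny list of predictable passwords are
assumptions for illustration; a real check would use a published list of
breached passwords. The sample vault is constructed.
"""
from collections import defaultdict

MIN_LENGTH = 12  # assumed policy threshold

# Constructed, deliberately small list of predictable base words.
PREDICTABLE = {"password", "123456", "qwerty", "letmein", "welcome",
               "summer", "winter", "spring", "autumn", "company"}

# Constructed sample credential store: (site, username, password).
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Summer2019!"),
    ("crm.example.com", "alice", "Summer2019!"),
    ("timesheet.example.com", "alice", "Summer2019!"),
    ("vpn.example.com", "alice", "correct horse battery staple 42"),
    ("wiki.example.com", "bob", "password"),
    ("wiki.example.com", "carol", "Tr0ub4dor&3"),
]


def base_word(password):
    """Lowercase the password and strip trailing digits/symbols, so that
    'Summer2019!' is judged by its base 'summer'."""
    return password.lower().rstrip("0123456789!@#$%^&*._-")


def check_password(password):
    """Return the list of problems with a single password (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if base_word(password) in PREDICTABLE:
        problems.append("predictable")
    return problems


def find_reuse(vault):
    """Map each password used on more than one site to the sorted site list."""
    sites_by_password = defaultdict(set)
    for site, _user, password in vault:
        sites_by_password[password].add(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items()
            if len(sites) > 1}


def audit(vault):
    """Return {(site, user): [problems]} for every entry with at least one problem."""
    reuse = find_reuse(vault)
    report = {}
    for site, user, password in vault:
        problems = check_password(password)
        if password in reuse:
            problems.append("reused on %d sites" % len(reuse[password]))
        if problems:
            report[(site, user)] = problems
    return report


if __name__ == "__main__":
    for (site, user), problems in sorted(audit(SAMPLE_VAULT).items()):
        print("%-22s %-6s %s" % (site, user, ", ".join(problems)))
```

Note that the long passphrase passes every check while a short password padded with a year and a symbol fails all three; that contrast is the point worth making in training, since the “add 2019!” habit is what makes a password predictable rather than strong. Stripping trailing digits and symbols before the lookup is what catches that habit.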
4) Avoid Unknown Networks
In today’s business environment, chances are you have at least some employees who work outside of the office from time to time, either in home-based offices or from the field. You might also work with independent or remote contractors who need access to your data and systems to perform their job. While this offers great flexibility for your staff, it also presents a particular risk to your data. Every time an employee moves their computer from one location to another, they may be exposed through insecure WiFi connections, such as those in public places like coffee shops. Criminals can use such a network to intercept information from the device, or even to take control of the device.
In your training, let your staff know that unknown or unsecure WiFi networks can expose them to man-in-the-middle attacks, which increases your company’s chance of getting hacked. Stress that staff should only use secure networks when performing work-related tasks, and that if a network looks suspicious, they should avoid connecting to it no matter how mundane their task seems. The same is true for staff who use their mobile phones to complete work-related tasks, such as checking email or logging into various project management or time tracking tools.
5) Stay Alert
Lastly, remember that cybersecurity training never ends, especially since nefarious actors continually find new ways to attack businesses and your data. Encourage employees to stay on top of relevant security threats. A few creative ideas to encourage this include:
Hold regular “open” training sessions and advertise these to your entire staff so that everyone knows the time, date, topic, and whether that session is mandatory or not.
Create monthly communications, like a newsletter, to help keep employees educated on emerging topics. You could gamify the training a bit and offer rewards or redeemable points for employees that engage with these materials.
Prepare and distribute info sheets after every training. Consider also placing signage around the office that reminds your employees of the basics.
Host an “IT Open House” or “Tech Office Hours” for your staff to ask questions of your IT team. If you establish open and transparent communication with your in-house or vendor experts, your staff may feel more inclined to ask questions now, versus waiting until it’s too late.
In addition to training, make sure that all staff know what to do and who to contact if they suspect a breach. (A good rule of thumb for your training sessions is to make sure your staff always knows what to do before, during, and after an attack.)
And, as mentioned above, keep it fun. Engaging content and a fun presentation might help your staff to retain and recall the training topics. For example, we read about how one business developed a cybersecurity training program in conjunction with comedy writers – a little laughter might make password management and network security a little more engaging!
We hope this post helps you recognize why your staff is your front line of defense for data security; we also hope it inspires you to start your own cybersecurity training program for your employees. We’d love to hear your ideas and help you think through some of your topics and strategies. After all, while we’re cybersecurity experts at N8 Solutions, we’re also all about relationships. We focus as much on the people using the technology as we do on the technology itself.
Please get in touch with us today to talk about cybersecurity training and other ways we can help you keep your data safe this year.