Why is cyber security training for employees necessary?

The number of ransomware attacks on businesses has increased significantly during the pandemic. As more people work from home and organizations rush to update their infrastructure to accommodate for remote working, often there are lapses in security. Businesses are more vulnerable to cyber-attacks and according to KPMG the chances of a ransomware attack being successful are much higher when people are working remotely. The attack on the Colonial Pipeline Company in the US, the $50 million ransom demanded from computer maker Acer, and other high-profile ransomware attacks have made it clear, that businesses need to act. Part of the reason why ransomware attacks are more successful with remote working is weaker security on home IT systems but a significant reason is also human vulnerability. Ransomware attackers are taking advantage of the anxiety surrounding the Covid crises to trick unsuspecting employees into clicking on links and engaging with harmful malware. By using information about vaccines, masks and hand sanitizers, bad actors are able to lure employees into taking their desired action. The best way to protect against such attacks it to educate and empower employees. This is why businesses need to invest in cybersecurity awareness training for employees.

See also: 'Ransomware Task Force' Formed to address increasing attacks

The need for cyber security awareness

There are three main components to an organization's cybersecurity: technologies, protocol/policies, and people. As threats evolve so do security technologies. Having the right policies and security protocols in place, organizations can prevent cyber attacks and minimize damage caused by successful breaches. The people components of cyber security are perhaps the most important and ironically often the most neglected. The best security technologies and policies will fail if the people working in an organization are not properly trained and aware of the risks to cybersecurity. A fort may have the best defenses like a strong gate and a moat filled with crocodiles, but that will be of no use if the soldiers on guard unknowingly lower the drawbridge and let attackers in. Understanding human behavior is crucial for understanding the need for awareness. Human beings can be negligent and careless. They will be particularly vulnerable if they do not know what an attack might look like and do not have information about the threat landscape. This is why organizations must create cyber security awareness training for employees that focuses on how employees can impact the business's security and what risks they need to be on guard against.

Best practices for security awareness training

1. Keep learning bite-sized

When designing the training program, break the topics down into chunks. Within each chuck create bite-sized content that is easy to consume. This will make the training more effective. Breaking information into smaller pieces will keep employee's from feeling overwhelmed. Studies show that after one hour, people only retain half of the information that was presented to them [1]. You can increase retention and recall by reinforcing training. Bite-sized information can be consumed multiple times without the need for employees to invest a lot of time. Let's take phishing emails as an example, you can start your training with a simple video explaining the concept and the potential dangers, shared with all employees. After some time you can send out fake phishing emails to your workforce and see who makes the mistake of clicking on the links. You can provide more detailed training to the people who need it and then rinse and repeat. This way you are only giving employees the amount of training that they need. If an employee retains the information shared in the video and does not fall for the phishing email, then there is no need for that employee to invest more time in detailed training.

2. The highest risk for the highest reward

Focus on the biggest risks to your cybersecurity. There is a lot of different malware, ransomware, and threats out there. Which are the ones that your business is most vulnerable to? What would cause the biggest impact? Which employees pose the greatest risk to cybersecurity? Answering these questions will allow you to create a training program that delivers the highest ROI. When it comes to organization-wide training your focus should be on sharing your company's goals and vision with employees and encouraging designed behavior. Remember that not everyone needs to be trained on everything.

3. Don't be repetitive

There is nothing more frustrating and annoying for employees than sitting through training for things they already know. Often organizations will repeat their training because they are worried about retention loss and recall. A good way to address this issue is to test employees on their knowledge. Employees that score well in the test need not sit through the training program again. For a complex or long training program, you can conduct a sectioned evaluation, and employees only need to attend the parts of the program they performed poorly in. This is a good way to improve the efficiency and effectiveness of your training programs. Tests can also create a sense of internal competition among employees and create an incentive for them to retain what they are learning so that they do not have to repeat the program.

4. Password Storage

Customer data, employee data, project details are all sensitive information that needs to be protected for an organization to be successful. The use of strong and secure passwords is essential in this regard. Good passwords will prevent unauthorized access to devices and information. Sometimes organizations overlook password hygiene when it comes to security awareness training, because they assume that employees are creating strong passwords as instructed by the tool or platform they are using, however, this need not be the case. Training employees on password hygiene is important. Sometimes employees make the mistake of writing down their passwords and leave the information unattended. Or they may save all their passwords in an unsecured file on their desktops. These are oversights that hackers can take advantage of to access a system. 

5. Continuous training is essential

The threat landscape of cybersecurity is continually changing and hence security awareness training should also be done on a continuous basis. As new threats and attacks are identified, employees should be trained on how to identify and guard against these threats. Organizations should regularly test employees to see how much information they know and if any retraining programs need to be conducted.  Since many employees are working from home, businesses should update their existing programs so that they can provide online security awareness training to employees. If possible work with an instructional designer to create a program that is comprehensive but concise.

The current state of cybersecurity & training

95% of cybersecurity breaches are caused due to human error[2]. Human intelligence and comprehension are the best defense against the most common phishing attacks. Remote workers will continue to be a target by hackers in 2021, and an increase in remote working will result in higher chances of cloud breaches. Recently there has been an increase in the number of cyberattacks on small businesses. This is no longer an issue that only large-scale organizations need to worry about. The cost of a successful attack can be devastating for businesses that do not make investments in their cybersecurity. 45% of employees do not receive any cybers ecurity training from their employers [3]. This is a gross oversight because most successful ransomware attacks are a result of phishing scams that can be avoided by creating awareness among employees.

Many executives do not know what they should do in the event of a security incident because the business does not have policies in place. It is imperative for businesses to create these policies and communicate them to all employees. The policies should be readily available for reference on multiple channels like the employee handbook, the company's internal communication tool, etc. Policies are a great way to inform employees what is basic hygiene required for security. For example, they can be used to inform employees that they should not open any links sent from unknown ids, any unusual requests from reporting managers should be reported to the IT team. Quick response is crucial when hackers get access to a business's systems. By educating your employees you are increasing the chances that security attacks will be prevented and in the worst case, promplty reported to your security team so that they can take the necessary countermeasures.    

When designing cyber secrutiy training for employees, look beyond awareness, it is important for employees to also implement what they learn. Hence, programs should also have testing and practical components. Make the program engaging and reward employees that perform well in testing. The goal should be for employees to stop thinking of the training as an obligation or an annoyance. Security should be part of your organization's culture and all employees should understand what role they play in protecting against threats. Human intelligence is still the best protection businesses have against cyber attacks.

Subscribe to whitepapers.online for quality white papers, ebooks, and news coverage from the world of technology.   

Featured image: Background photo created by rawpixel.com - www.freepik.com

Sources:

1. June 2017, M. Bingham, "10 Stats About Learning Retention You’ll Want to Forget", Bridge, [available online] available from: https://www.getbridge.com/en_gb/blog/10-stats-about-learning-retention-youll-want-forget/ [accessed May 2021]

2. Dec 2020, D. Milkovich, "15 Alarming Cyber Security Facts and Stats", Cybint, [available online] available from: https://www.cybintsolutions.com/cyber-security-facts-stats/ [accessed May 2021]

3. May 2018, M. Williams, "Infographic: 10 statistics that show why training is the key to good data protection and cybersecurity", Pensar, [available online] available from:  https://www.pensar.co.uk/blog/cybersecurity-infographic [accessed May 2021]