Cybercrime is on the rise.
In an ever-evolving threat landscape, fostering a culture of forward-looking cybersecurity awareness to protect your network and assets is vital to the success of your business. You’re only as strong as your weakest link, which is why cybersecurity awareness training is a must-have for your organization.
Phishing scams have increased dramatically as criminals seek to prey on employees working remotely because of the COVID-19 pandemic. And KnowBe4’s 2020 Phishing By Industry Benchmarking Report suggests that 38% of employees who don’t undergo cybersecurity awareness training will fall victim to phishing scams.
Your team members must:
- Be aware of potential cybersecurity threats
- Be able to recognize those threats in the real world
- Know how to prevent incidents from occurring
- Know what to do when prevention proves impossible
Creating a program of regular cybersecurity awareness training should be a key part of your information security program. Without that and an effective cybersecurity governance plan, you run the risk of falling victim to threats and vulnerabilities caused by a lack of adequate prevention or incident response.
Creating a Training Program
When developing your cybersecurity awareness training program, start by looking at your risk management assessment and what systems you have implemented — or plan to implement — to protect your organization. Your risk assessment should give you a good idea of the threats and vulnerabilities you’re facing as well as an understanding of how security savvy your staff is.
Your training program should cover these five fundamental facets of cybersecurity to limit the likelihood of your employees contributing to a breach.
Physical Security
Your sensitive information and infrastructure must be protected from unauthorized physical access. It’s important for your staff to understand physical security policies whether they are working in the office or remotely. Policies can include:
- ID badges/swipe cards/biometrics
- Guest logging
- Alarms and surveillance
- Device lockup
Measures to secure your systems physically can appear inconvenient when they’re first introduced, so it’s crucial that your team understands the value of and reasons for the policies. Team members who believe in a system are far more likely to maintain it than those who only see it as a nuisance.
Password and Credential Security
We all know that frequently changing complex passwords — especially when they can’t repeat — can get annoying. It seems like a lot of hassle, especially when we don’t think anyone would want to use our access for unauthorized activity. It’s important to educate your staff on the risks of easily cracked passwords and teach them best practices for credential management:
- Create strong passwords that include uppercase and lowercase letters, numbers, and symbols.
- Avoid obvious passwords like birthdays, children’s names, or things like “password” or “12345.”
- Two-factor authentication using email or text can help protect systems when passwords are compromised.
- Don’t reuse passwords. Always use a different password for each account you access.
Make sure your team knows that every new device or piece of infrastructure needs its own set of strong credentials, no matter how non-critical a component of your network it may seem.
Threat Recognition
Your team cannot manage threats that they cannot identify. Be sure your cybersecurity awareness training includes examples of all the risk types that could affect your business:
- Phishing — a new phishing site goes live every 20 seconds
- Social engineering — 33% of hacks in 2018 relied on social engineering
- Malware and viruses — 60% of breaches involve a vulnerability that could have been patched
- Physical intrusions — 42% of security professionals have concerns about their company’s ability to secure physical spaces containing critical data
If you don’t have a network security specialist on your team who can properly demonstrate what to look out for, consider using a contracted part-time information security officer to fill the void.
Reporting and Communication
To ensure your information risk management program is effective, your team must be able to connect with cybersecurity officials and leadership in a rapid and flexible way. Regardless of the type of communications system you use for reporting cybersecurity incidents, make sure your team understands how and when to use it, and who to notify if an incident occurs.
Open communication is key here. Your team must feel safe and empowered to tell someone if they detect an issue (past, present, or future), even if it’s just a suspicious email.
Incident Response
Once your team knows how to recognize and communicate about threats, it’s time to talk about your incident response plans.
This part of your cybersecurity training for employees should include practical scenarios in addition to instruction on documented policies. Staff should understand exactly what their responsibilities are for:
Make sure you include some real-life examples of possible incidents. You’ll get insight into how your staff responds in a crisis and identify areas that need improvement.
Do You Need Cybersecurity Awareness Training?
Depending on your company’s specific cybersecurity needs and goals, you may want to pursue certification for your organization (or for individuals). Or, if certification doesn’t seem like something you need right now, you may prefer to work in-house on something simpler.
Cybersecurity instructors can be from your own team, external experts, or a combination of both. There are some areas of cybersecurity awareness training that are best taught by a certified external instructor, while others can easily be taught by team members.
If you need assistance developing or implementing a cybersecurity training program for your employees, the experts at AISN can help. Contact us for more information.