It’s a harsh truth: your employees may be the biggest threat to your company’s cybersecurity. We’re not saying they’re bad people; still, it’s been shown time and time again that employees tend to be far too casual and unguarded in their work habits, creating unnecessary vulnerabilities for their companies. According to CompTIA’s “Trends in IT Security” study, half of all security breaches result from human error and bad habits — such as using public Wi-Fi access for work.
The same study found that the vast majority of employees still use public Wi-Fi on mobile devices and laptops to access sensitive company data. Employees are prone to creating low-security passwords, sharing them, and updating them infrequently; worse yet, some leave their work machines entirely unlocked while they are away. Thirty-seven percent of employees studied only refresh their work passwords yearly (at best)!
These statistics highlight just how important it is to provide comprehensive cybersecurity training to your employees. It’s not likely that your staff members are maliciously trying to bring harm to the company — in most cases, they simply haven’t been taught how to use secure methods, or how important their day-to-day habits truly are.
At its core, your cybersecurity training program should cover these three essential topics:
1. Cybersecurity Risks
There’s no use explaining how to craft a secure password if you haven’t first explained why a secure password matters. Providing employees with the “why” behind the “how” is an important foundation for training.
Although most people are familiar with the concepts of hacking and cybersecurity risks, they may not be well-versed in how these risks spell out trouble — for instance, how a low-security password makes your laptop easier to access, and the various ways in which hackers can breach the company’s systems from your individual computer. Perhaps your employees have heard warnings about avoiding suspicious-looking emails, but have never understood what a phishing email truly looks like, or how it’s designed to create confusion.
Be sure your training includes an overview of what cybersecurity is, how security is breached, what technologies are involved, and what the different forms of cyberattacks look like. It’s especially important to explain how an individual employee’s behavior can contribute to an increase or decrease in the company’s overall cybersecurity.
2. Methods of Protection
Teaching the foundations of cybersecurity and how cyber threats work should lead you naturally into the next topic: the methods by which companies can protect themselves against such dangers. Your training should provide employees with a solid knowledge of antivirus software, encryption, firewalls, and other cybersecurity tools.
What does it look like when an end user runs into a firewall? What might it look like if a firewall were breached or vulnerable? When employees understand how these tools keep sensitive information safe, they are also better prepared to identify when these tools aren’t doing their jobs. Explain how individual users can keep an eye on their own company’s systems and recognize when protective measures may be under-utilized or compromised.
3. Why Participation Is Crucial
There’s no benefit to educating employees on cybersecurity if they don’t understand why their own behaviors and habits matter. Even once your employees know the steps it takes to be secure, what motivation will they have to follow those steps?
Every cybersecurity training program should end with a takeaway that includes clear expectations, and explains how employees’ security habits affect the entire business. Using personal devices for work tasks, setting low-security passwords, and lacking knowledge of the company’s evolving security practices all pose a risk.
Social engineering penetration testing can help your business reinforce the importance of employee participation in cybersecurity practices. Showing employees just how vulnerable they may be to social engineering can open lines of communication and create powerful teaching moments. This type of evaluation can easily be performed by contractors, who have the added benefit of presenting themselves as a separate entity. Because third-party testers have no prior relationship with the employee (a relationship that could compromise the intention of the exercise), third-party penetration testing can be a best-fit solution for your business.
A good cybersecurity training program is strategically designed to not only educate users on best practices but also motivate them to commit to secure habits. Each employee should leave training with a solid understanding of his or her role in keeping the company safe, and a dedication to upholding that duty.