Cybersecurity Awareness for Employees: Best Practices
Human error causes approximately 85 percent of data breaches, often because they don’t know how prevalent the threat is or what they should be looking for. Cybersecurity awareness can help businesses stop many attacks by arming their employees with the knowledge they need. How can businesses ensure that their employees don’t fall for cyber threats? Here are some of the best practices for employee cybersecurity awareness.
Make Security Awareness Training a Regular Event
Cybersecurity is a constantly changing industry, and as new threats emerge, businesses will need to communicate that information to their employees. At the very least, cybersecurity training should be conducted once per year, but even that infrequently can put companies at risk. If a business holds their training one week and a new threat comes out the next, then they might wait another 50 weeks before telling their employees about it.
“The traditional approach of a once-a-year compliance training is out of date, and inherently higher risk than building a culture of security through consistent training programs and modules, paired with things like phishing simulators and scenario-based training,” says Jack Koziel CEO and founder of InfoSec Institute. “We’re running monthly security awareness training, annual tabletop exercises, and bi-weekly phishing campaigns to ensure our employees have the knowledge they need to not only detect potential cyber threats but also respond.”
Additionally, regular training doesn’t have to involve regular meetings. Nicole Moore, Senior Analyst at DTEX Systems, says, “We recommend sending an all-staff email 1-2 times per month highlighting specific security topics alongside relevant current events, and the key takeaways to be learned from each.”
However, not everyone reads emails as carefully as they should, so businesses should follow these emails up with short quizzes or simulations.
Free Training Resources
Valecia Stocchetti, Senior Cybersecurity Engineer at the Center for Internet Security, offers several free resources that businesses can take advantage of. “The Cybersecurity and Infrastructure Security Agency (CISA) is well known for providing several resources for cybersecurity training and workforce development. The National Cybersecurity Alliance (NCSA), a nonprofit, is also a great place to obtain cybersecurity awareness and education resources,” she says.
“Additionally, for U.S. State, Local, Tribal, and Territorial (SLTT) governments, FedVTE is a great resource full of free online cybersecurity training. Whatever resources your organization invests in, paid or free, ensure that they are engaging and informative.” Paid cybersecurity awareness tools may also include simulations businesses can run with their employees and video resources to engage more users.
Gamify Cybersecurity Training
In order to keep cybersecurity awareness interesting and engaging, companies should gamify it, rather than just giving a lecture. “Performing regular simulation-based training allows them to be immersed in live cyber attacks, enabling them to increase their awareness and understanding of what might happen in the future,” notes Debbie Gordon, CEO and founder of Cloud Range Cyber. “This creates muscle memory and allows the company to be more prepared to detect and respond to an attack.
“It works similarly to flight simulators that pilots use to practice their skills in real-world conditions,” she explains. “A cyber range simulation program builds on education and skills that are learned in individual lab environments to allow people to practice cyber defense in a simulated environment with real attack scenarios.”
Identify the Biggest Risk Factors for Your Organization
Not all cyber threats are going to apply to every organization. Businesses that take payment information on their website are more prone to DDoS attacks than those that don’t, for example. Once security teams know the types of threats their business is most likely to encounter, they can structure training programs to focus on those attacks, rather than conducting generalized training.
“To find out where your vulnerabilities are, carry out an audit on your network assets,” advises Jason Stirland, CTO at DeltaNet International. “Do everything from monthly penetration testing to updating known bugs out in the wild and keeping updated on Patch Tuesday announcements. To save time on resources, prioritize patching the vulnerabilities at the highest risk of exposing your organization or applications.”
Moore discusses the importance of real-time feedback when identifying risk factors. “One of the ways we supplement general security training is with DTEX’s Teachable Moments feature, which sends an email notifying a user or manager of negligent behavior in near-real-time. This notification can be configured to alert the desired recipient of activities like accessing inappropriate sites (or any site that breaches corporate policies),” she says. “Not only does this help organizations quickly confront risky behaviors, but it helps to reinforce what the real areas of risk are and can be used to push for additional cybersecurity training for your workforce.”
Also read: Is Cybersecurity Insurance Worth It?
Get Everyone Involved
Buy-in from every part of the organization is critical for cybersecurity awareness. Kev Breen, Director of Cyber Threat Research at Immersive Labs, explains that cybersecurity training can no longer solely consist of organizations teaching their employees not to fall for social engineering. “Organizations need to ensure a fundamental understanding of how each role contributes to cybersecurity across the workforce,” he says. “To do this, cyber skills must be continuously measured in any area of the business where risk is present and the development of knowledge, skills, and judgment kept up to date in a way which keeps pace with the dynamic pace of risk.”
Breen says organizations have to broaden the responsibilities to more than just their cybersecurity team, giving the examples that “developers need to be aware of their role in building secure software and executive teams need to prepare for crisis response.”
Leaders need to gain a deeper understanding of the ‘why’ behind these incidents to define better business practices that could benefit others in the organization
Nicole Moore, Senior Analyst at DTEX Systems
Cybersecurity must start at the top and trickle down, so businesses also have to have buy-in from their executive team to make the training successful. “Leaders need to gain a deeper understanding of the ‘why’ behind these incidents to define better business practices that could benefit others in the organization,” says Moore. She recommends that managers lead security conversations with their staff, rather than a member of the security team, to help reinforce the importance for their team specifically.
Also read: A Guide to Introducing Security into DevOps
Don’t Punish Employees When They Make Mistakes During Training
Training is meant to give employees a safe space to fail, meaning you shouldn’t punish employees that don’t perform well on the training. Instead, have a one-on-one conversation with them about the mistakes they made and how they should handle those scenarios in the future. Then, you can provide the training again to see what they’ve learned. Clear dismissal or willfully risky behavior should be met with disciplinary action, but these are unlikely.
For the most part, employees won’t purposefully do anything that would hurt your company, but you have to give them the tools they need to know what to look out for. Additionally, put protections in place that can reduce the number of chances they have to make a mistake, like email security software and password managers.
