Cybercriminals are becoming more sophisticated in their tactics, and companies need to take note if they want to protect themselves. By increasing security awareness, an organization can reduce its chance of having a cybersecurity incident by up to 70%. But cybersecurity training can be cumbersome, so companies and their employees may not prioritize it or, at worst, not do it at all. That is a serious mistake that can cripple a business if it succumbs to a cyberattack: lost revenue, damaged reputation, compromised data, operational disruption, and possibly even lawsuits. So what can organizations do to engage their workers in cybersecurity training?
The first step is to realize that cybersecurity is everyone's responsibility. People are the first line of defense, so training must start on an employee's first day and include everyone who uses email. Onboarding should always incorporate security awareness training, and after that, simulated phishing campaigns should be run regularly, about once a month. That may seem excessive, but research shows that trained employees begin losing what they learned four to six months after each session, so regular simulations keep the lesson fresh between sessions. With hybrid workplaces commonplace post-pandemic, about 55% of remote workers rely on email as their primary form of communication, which drives home the importance of security awareness training.
Training needs to be comprehensive
Several types of cybersecurity training are available for employees, each targeting a different aspect of security. Training on protecting credentials may cover topics such as a clean desk policy, strong password practices, and how to avoid phishing scams, while data privacy training could cover privacy risks and secure connections. Mobile security training is equally important: it shows employees how to secure mobile devices and covers Wi-Fi security, device management, and backups as they apply to mobile. Other topics include physical security, industry compliance, and specific threats such as ransomware, account takeover, business email compromise (BEC), and phishing, among others.
Changing the mindset around cybersecurity training
There needs to be a mindset shift around this topic. As both cyber threats and attacks continue to rise, it’s more important than ever for companies to have security plans in place that are regularly revisited and updated as needed.
When the first mandatory seatbelt-use laws appeared in the mid-1980s, only about 14 percent of Americans regularly wore seatbelts, even though National Highway Traffic Safety Administration (NHTSA) standards had required them in new cars since the late 1960s. Although seatbelts could save lives, they were met with tremendous resistance and seen as an infringement on personal freedom. Eventually, drivers and passengers alike accepted the life-saving device, and no one questions wearing them today.
Companies can do their part to make the training engaging so employees don't see it as a chore. First, make it personal. Most employees view cybersecurity as IT's job, so make clear how their own actions could affect the security of the business and cause financial and reputational damage in a breach. Next, make it simple. Deliver training in bite-sized pieces, each short and focused on one main idea, through easy-to-digest material or videos; research shows 15 to 30 minutes is ideal for retention of the content. Where compliance with a regulation requires longer training, split it into two or more segments. Finally, engage them: describe a simple scenario and ask questions to test their knowledge of best practices.
Stay up to date on latest threats
With cyberattacks, and phishing attempts in particular, constantly evolving, companies need to track the latest threats and train around them. Research shows that security awareness training reduces phishing-related costs by more than 50 percent on average. When a new threat emerges, send a short briefing whose subject line clearly tells employees to watch or read about it, then follow up with a simulated phishing attack that mimics the new threat. Anyone who falls for the simulation should receive the training again immediately after the failed test, while the lesson is fresh. And finally, remind employees to always be skeptical of suspicious emails and, when in doubt, report them to IT!
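One way to operationalize the monthly simulation and retrain-on-failure cycle described above, as an added example that is not from the original article: a small Python script that parses a hypothetical phishing-simulation export, computes per-campaign failure and reporting rates, lists who fell for the latest lure, and flags anyone whose last training session is older than the four-month edge of the retention window mentioned earlier. The export format, user names, dates and the 120-day threshold are all constructed for illustration.

```python
"""Tally phishing-simulation results and decide who needs training next.

Added example, not tooling from the original article. The export format,
sample users, dates and the 120-day refresh window are assumptions.
"""
import csv
from collections import Counter, defaultdict
from datetime import date, timedelta
from io import StringIO

# Outcomes that count as "fell for it" and trigger same-day retraining.
FAIL_OUTCOMES = {"clicked", "submitted_creds"}
# Retention drops off roughly 4-6 months after a session; refresh at the early edge.
REFRESH_AFTER = timedelta(days=120)

# Constructed sample export (hypothetical format: campaign,sent_date,user,outcome).
SAMPLE_EXPORT = """campaign,sent_date,user,outcome
c1,2024-01-08,alice,reported
c1,2024-01-08,bob,clicked
c1,2024-01-08,carol,ignored
c1,2024-01-08,dave,submitted_creds
c2,2024-02-12,alice,reported
c2,2024-02-12,bob,clicked
c2,2024-02-12,carol,reported
c2,2024-02-12,dave,ignored
"""

# Constructed: date each user last completed a training session, and the "today" used below.
SAMPLE_LAST_TRAINED = {
    "alice": date(2024, 1, 5),
    "bob": date(2024, 1, 8),   # retrained right after failing c1
    "carol": date(2023, 9, 1),
    "dave": date(2024, 1, 8),  # retrained right after failing c1
}
AS_OF = date(2024, 3, 1)


def parse_export(text):
    """Read the CSV export into a list of dicts with real date objects."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["sent_date"] = date.fromisoformat(row["sent_date"])
        rows.append(row)
    return rows


def campaign_stats(rows):
    """Per-campaign failure and report rates: the two numbers to trend month over month."""
    per = defaultdict(Counter)
    for r in rows:
        c = per[r["campaign"]]
        c["sent"] += 1
        if r["outcome"] in FAIL_OUTCOMES:
            c["failed"] += 1
        elif r["outcome"] == "reported":
            c["reported"] += 1
    return {
        cid: {
            "sent": c["sent"],
            "failed": c["failed"],
            "reported": c["reported"],
            "fail_rate": c["failed"] / c["sent"],
            "report_rate": c["reported"] / c["sent"],
        }
        for cid, c in per.items()
    }


def failed_users(rows, campaign=None):
    """Users who fell for the lure (optionally in one campaign); retrain them immediately."""
    return {
        r["user"]
        for r in rows
        if r["outcome"] in FAIL_OUTCOMES and (campaign is None or r["campaign"] == campaign)
    }


def repeat_failures(rows, min_fails=2):
    """Users who failed at least min_fails simulations; candidates for extra coaching."""
    counts = Counter(r["user"] for r in rows if r["outcome"] in FAIL_OUTCOMES)
    return {u for u, n in counts.items() if n >= min_fails}


def overdue_for_refresher(last_trained, today):
    """Users whose last session is older than the retention window."""
    return {u for u, d in last_trained.items() if today - d > REFRESH_AFTER}


def training_queue(rows, last_trained, today, campaign):
    """Both triggers combined: failed the latest simulation, or training has gone stale."""
    return failed_users(rows, campaign) | overdue_for_refresher(last_trained, today)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for cid, s in campaign_stats(rows).items():
        print(f"{cid}: fail {s['fail_rate']:.0%}, reported {s['report_rate']:.0%}")
    print("repeat failures:", sorted(repeat_failures(rows)))
    print("training queue:", sorted(training_queue(rows, SAMPLE_LAST_TRAINED, AS_OF, "c2")))
```

Feed it the real export from whatever simulation platform is in use (after adjusting the column names) and run it after each monthly campaign; the failure rate should fall and the report rate should rise over time, and the queue is the list to hand to whoever schedules the follow-up sessions.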