Employee Education Is the Best Cyber Security Investment
Reduce your employee-driven risks while meeting your risk and compliance requirements
Despite growing investment in cyber security technology, the human factor continues to be a common point of failure in breaches. The 2017 Verizon Data Breach Investigations Report (DBIR) found that “1 in 14 users were tricked into following a link or opening an attachment — and a quarter of those went on to be duped more than once.” The same report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords. Yet with proper education, employees can be one of your strongest lines of defense. In the 2016 Bangladesh Bank heist, carried out over the SWIFT network, attackers requested roughly $951 million in fraudulent transfers and got away with about $81 million. A spelling error in one payment instruction (“Fandation” for “Foundation”) prompted an employee at a routing bank to query it, which blocked a $20 million transfer; most of the remaining requests were held up by reviewers at the Federal Reserve Bank of New York. Attentive people stopped far more money from leaving than the attackers ultimately took.
Most regulations and frameworks require a documented cyber security training plan for your employees. The NIST Cybersecurity Framework’s Protect Function includes an Awareness and Training category (PR.AT), which calls for personnel and partners to receive cyber security awareness education and to be trained to perform their security-related duties consistent with related policies, procedures, and agreements. By investing in a cyber security education program for your employees, you reduce employee-driven risk while meeting your risk and compliance requirements. Keep records of who was trained, on what, and when; a training plan without attendance records is hard to demonstrate to an auditor.
Start from the beginning – include cyber security training in your new hire program. Making security part of onboarding keeps it top of mind from day one and demonstrates the organization’s commitment to protecting data and other resources. Clearly articulate policies and stress that cyber hygiene applies at home as well as at work, since compromised personal accounts and devices can become a path into the workplace.
Educate with consistency and frequency – an annual or one-off session is not enough to build a security-aware culture. As the threat landscape evolves, regular, short refreshers are needed so employees can recognize and respond appropriately to the latest threats, such as new phishing themes.
Keep it real – employees are more likely to buy into the need for vigilance when you can show the real-life impact of breaches through examples or case studies, ideally ones from your own industry. Avoid scare tactics, which often come across as disingenuous.
Keep it simple – technology may pervade every corner of the business, but not every user understands it. Keep training and communications plain, so employees can digest what is being asked of them and act on it without being overwhelmed or confused.
Follow up and reinforce – as with any training, retention depends on follow-up and reinforcement from management. Ongoing communication and tactics such as quizzes, games, contests, and real-life exercises (for example, simulated phishing campaigns) help fortify learning and drive a cultural shift. Treat simulation results as a measure of the program, not as a way to single out individuals.
Build a system of advocates – extend the reach of your IT and HR staff by recruiting advocates within the business units who can continue the conversation locally and keep cyber security on the agenda in their area.
Have empathy – remember that you are asking employees to change the way they do their jobs. Fun, upbeat communication helps ease tension. Celebrate successes and avoid blame when an incident occurs; by the time a user clicks a phishing link, mail filtering, web filtering, and endpoint controls have usually all had a chance to stop it and did not. Employees who do not fear blame are far more likely to report a click quickly, and early reporting is what limits the damage.
TalaTek can strengthen the policies and procedures governing your employees’ cyber practices. Contact us to learn how we can help you apply a sound information security strategy across your organization. Contact us at email@example.com.