Imagine that you’re an entry-level employee in a new job. You get a call from a service technician. “We’re doing a regular update of your scheduling software,” the technician explains. “Great,” you think, “What excellent service.” “I’ll just need your password to log in,” he adds. Do you stop and ask someone if it’s OK? Or do you hand it over without thinking?
Enterprises invest enormous resources in cybersecurity, hiring experienced CISOs and implementing cutting-edge technologies. Spending is so high that the global cybersecurity market is expected to reach close to $420 billion by 2028.
All but the most experienced threat actors know that they don’t stand a chance against sophisticated defense mechanisms and, for the most part, don’t bother trying. Instead, they look for weak links through which to penetrate a company’s defenses, and the weakest link is often an untrained employee.
By unwittingly sharing a password, clicking on an unsafe link, opening an email attachment, or failing to secure an endpoint device, an employee can give a threat actor a way in. In fact, Cybint estimates that a whopping 95% of cyberattacks are the result of human error.
Therefore, no matter how strong a company’s defense systems are, it’s critical that they include comprehensive employee training for all employees.
Cover your bases from day one
Employees are vulnerable to attack from day one, so cybersecurity training should be a compulsory part of the onboarding process for all employees, even if their positions have nothing to do with IT.
Onboarding training usually includes a review of organizational policy for password management and sharing, general organizational security protocol, and the importance of using two-factor authentication (2FA) to log on to company systems, especially from endpoint devices.
If the company uses an app for 2FA, employee training during onboarding should include practice with the app to make sure that the employee is comfortable using it.
Likewise, employee training during onboarding should cover common attack tactics like phishing through Facebook, to raise awareness and minimize the chance that new employees will fall victim to them.
Training should explain the type of information phishing attacks usually target (user names, passwords, personal information, or financial information) so that any request for such information immediately raises the employee’s suspicions.
Try to provide as many examples as possible. For example, make sure that employees know that malicious software isn’t only sent through email—a virus can also be sent in social media messages, like an innocent-looking LinkedIn ‘invitation to connect’.
Stay up to date
Cybersecurity is extremely dynamic, and new threat vectors pop up every day, especially with the introduction of new technologies like 5G. Therefore, even the best onboarding training quickly falls behind: new attack vectors are created, and new security technologies and procedures are adopted to fight them.
Likewise, the onboarding process can sometimes be overwhelming, and employees may not be able to properly process so much information at once. That’s why reinforcing the content taught in onboarding at later stages is always a good idea.
The good news is that technology has made employee training easier than ever. Employers can utilize numerous platforms and strategies for ongoing employee training in cybersecurity including:
- Micro-training: “bite-sized” training modules that deliver practical information as needed
- In-app training: software tutorials that offer automated instruction inside the application
- Personalized training: individual learning modules designed to meet a specific employee’s needs
- Online training: remote training delivered by in-house staff, outside experts, or an automated training platform
Make sure that you’re hitting your targets
A key element of any type of education is testing how well the student has internalized the information that was taught. That’s why it’s a good idea to follow up on employee training with cyberattack simulations and testing to ensure that employees remember what to do and aren’t cutting corners.
Simulations are a great way to see what isn’t working and to help your employees learn from their mistakes; it’s far better for mistakes to happen in a drill than in an actual attack. As with fire drills, the more practice employees have in dealing with an attack vector in the middle of a busy workday, the better they’ll perform in a real attack.
Don’t forget to give employees positive feedback to build their engagement and commitment to fighting cybercrime. If an employee does a great job in a simulation or flags an incoming attack, give them a shout-out. Make fighting cybercrime a team effort, and not the sole responsibility of the IT department.
Include employee training in your cybersecurity plan
Employees of all levels can be targeted in cyberattacks, and no amount of technology can protect them from social engineering attacks. Thorough and effective training, both during onboarding and throughout their tenure, is critical to company safety.