Cybersecurity Training – Back to School for Employees

It’s back-to-school season and a good time to think about how your company is educating employees about cybersecurity. TECHPol has discussed the high incidence of cyber breaches related to employee errors and the importance of training your staff. See blog posts: Employees — The Weak Link in Your Company’s Cybersecurity and What’s the Biggest Cybersecurity Threat? Employees. We thought it would be worthwhile to review some tips for training your employees so they are equipped to defend against cybercriminals rather than opening doors for them.

Why is Cybersecurity Training Important?

Just to provide a little reminder and some urgency around why employee training is important, let’s consider some recent statistics:

  • Over 95% of cybersecurity incidents investigated involved human error according to the 2014 IBM Cyber Security Intelligence Index.
  • Experian Data Breach Resolution estimates that about 80% of the breaches they service can be traced to employee negligence.
  • A Ponemon Institute poll of 600 IT professionals revealed that 55% had experienced a security incident due to a malicious or negligent employee.
  • About 50% of all security incidents — compromising confidentiality, integrity or availability of an information asset — are caused by people inside the organization according to Verizon’s 2015 Data Breach Investigations Report.

How to Train Employees

Employees need to be aware of your organization’s security-related policies in order to adhere to them. While it’s great to put your policy in the employee manual and ask for a signature to verify that the employee read it, that’s likely not sufficient. In addition to a security primer as part of the onboarding process, effective training will require an ongoing effort to review and discuss the company’s policies, why they are important, and expectations for compliance as well as consequences for noncompliance. An ongoing discussion about cybersecurity across the organization — at all levels — will garner better results than a one-time conversation.

Options and opportunities for training are many: review of written policies, “classroom” training, online training, quizzes, discussions of new threats or policy changes at staff meetings, and after-action reviews of security scares or breaches. Companies will need to tailor training to their organization and employees, but it’s important that it is not one-dimensional.

What Should Cybersecurity Training Cover?

Consider these important topics as you put together your organization’s cybersecurity protocols and train your employees:

Passwords — Employees should use strong passwords that are not shared and that are changed regularly.

Phishing — Employees should not trust emails asking for sensitive information, even if an email appears to come from a reliable or authoritative source. Sensitive information can be relayed verbally to a person you know and who you’re certain has the authority to have the information. Employees should not click on links or download attachments from unsolicited emails.

Software — Install security patches in a timely manner. Don’t download unauthorized software on company computers. For more on apps, see blog post: Are Apps Safe? Tips to Protect Your Company’s Mobile Devices and Data.

Hardware — Unattended machines and devices should be locked. Employees should take precautions to avoid theft. USB and other non-company devices should be prohibited or screened for security issues before being plugged into a company machine.

Wireless Connections — Employees should know the dangers of unsecured networks and limit their use of public Wi-Fi. See blog post: Staying Connected on Vacation — Is Public Wi-Fi Safe?

Data Security — It should be made clear to employees what data they are permitted to access and share, as well as the parameters for doing so.

Personal Activity — Employees should be aware of how sharing information on social media can help cybercriminals run effective spear phishing campaigns. Use of company email for personal matters should be limited.

Reporting Problems — It’s important to encourage employees to report suspected problems immediately — whether their computer is acting up, they are the victim of a theft, or they are aware of a breach. The protocol for reporting issues should be clear.

An investment in employee cybersecurity training is a wise one that can save you the loss of dollars, reputation, and business.