Combat Hackers with Cybersecurity Training for Your Staff

Your employees are on the front line when it comes to cyberthreats, but many of them are unprepared. When cybercriminals strike, employees may not recognize the risks and red flags. Data breaches cost on average $4.35 million, so providing your employees with training is crucial.

Current Cybersecurity Battlefield

According to a recent study by the Ponemon Institute, a technology consulting firm, employee negligence is the leading cause of data loss incidents. In fact, nearly 60% of businesses suffered data loss in the last 12 months due to employee email errors.

Also worth noting is the growing shift to remote work. A Ponemon study found a strong correlation between the number of remote workers in an organization and the cost of a data breach. However, the study also found that certain factors, such as employee training, were associated with below-average breach costs.

Key elements of cybersecurity training

Risks vary by organization, but cybersecurity training should cover at least the following:

Passwords. Believe it or not, even though the importance of hard-to-crack passwords seems to have been hammered into our heads for decades, many people still have bad password habits. Year after year, 123456, 123456789, PASSWORD, and 12345 are the most common passwords.

When employees use such simple passwords, your systems become vulnerable to attack. Teach your employees to create strong passwords (12 characters including numbers, symbols, and a mix of upper- and lower-case letters). They should also change their passwords at least every 90 days and avoid reusing passwords across apps, devices, and software.

Social engineering. In social engineering attacks, including phishing attacks, cybercriminals use social skills to obtain or compromise an organization’s information and computer systems. Phishing accounts for 16% of data breaches, according to a Ponemon report. But phishing is just one example of the social engineering threats employees can face.

For example, “vishing” uses voice communication. Combined with other types of social engineering, it can trick victims into calling specific numbers and divulging sensitive information. “Smishing” uses SMS messages containing malicious links. Training should teach employees to recognize and resist different types of fraud so that they do not fall victim and endanger their data.

Mixing business and entertainment. When employees mix work and personal accounts, information, and devices, it can lead to disaster. Explain why personal devices should not be used for business activities (such as accessing an organization’s bank account or sending confidential information), and why company devices should not be used for gaming or watching videos.

Similarly, USB devices, hard drives, and other external hardware should not be shared between work and personal devices. Also, do not download any software or apps from unknown sources. For example, downloading malware onto a personal phone used for business communications could expose that communication to hackers.

Safe browsing. Building a culture of safe browsing is especially important because a lot of work is done remotely. In addition to alerting employees to suspicious attachments and links, you can also require employees to use a virtual private network (VPN) when accessing your system. A VPN establishes a secure encrypted connection, hides the user’s IP address, and acts as a filter to protect your data from cybercriminals. This lets remote workers access your network and exchange data securely.

Training Beyond Lectures

The content of your cybersecurity training is important to your employees, but so is the format. A one-page lecture or slideshow is unlikely to captivate your audience or be memorable.

If you want your employees to be able to put the lessons into practice, make the training interactive. It’s one thing to administer a quiz at the end of training. It’s another — and a more effective approach — to create simulations during or after training that allow trainees to put what they’ve learned to the test.

Some companies run simulations during working hours to see how their employees react. These real-time assessments provide much better insight than paper quizzes on whether employees retain working knowledge. However, quiz questions also have a role. These will help you quickly identify those who need additional training.

Keep Cybersecurity Training Going

Effective cybersecurity training is not a one-time or annual event. Make training an integral part of your employees’ work lives as threats continue to evolve. You don’t need an hour-long session every week to make a difference. With employee cybersecurity in mind, micro-training with short videos and email reminders can be very helpful. Contact us with any questions about cybersecurity.

© 2023