Training Employees on Cybersecurity
When it comes to fighting hackers, we need all the power we can collectively find. Educating employees is the key to preventing cyberattacks as humans are considered the biggest problem and weakest link in cybersecurity.
Should every company train its employees on cybersecurity? Let me put it to you this way: if your staff is unaware of the latest types of cyberattacks and the basic rules of information security, your company is practically powerless and extremely vulnerable to data breaches. Cybersecurity training is no longer an extra to be dismissed until the time is better. The time is now, and the best defense is to make sure you are taking the steps to protect your business. If you had a high chance of getting hit by lightning, you wouldn’t go around carrying a metal rod. But with the chances of getting hit by a hacker rising every day, having uneducated employees running your business is essentially the same thing.
So, Where to Start?
To minimize careless cybersecurity mistakes and encourage employee vigilance, you should talk with your employees about cybersecurity regularly. Regularly means at least once a month. Security issues should always be at the top of employees’ minds. Inform your staff about the latest techniques and penetration methods that hackers use.
Employees should know what impact a breach could have on a company as a whole and on each staff member separately; they also should be aware of the danger posed by social engineering, phishing, malware and ransomware attacks, etc.
To ensure your security training is making your networks more secure, it should include these essential components.
Education on Spotting Phishing and Ransomware Attempts
Phishing and ransomware have become the most rampant forms of cybercrime and an exponentially increasing threat to organizations. Many organizations have been targeted by phishing or ransomware. Ransomware is a form of malware designed for the sole purpose of extorting money from victims. Phishing is a form of social engineering by which cyber criminals attempt to trick individuals by creating and sending fake emails that appear to be from an authentic source, such as a business or colleague. The email might ask you to confirm personal account information such as a password, or prompt you to open a malicious attachment that infects your computer with a virus or malware.
It is common for phishing emails to instill panic in the recipient. The email may claim that your account may have been compromised and the only way to verify it is to enter your login details. Alternatively, the email might state that your account will be closed if you do not act immediately. Teach your employees to take the time to really think about whether an email is asking something reasonable. If they are unsure, they should contact the company through other methods.
Making Password Management Mandatory
A strong password policy is the front line of defense for confidential user information. A password policy is a set of rules created to improve computer security by motivating users to create dependable, secure passwords and then store and use them properly. A password may follow the traditional guidelines yet still turn out to be a weak password. Users who can’t remember their strong passwords and end up writing them down or constantly having to reset them undermine the benefits of a strong password policy. This is why educating users to manage their strong passwords is so important. Having a password like “eup*^O67)QBY$19@B” is VERY secure. It contains nearly every element of a strong password. But how many users will remember a password like this? Chances are a strong password like this is written down on a piece of paper taped to the user’s monitor, underneath their keyboard, or sitting in the top of their desk drawer. It might even be hidden among the random items on the user’s desk. This does not encourage employees to create strong passwords. Teach users to relate their passwords to things they can easily remember, like a favorite sport or hobby. For instance, “I enjoy playing basketball” can become “IEnjoiPlay!ngB@$k3tb@ll11”. This version is secure and easily remembered by users.
How do I Implement Cybersecurity Training Into My Normal Employee Training?
1. Perform "Fire Drill" training exercises
Training is best when it’s LIVE. In this type of training, users undergo a simulated attack specific to their job function.
They may fall victim to an attack that is actually orchestrated by the security department or an outside vendor, and then they are asked to work through the lessons they have learned from that attack: the implications for the business and for their personal lives, and how they could have prevented it. Have them share that experience with their peer group.
Here at navitend we perform regular phishing tests, in which a fake phishing email is sent to all employees across the organization. We gauge how many people click on it. We can then see our problem areas and which employees and departments may need additional training.
2. Get buy in from the top
Upper management needs to take on the responsibility of making the entire company aware of the ramifications of a potential breach. They have to accept that having a good cyber plan means having line items in your budget for people, hardware, and software, year over year. This means getting the CFO, CIO, and CEO on board.
3. Start cyber awareness during the onboarding process
From the first time employees come through the door, start building the mindset: all new hires go through security training from day one. That way they hear from the time they start that cybersecurity is important, and that they are going to get continuous training.
4. Conduct evaluations
Don't be afraid to perform evaluations of both employees and systems to find out how vulnerable your organization is to attack. Until you do that, you won't know how bad or good your security posture may be.
5. Communicate
Create a plan for how best to communicate cybersecurity information to all employees, and get all departments on board with training and learning best practices. It will help break down silos, which creates alignment and gets people working on it together.
6. Create a formal plan
Your IT Staff or MSP should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on cyber attack threats and other potential risks.
7. Appoint cybersecurity culture advocates
Tech leaders should appoint a cybersecurity culture advocate in every department at their organization. These advocates can help keep employees trained and motivated; your HR department is one possible home for this role. We sometimes see this step overlooked. It’s important to use the resources you already have in the company beyond your IT team.
8. Offer continuous training
Cybersecurity training should continue throughout the year, at all levels of the organization, specific to each employee's job. If you're an end user, there has to be training associated with the types of attacks you might receive, for example attacks on your email or attacks that target the type of job you hold.
9. Stress the importance of security at work and at home
Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace, but also at home, especially now during the pandemic with the “work from home” environment. Teach users about privacy and security, and how the lessons learned at work can apply at home and in their personal lives, to give them a "what's in it for me" they can apply all the time, not just at work.
10. Reward employees
Reward users who find malicious emails, and share stories about how users helped avoid security issues. IT leaders should also empathize with employees who make mistakes. We are all living in a landscape where we receive hundreds of emails per day. But the training goes a long way, and employees will not feel as if they are alone or the only ones having to deal with these issues.
While these training tips can help, education is not a perfect solution. Even with the most advanced and current education, a percentage of attacks will still get through; even the most enlightening and useful educational programs leave a chance that an attack may succeed after all the training is performed. So training is just one aspect of defending your business environment from advanced attacks.
Looking for a well-developed training curriculum based on the latest evolution of cyberthreats for your company? We can train and test your employees and give you regular reports on their progress.
navitend can help you. Call 973.448.0070 or set up an appointment today.