Think your company can withstand a cyberattack? Think again. Cybersecurity confidence is falling — this year, an annual survey of cybersecurity found global cybersecurity confidence had dropped from a C to a C- — and it’s no wonder.
2016 saw some unprecedented attacks, such as the denial-of-service (DoS) attack that shut down websites worldwide, including Airbnb, Etsy, and the National Hockey League. Ransomware attacks escalated, too, holding the data and IT systems of universities and businesses hostage.
As tempting as it is to view cyberthreats as something from out there, external to your company, the truth is that human error is responsible for the worst breaches. Not convinced? Look at the data. In the 2016 Cyber Security Intelligence Index, IBM found 60% of attacks involved company insiders. Approximately three-quarters of these attacks were motivated by malicious intent, while the remaining quarter was the result of an employee making a mistake.
Your company must stay vigilant in protecting your employees and systems from an attempted hack — and a large part of that protection includes a comprehensive cybersecurity training program. This post will go over what your training program should cover and why this knowledge is necessary.
Educate Staff On What “Cybersecurity” Means
Of course, your company’s IT team needs to have a more technical understanding of cybersecurity, but it’s important all staff have some level of knowledge, too. Not everyone will have the same understanding of what cybersecurity is, so start with some of the basics:
- Social engineering attacks
Define these popular types of cyberattack and offer examples of how individual employees can play a role in helping protect the company. Your staff also need to understand the different technologies and computer networks in use, and how they interact with each other. We recommend you identify some best practices.
Are your staff regularly backing up their data and work? Do they know how to protect their passwords? Do they understand what two-factor authentication is and how to use it?
Too few people are aware of the risks of connecting to free Wi-Fi hotspots. Employees need to know that if they connect a company-issued device to one of these hotspots, they are opening the company up to cyberattack.
Similarly, not enough people appreciate the malware risk of plugging in an unknown USB drive. Numerous experiments have found that roughly half of dropped USB drives end up plugged into the computers of the people who come across them. This is concerning: one study found 66% of lost USB keys were infected, and such keys ending up in your company's computers could wreak havoc on your entire computer network.
All employees need to understand the risks of:
- Disabling or ignoring corporate security measures like anti-virus software and firewalls
- Clicking on links in phishing emails (and how to tell what a phishing email looks like)
- Opening email attachments from unknown senders
- Downloading files from questionable sources and sites
- Disclosing credentials such as usernames and passwords online
Taking the time to thoroughly educate staff on cybersecurity will be more effective than merely handing them a handbook of security policies. Your employees are more likely to take the policies seriously if they understand the why behind them.
Inform Employees About The Risks Specific to Your Industry
While healthcare, manufacturing, financial services, government, and transportation are among those industries most likely to be targeted, each industry faces its own risks. Your cybersecurity training should focus on the risks specific to your company and industry.
For example, utilities companies are uniquely at risk of being targeted by state-sanctioned hackers, as part of cyber warfare. In contrast, healthcare organizations are more vulnerable to cybercriminals who want to sell valuable patient information to the highest bidder on the black market.
The particular threats your company faces will shape your cybersecurity training program. Review case studies from other companies in your industry that experienced a security breach. Similarly, be honest about any past breaches at your company, and explain how the company addressed them. This type of information sharing could help businesses take more proactive cybersecurity measures.
Make Employees Aware Of Policies, Standards, and Legislation
Every company and industry is different and has different security policies and standards in place. The compliance requirements the Health Insurance Portability and Accountability Act (HIPAA) places on healthcare organizations, for example, are different from the compliance requirements of other industries.
It’s important your staff understand not only your company’s security policies but also the regulations and legislation that govern your company. In particular, your employees need to know how to handle sensitive customer information they use in their roles.
By providing this education on policies, standards, and legislation, your company will be more successful in maintaining compliance.
Review Protocols In Case Of A Security Incident
Obviously, it’s much better to avoid a security incident altogether. But if something happens, your employees need to know how to react. You don’t want them to make it up as they go — or worse, react as though nothing has happened. Make sure they know to:
- Report any suspicious activity, and know who to report it to so it is addressed in a timely manner.
- Avoid panicking. Security incidents can be stressful, but it’s important to stay calm.
- Look to a designated staff member for guidance. It may be your Chief Information Officer (CIO) or even your CEO, but everyone should know who will communicate with them in the event of a cybersecurity breach.
Cybersecurity training is essential in today’s vulnerable digital environment. Make sure all the staff at your organization, not only your IT department, understand their role in preventing a damaging cybersecurity attack on your company. Yes, it takes time and resources to ensure your company is informed and protected, but there’s no question the benefits outweigh the costs.