How to Train Employees on Cybersecurity
Imagine that you’ve just installed a state-of-the-art security system in your home — there’s no way that anyone can enter the house without setting off an alarm. Of course, this security system is useless if your teenage son was never told how to engage the system and leaves without turning it on.
Most cyberattacks are blamed on outsiders, but employee unawareness or carelessness often opens the door. In addition, some employees with malicious intent can do far more damage than any hacker could from the outside. It’s important to recognize and protect against these threats.
In this article, we will look at how to train employees and avoid costly data breaches.
It’s easy to blame cyberattacks on outsiders, but negligent employees account for nearly 70 percent of cyber incidents.
Employees Are a Leading Risk Factor
The majority of cybersecurity incidents can be traced back to ignorant, negligent, or criminal employees. Among 874 incidents analyzed by the Ponemon Institute, 568 were caused by employee or contractor negligence, 85 by outsiders using stolen credentials, and 191 by malicious employees and criminals.
These incidents can be extremely costly for small businesses. The same report found that the average cost of an incident involving a negligent employee or contractor was over $200,000, while the cost of an attack with stolen credentials was nearly $500,000 — enough to put some companies out of business.
In addition to rank-and-file employees, it’s important to extend cybersecurity training to management and IT personnel. IT staff often turn a blind eye to management, even though executives have greater risk exposure because of their elevated privileges. This is especially true when they use public WiFi while traveling.
Cybersecurity Training Topics to Cover
Cybersecurity training should cover common attack vectors and include actionable advice. In addition, it’s important for businesses to invest in technology solutions that make it easy for employees to protect themselves from these threats rather than relying on them to change their behavior.
Let’s take a look at some of the most common attack vectors.
Download a sample employee training curriculum to see what a cybersecurity training program should look like.
Spot & Avoid Phishing
Many employees are aware of blatant phishing emails, but modern cybercrime has become more nuanced. For example, many cybercrimes begin with a phone call from someone posing as a customer and asking innocent-sounding questions to gather information about the company and its operations.
Active network protection is a great way to proactively prevent phishing emails from reaching employee inboxes. By training employees to ask the right questions, you can reduce the likelihood of a data breach through phone calls and other communication channels that are more difficult to police.
Some phishing tips to keep in mind include:
- Never provide sensitive information over the phone or by email, including financial account details, passwords or other data.
- Verify the identity of anyone you do not recognize before providing them with any information.
- Never open email attachments or download files from the Internet without proper verification.
- Report any suspicious behavior to a manager or colleague to help others avoid similar phishing attempts.
Better Manage Passwords
Employees should be required to use a different strong password for each account and to change them on a regular basis. At the same time, you must make it convenient for them to manage these passwords to prevent them from writing them down or engaging in other insecure patterns of behavior.
Password managers are a great way to solve these problems. In addition to automatically generating strong passwords, many password managers make it easy for employees to share passwords within an organization for common resources and track the usage of passwords to identify any issues.
Some password tips to keep in mind include:
- Ensure that passwords are strong, different for each service and changed on a regular basis.
- Don’t store passwords on paper, spreadsheets or other unprotected mediums that can be compromised.
Reduce Human Error & Crime
Nearly one-third of staff-related email breaches were due to sensitive information being sent to incorrect recipients, according to Verizon’s 2015 Data Breach Investigations Report. In addition, the 2017 Insider Threat Report found that nearly three quarters of companies felt vulnerable to insider threats.
The best way to prevent these issues is to limit employee privileges and ensure that remote employees, subcontractors, third-party vendors and other partners adhere to proper security protocols. For example, all remote employees should use a VPN when accessing a company network from public WiFi.
Some other tips to keep in mind include:
- Limit the privileges of current employees and ensure that terminated employee accounts are disabled or removed.
- Limit the sharing of credentials between employees where possible and change passwords on a regular basis.
- Set up processes to monitor your network for suspicious behavior and take action immediately.
Come Up with a Plan
Cybersecurity training should occur at least twice per year to keep employees updated on the latest threats. Each training should include practical and actionable tips covering specific cases with real-life examples. You may also consider holding training over lunch to keep employees attentive.
Practical tips covered in training sessions should be tested with fake phishing emails or phone requests. By regularly testing employee knowledge and compliance, you keep cybersecurity risk on their minds. You can also make it fun by rewarding the employees who respond fastest.
The Bottom Line
Most cybersecurity incidents can be traced back to negligent employees or contractors. Fortunately, many of these incidents can be avoided with better employee education and the right technology solutions. The key is regular and consistent training with real-life examples and active testing of knowledge.
Jungle Disk’s cybersecurity suite is specifically designed for small businesses with two to 250 employees to be a cost-effective solution that enables these best practices.