As we come to the end of cyber security month – we must admit to ourselves that to err is human. You can employ the latest technology at your company to bolster defenses but you cannot always keep employees from making stupid and unintentional mistakes. This lone fact is why cybersecurity training, and repetitive training, is so important.
An incredible 95% of all cybersecurity incidents involve human error. This can include clicking on a malicious link, entering personal information into a supposedly friendly account, opening an unknown attachment or falling victim to an impersonation email, among other social engineering tactics. And when these attacks succeed, employee mistakes can have a large corporate impact.
It's important to recognize that this isn't about blaming employees; social engineering, after all, is about hackers taking advantage of human behavior to pull off a scam or attack. Rather, companies need to work with employees to make them cybersecurity aware through cybersecurity training and re-training.
As even the smartest employees can be caught off guard by new techniques, I’ve included some tips for successfully training employees:
Cybersecurity training starts at the top
Concern for cybersecurity is often lower for managers inside the C-suite than managers outside of it. Unfortunately, the C-suite needs to be just as aware of potential consequences of a breach, if not more, and involved in cybersecurity. They need to ask the relevant questions: Are security functions in all systems up-to-date? What cybersecurity training programs are in place?
Only if the C-suite is on board with cybersecurity protocols will a culture of cybersecurity importance be present at every level of the company.
Training should be continuous
Cybersecurity training isn't an event that happens once a year; it should be ongoing within the company. All new hires should go through training, setting a security mindset from day one. Do regular evaluations to make sure systems and employees are up to speed.
Make sure the trainings are relevant to each employee's job and organizational level. There are many kinds of training; for example, you might use gamification to train employees. Salesforce piloted a security awareness gamification program that focused on positive recognition, which significantly reduced the likelihood that participants would click on a phishing link. Be creative. Employees must take security seriously and must be enrolled in protecting organizational data as if it were their own.
Studies have indicated that employees are much more likely to be cybersecurity aware if they learn by doing, rather than by listening. Simulations are a great way to train employees and teach them to recognize potentially malicious situations.
Cover the Basics
There are certain basic mistakes people make all the time that should be covered in cybersecurity training. These include:
- Discussing sensitive information over an unsecure channel, like email or text
- Failing to report a lost device
- Sharing passwords
- Reusing passwords
- Leaving documents with sensitive information on desks
- Failing to report suspicious emails
A good rule of thumb for employees: if an email, text or a link doesn’t seem right, don’t open it—report it to the IT department.
Use the Right Tools
It's important that employees have access to the right tools to help maintain security. These should be tools that are easy to use, making security easier for employees. One example is password managers, which can be used to maintain password security; another is secure messaging platforms for communicating sensitive information.
Communication is one of the key areas where employees might accidentally compromise private corporate data. We’re so used to text and email these days that many people don’t think twice about sending sensitive information over these channels—even though they’re often unsecure. Secure messaging platforms like Vaporstream mimic the look and feel of SMS—making them easy to use—without compromising information security or compliance.
Tools like these assist cybersecurity training because they can be easily used by people without asking them to change their regular behaviors too much. Here at Vaporstream, we strongly believe in the importance of combining cybersecurity training with the right tools in the office. To learn more about our secure messaging platform, download our data sheet Doing Business at the Speed of Business or contact us to speak to a security expert.
Contributor: The Vaporstream Team