As risks rise, most organizations short-change security training, basics
For some inexplicable reason, organizations regularly eschew cybersecurity training for their employees. When observed objectively, this sounds staggeringly absurd. While it’s perfectly understandable that every organization has to operate on a specific budget, it’s very odd that, when the money gets tight, IT almost exclusively gets the short end of the stick.
Statistically, proper cybersecurity measures always pay dividends in the long run. However, many CEOs work under the illusion that investing in cybersecurity is nothing more than buying air. As a result, the companies these CEOs run become sitting ducks in hackers’ eyes. Operating like that makes little sense, especially in today’s environment, where the average data breach costs $3.8 million and happens every 40 seconds or so.
Of all cybersecurity measures, training employees is definitely one of the most important. The fact is that cybercriminals hack organizations through employees, not by cracking through firewalls. That’s how many of history’s biggest data breaches took place, after all. All too often, a hapless employee opens a phishing email, exposing the organization to fatal financial and data losses.
Ignorance isn’t bliss: The ubiquity of undertrained employees
To make matters even worse, a security report conducted by Wombat revealed that about 30 percent of employees have no idea what phishing even is. Given the fact that 76 percent of businesses found themselves falling victim to phishing, this is hardly an acceptable state of affairs. And I won’t even mention how many of them leave their computer turned on or passwords written on paper notes just lying about in the office.
At some point, you have to face the facts. One organization is just as likely to be attacked as the next. When a hacking attempt takes place, you’ll want employees to be able to identify the telltale signs of such attempts. To be sure, it will cost you some money to properly train them. But it will ultimately save much more money by preventing cyber attacks from devastating your organization, rather than trying to pick up the pieces after a successful hack.
So, you realize that employees require some enlightening on cybersecurity. But what do they need to learn?
While they don’t need to be full-blown experts, employees really ought to know the basics of cybersecurity. Here are the most relevant points a good cybersecurity course should cover.
Different kinds of cyber attacks
Employees need to know what kinds of attacks can come their way. This means they should learn about phishing, ransomware, social engineering, malware and spam, all the types that people fall for the most. The more they know, the smaller the odds of something malicious seeping through the cracks.
They need to know it’s very common for social media to also carry spam and therefore malicious software. They should be informed about how to spot a suspicious email. It’s a good idea to provide real-life examples of these kinds of successful attacks. Bringing these concepts closer to them with the use of examples and exercises helps them solidify their existing knowledge.
Dangerous Internet habits
More often than not, people have low awareness of the consequences of their online activities. Good training would address this issue by explaining what the most common pitfalls of surfing the internet are and how much risk they expose both themselves and the organization to.
This entails the promotion of safe browsing. In other words, your staff should watch out for links they need to avoid. Mostly, this is a matter of staying away from links that the antivirus program flags as unsafe and links in phishing emails. Safe conduct on social media while using organization devices is also vital.
One of the most common passwords in the world is “password.” With that in mind, it’s easy to come to the conclusion that people have a pretty reckless attitude about passwords. This is something in dire need of rectifying to minimize the chances of a hack in an organization.
There are two key takeaways employees need to gain from training. One is the importance of password strength, specifically having numerals and symbols in long passwords. The other is how crucial it is to have a different password for every account or profile they make. With this knowledge, their passwords will be almost impregnable. And even if one does get compromised, it cannot be used to access other sensitive accounts.
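The two takeaways above can be turned into a simple self-check that a training course might hand out. This is an added example, not code from the article; the minimum length of 12 characters, the small denylist and the sample vault of two accounts are constructed assumptions.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 12  # assumed threshold for this example, not a figure from the article
# Constructed denylist; "password" is the example the article itself cites.
COMMON_PASSWORDS = {"password", "password1", "password123!"}


def evaluate_strength(password):
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("well-known password")
    return failures


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so the vault never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def is_reused(password, vault):
    """Return the accounts in the vault whose stored hash matches this candidate password."""
    matches = []
    for account, (salt, digest) in vault.items():
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            matches.append(account)
    return matches


def build_sample_vault():
    """Constructed sample vault: two accounts the user has already registered."""
    return {
        "mail": hash_password("Correct-Horse-42!"),
        "payroll": hash_password("Staple-Battery-7#"),
    }
```

A new password is acceptable only when `evaluate_strength` returns no failures and `is_reused` returns no accounts; the second check is what keeps one compromised credential from opening other accounts.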
Reporting potential attacks
After staff become proficient at detecting dangers, they need to put that knowledge into practice. With so many people working on so many different devices, they will probably detect an attack pretty quickly. When they come across a likely hazard, they need to know the proper reporting procedure.
That is to say, they should know how to spot a problem, who to talk to when they do, and where and how to report it. After that, the organization’s IT experts can do what needs to be done to resolve the issue.