Published in Fall 2023
Organizations face cyberattacks daily. These attacks disrupt operations, tarnish reputations and cost companies millions of dollars. As of 2023, the average cost of a data breach globally amounted to $4.45 million, according to IBM. It’s no wonder that every organization, no matter how big or small, needs cybersecurity awareness training to help combat cyberattacks.
Below are seven cybersecurity tips to help keep your company safe from threats.
1. Train Everyone, Including Executives, at Least Twice a Year
Your cybersecurity team and your preventive technologies are two layers of protection. Your employees are a third, equally important layer, and a layer that is refreshed only once a year will not hold: annual training is not enough.
Attackers target everyone in the organization, including C-level executives, to steal login credentials and get into their mailboxes. With an executive’s credentials, an attacker can send email from that person’s real address to employees, often in finance, instructing them to take immediate action, such as paying an invoice into a bank account the attacker controls. No matter where employees sit on your organization chart, everyone is a target.
The training should provide examples of situations in which employees need to make decisions about the proper action that should be taken. Training videos should quiz employees intermittently and prohibit them from proceeding to the next part until they answer correctly. The video should then explain the rationale for the proper answer.
2. Ensure Retention
Organizations that engage and train their workforce only annually or on an ad-hoc basis cannot effectively change behavior. The SANS Institute 2022 Security Awareness Report recommends that organizations communicate to, interact with and/or train their workforce at least once a month. Ensure the training program you provide is up to date with the latest recommendations for responding to suspicious activities.
3. Allow Flexibility in the Training
While a course may only last 30 or 45 minutes, people get interrupted and often don’t have time to finish a course at once. Make sure that if they have to leave in the midst of the training, they won’t lose their place and have to restart the program. They should be able to continue where they left off. And if they feel the need to go back and review an earlier section, they should be able to do so without having to start from the beginning.
4. Continually Test Employees
Your cybersecurity team should periodically conduct phishing tests to see which employees fall for the ruse. For example, the team could send a fake email purportedly from the HR department asking people to update their home contact information. Real attackers send exactly this kind of message, and it is not the contact information they are after.
When people go to update their information, they are first asked to log into the human resources (HR) system, and those login credentials are what the attackers capture, allowing them to sign in as the employee. These tests show you which employees are likely to fall for scams and serve as teaching moments. When an employee falls for a phishing email, they should receive an automatic notice that this was a test, that they failed it, and what they should have done instead. Employees need to learn that even when an email appears to come from someone within the company, it is essential to double-check with the actual sender.
Rather than replying to a suspicious email, employees should look up the purported sender’s address in the company directory and send a new message asking whether they sent it.
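The checks an employee is asked to make by hand, does the display name match the directory entry, does the domain match the company’s, do replies go somewhere else, can also be run automatically on incoming mail. The following is an added example, not code from the original article or any product it mentions; the directory, internal domain list and sample messages are constructed for the example, and the 0.8 similarity threshold for lookalike domains is an arbitrary choice.

```python
"""Sender-consistency checks for mail that claims to come from a colleague.

Added example; the directory, domains and sample messages are constructed.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed internal directory and domain list (assumptions for the example).
DIRECTORY = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw_message, directory=DIRECTORY, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons this message needs out-of-band verification (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Display name matches a directory entry, but the address is not that person's.
    expected = directory.get(from_name)
    if expected and expected.lower() != from_addr.lower():
        findings.append(f"name '{from_name}' is {expected} in the directory, not {from_addr}")

    # Reply-To silently redirects replies to a different mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # Sender domain resembles, but is not, one of ours (examp1e.com vs example.com).
    dom = _domain(from_addr)
    if dom and dom not in internal_domains:
        for internal in internal_domains:
            if SequenceMatcher(None, dom, internal).ratio() >= 0.8:
                findings.append(f"domain {dom} looks like internal domain {internal}")

    # The mail gateway already recorded a DMARC failure for the claimed domain.
    auth = msg.get("Authentication-Results", "")
    if "dmarc=fail" in auth.lower():
        findings.append("Authentication-Results reports dmarc=fail")

    return findings


# Constructed sample messages: a lookalike-domain spoof and a genuine internal mail.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Subject: Urgent invoice

Please pay the attached invoice today.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_sender(raw) or "no findings")
```

Run as a script, the spoofed message produces two findings (directory mismatch and lookalike domain) and the genuine one none. A hit does not prove the mail is malicious; it marks the message as one to verify through the directory address rather than by replying.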
5. Make Cybersecurity Awareness Part of the Company Culture
Cybersecurity must be a part of the company culture and discussed regularly in meetings so that it’s always on people’s minds. Whichever email client you use, Outlook or another, give employees a report button for suspicious email. When recipients are not sure whether a message is authentic, one click should forward it to the cybersecurity team, who review it and respond the same day, whether or not it was a threat. Make sure employees understand there should be no sticky notes with passwords near their desks, even when they work from home. In the office, display cybersecurity posters on the walls and publish cybersecurity articles on the intranet and in company newsletters to keep cybersecurity top of mind.
6. Teach Executives About Fines and Penalties for Data Breaches or Non-Compliance With Security and Privacy Laws
Fines for non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), passed down through acquiring banks, are commonly cited at $5,000 to $100,000 a month. In September 2022, the Securities and Exchange Commission (SEC) announced that Morgan Stanley Smith Barney LLC (MSSB) agreed to pay a $35 million penalty to settle SEC charges over failures to protect customers’ personal identifying information.
Non-compliance with federal laws can cost your organization dearly. As with other training-related business areas, sometimes the surest route to real change is to demonstrate the real impact on your bottom line that cybersecurity awareness can have.
If you want to do business with state or federal agencies, you may need to show that all your employees undergo annual cybersecurity compliance training. If you hold federal contracts and fall out of compliance, you could lose that business and the ability to bid on other federal work.
Different job roles may need different training. For example, sales and marketing people may need to know privacy laws like the General Data Protection Regulation (GDPR) and people who work in legal and compliance will need to know about incident response protocols and the process for notifying clients after a breach. Training requirements may vary based on roles and levels of responsibility. A privileged user, such as a system administrator, engineer or developer, may have different requirements than a standard user, who may have different requirements than an executive. The best way to keep track of who has taken your training and passed the test is with a learning management system (LMS) or a learning experience platform (LXP).
7. Provide Additional Cybersecurity Training for IT Professionals
While everyone at an organization needs basic cybersecurity training to be wary of threats like social engineering and malicious links, information technology (IT) professionals need specialized training to secure your network and the data you hold in the cloud. Even if they don’t work in cybersecurity, the IT team needs this training. For example, web developers need to follow secure coding practices; vulnerabilities in application code are an entry point into your network.
A number of vendor-neutral industry certifications cover cybersecurity across a wide range of technologies, tools and platforms, and some focus specifically on cloud security. CompTIA Security+, the Certified Information Systems Security Professional (CISSP), the Certified Cloud Security Professional (CCSP) and the Certified Information Security Manager (CISM) are among the more popular vendor-neutral certifications.
Organizations will also need specialized training to protect their data in the public cloud. Amazon Web Services (AWS), Microsoft Azure, Google Cloud and Oracle Cloud Infrastructure (OCI) each have different security models, tooling and defaults. Optimal Azure security looks different than optimal AWS security, which in turn differs from the best solution for a multicloud environment. Understanding the security practices specific to each cloud provider makes it easier to build a solution that keeps your data secure.
In Closing
Cybersecurity is everyone’s responsibility. Humans are the weakest link in your cybersecurity chain: Ensuring everyone takes cybersecurity awareness seriously can enhance an organization’s overall security posture and create a resilient defense against evolving cyberthreats. The most mature awareness programs are those that have support from leadership. To effectively engage leadership, explain the importance of continual cybersecurity awareness training and effectively managing your organization’s human risk.