It’s often said that employee training and awareness are a key component of any successful cyber security program. In today’s blog, we’ll explore why this holds true, and how to improve your programs.
For the most part, employees know where data is, how it’s used, and how to access it. With rare exceptions, they’ve also got good incentives to protect it, making them the key to your corporate security. However, they’re often the weakest link when it comes to best practices and being at the front lines of attacks.
Organizations are exposed to any number of cyber risks on a continuous basis. These include ransomware, phishing, insider threats, and an ever-changing cyber threat landscape. Cyber security training aimed at top threats today will likely be outdated tomorrow.
An old boss of mine once said, “never let the facts get in the way of a good story.” In this case, the facts more than support a not-so-good story, and they’re only getting worse. Despite the growing rate of cyber crimes, companies are only expected to spend about 9 percent on average per employee on cyber security training each year, according to a 2018 report from Juniper Research.
There were 8,854 recorded breaches between January 1, 2005 and April 18, 2018, according to the Identity Theft Resource Center. These breaches account for millions of records, with the price per record ranging anywhere from $120-$600. If we average these out at $360 per record, then the total price of these breaches is in the billions. Leadership will often talk about the cost of cyber security, but they seldom think about the cost of not having it.
Statistics show that a poor, or worse yet, total lack of a cyber security training and awareness program can have devastating results. Communicating a few best practices can go a long way in getting your employees up to speed with your cyber security program.
So how can you design cyber security training and awareness programs to keep employees up to date on the latest threat vectors, but also teach them basic security principles so they’re better able to respond when they occur? Let’s dive in.
Creating a Successful Cyber Security Training and Awareness Program
Start at the Top
A successful program always starts with the support and advocacy of senior leadership. Without support from the top, the program will be a shell, with no accountability or consequences for poor behavior.
Executives often recognize the need for cyber defense but have no idea what it entails, what it comprises, or how to implement it. In cases like this, it’s usually senior IT leaders who have to “manage up” to ensure proper funding and resources to secure the organization’s business objectives. Security is often seen as a matter of compliance and not a genuine business function.
Make Security Part of Your Corporate Culture
One way to improve security is by building it into the corporate culture. A cyber-aware culture can make all the difference in whether your program is a success or just another task. “Setting the tone” can be accomplished in several ways. One of the most effective ways is to train users as part of the onboarding process.
Setting expectations and effectively communicating them goes a very long way. Doing this not only supports your cyber security program, but also reduces cyber incidents. To adequately defend against threats, employees should live and breathe security.
An effective cyber security program should not be based on blame and fear. This is a dead end that certainly limits the success of any program. Additionally, a culture of blame encourages poor security. When employees fear reprisal they’re less likely to come forward when there is an incident. This could ultimately put the corporate infrastructure and its data at risk.
The security manager-employee relationship should be fostered in a way that employees will feel comfortable reporting issues or mistakes. Creating a culture where staff are rewarded for stepping forward is much more effective.
Develop a Security Policy and Update it Regularly
Another key tenet is having a policy to guide the effort. Policies are high-level edicts and aren’t meant to be technology or solution dependent, but they’re paramount for getting, and keeping, employees on track with security. Many small businesses don’t even have a security program, so the thinking often is, ‘what’s the need for a policy?’
However, in order to effectively establish and maintain a program, the organization should have a modicum of governance and a policy, or two, or three, in place. Without them, there are no guidelines for where you need to go when an incident does arise.
Unfortunately, even with cyber threats being front and center in the news these days, many employees still believe that cyber security is something for the IT guys to worry about. While this is true to a degree, the adage “it takes a village” is a much more appropriate stance.
If your workforce is 1,000 strong, then 2,000 eyes are certainly better at watching for events than just the few dozen in the IT department. Employees can form a sort of human network that supports a host of security activities, from patching to reporting suspicious email and even unwanted clicks.
Next, all employees, particularly senior management, should be involved in cyber security training. As always, leading by example is the most effective way to establish compliance with the rest of the employee base.
As IT consultant and author Anthony R. Howard said, “Bottom line: it doesn’t matter what firewall or intrusion detection or VPN you use if your employees don’t understand the significance of data privacy and protection.”
At the end of the day, the effect boils down to dollars and cents. Cyber crime is costly. The average cost to an organization is estimated to be $13 million per year, according to Accenture’s global study. In most cases, it takes anywhere from 50 days to half a year to detect a data breach. What must that cost a business? It should be pretty clear-cut that businesses need to invest in cyber security and the people who help defend them from attacks.
Without question, today’s cyber criminals present a threat to companies, organizations, and governments. Critical threats to organizations stem from a lack of adequate defenses and employees who are ignorant about cyber security principles and best practices.
Security should come from the top down and should be an integral part of the business operation. It’s a team effort; there’s no way around it. The IT staff might be the ones to do the heavy lifting, but it takes everyone to be on board, from the CEO to the cleaning staff. Having a well-established cyber security strategy, and a cyber security training and awareness program to accompany it, is key to the security of modern-day businesses. Without an effective cyber security training program, your employees can’t be expected to help defend your business from cyber threats.