An employee clicks on an email from their bank — they need to download new credentials. Suddenly, their system is frozen. And just as suddenly, your system is frozen. The new credentials were malware, sent by a cyberattacker, intended to look like an authentic banking email. Since your employee’s device was plugged into your network, your entire network has fallen prey to ransomware.
What’s your next step?
If you’re like many ransomware victims, you’re now in the position of having to either lose much of your data or pay tens of thousands of dollars in ransom.
Cybercrime is currently costing the Australian economy $1 billion a year and is expected to cost $6 trillion globally by 2021. The costs aren’t the ransom alone: it’s also going to take time to recover your data.
Employees can make mistakes. They are more likely to make mistakes if they aren’t aware that they’re making them. Cyber awareness has to be baked into a company from the top down, and cybersecurity training has to be thorough, consistent, and up-to-date.
If employees don’t know what to look for, they can’t identify threats — and there’s only so much a cybersecurity solution can do.
Here’s why security awareness training is so critical.
The Business Case for Employee Cybersecurity Training
Often, training is only completed as employees are onboarded, or sporadically when security events occur. This is not frequent enough. There are many benefits to regular employee cybersecurity training.
Through regular cybersecurity training, employees can both identify and react to threats. Reaction time matters: the faster a threat is identified and mitigated, the less damage it can do.
Employees will feel a greater level of awareness regarding safety and security measures. They will be more confident in managing their security because they know the company’s security protocols.
This will improve the way employees relate to their computer systems. Rather than shying away from computer-intensive tasks, they will feel confident and capable.
Ultimately, regular cybersecurity training has the following impact on business:
- Achieve better uptime. Data breaches and disruptions can take your business down for hours. A single data breach disruption can cost a company millions of dollars in lost revenue, depending on how reliant the company is on its network to continue processing transactions and information. The fewer data-related events, the more uptime the company can achieve.
- Reduce costs and overhead. Every data breach, no matter how small, is expensive. You will be able to reduce IT costs and overhead by protecting your data. Teaching your employees proper security will also reduce the amount of time your IT team needs to spend on tasks such as removing adware or malware from systems or resetting lost and forgotten passwords.
- Control and protect the organisation’s data. An organisation’s data is everything today, but it can be on hundreds or thousands of devices. With the Internet of Things and mobile device management, organisations need to be even more protective of the data that they are in charge of. A combination of employee training and technology is a powerful way to control and protect data.
- Adhere to internal policies. Internal policies keep the organisation safe from major security events. They also keep operations from slowing down. Consistent internal policies will prioritise both efficiency and security.
- Comply with all relevant laws and regulations. Many industries are facing data privacy laws and regulations. A violation can lead to millions of dollars’ worth of fines. Security training helps with regulatory compliance as well as with security itself.
- Contain threats. When threats do emerge, they need to be addressed immediately. An organisation that can secure and contain threats immediately is an organisation that will not suffer an excessive amount of damage before mitigating the threat.
Implementing cybersecurity training is a step towards building a better and sustainable culture of security.
This is about more than just reminding your employees to regularly change their passwords. As Tim Ferriss says, “Culture is what happens when people are left to their own devices.” Therefore, embedding a culture of security means helping your employees understand and embrace their role in keeping your organisation safe.
Topics Covered in Cybersecurity Training
Cybersecurity is growing more complex every day, and security awareness training has a lot to cover. This is one of the major reasons that cybersecurity training has to be handled regularly.
Amongst other things, cybersecurity training covers:
Corporate Data Responsibility
What responsibilities do employees have to protect the company’s data? What responsibility does the company hold to its clients, vendors, and employees? Underscoring the importance of company data responsibility helps: it gives employees a sense of accountability and a measure by which to gauge the seriousness of the security efforts.
Today’s documents can include a large quantity of personally identifiable information, confidential data and intellectual property.
Employees should understand how to manage their documents, including how to share them securely. They should also be able to recognise signs that something is wrong: if documents are loading slowly, go missing, or are being accessed by unauthorised persons outside the organisation, employees should treat this as a possible problem.
Data Incident Reporting SOP
What do employees do when they identify an incident? If an employee isn’t told what they should specifically do during a data incident, they may worry that they aren’t doing the right thing. They may hesitate to notify anyone of the incident, or they may assume that someone else has already taken care of it.
When it comes to security, reporting is critical: many data breaches and disruptions are ignored and consequently can get worse.
Password Management
Employees today often have it drilled into their heads that they need to create long, complex passwords. Still, they tend to reuse passwords or use similar passwords because it’s simply easier to remember them. Employees need to be given tools such as password managers and password generators if they’re expected to manage their passwords securely.
Authorised Software Downloads
Employees will often download and install software that’s meant to make their job easier, such as a PDF viewer that’s lightweight and easier to use than an internal PDF viewer.
While this solves a problem for them immediately, it can open up a company to substantial risk. Third-party applications are one of the most common sources of data breach and disruption. Employees should be directed to only use the authorised software packages.
How to Identify and Report Cybersecurity Threats
Do employees know how to describe a threat when they see one? Simply having the language and terminology needed to adequately describe a threat can go a long way toward resolving it.
Email, Internet, and Social Media Policies
Quite frequently, cybersecurity events are caused by poor email usage, web browsing, and social media. Attachments can be sent through email and social media, and files can easily be downloaded from the web.
Employees need to be aware of the threats, as well as the hallmarks of these threats. If they compromise a personal device, such as a laptop or a smartphone, they run the risk of compromising a network of devices.
Computer and Mobile Device Policies
More employees than ever are using their personal devices for work, which can be beneficial. It improves a company’s efficiency by leaps and bounds. Unfortunately, it can also present some security risks, as an employer can never know how secure an employee’s personal devices are.
Through rigorous mobile device management policies, it becomes easier to secure an employee’s devices.
Social Engineering and Phishing
Social engineering and phishing thrive on employees being in the dark about their company’s security policies.
A social engineering attack begins with an attacker, who can look like anyone, using strong social skills to interact with an employee. The attacker gains the employee’s confidence in order to acquire company information that only employees would know.
Phishing, on the other hand, is a kind of social engineering that uses email or malicious websites to acquire personal information. In March 2019, Evaldas Rimasauskas pleaded guilty to wire fraud after helping to orchestrate a scheme that misled tech giants Facebook and Google into paying him more than $100 million over the course of two years. The scam involved sending employees phishing emails that impersonated a real business both companies dealt with, Taiwan-based Quanta Computer.
No business is too large or too small for these scammers, so all employees should be educated on the signs of social engineering attacks and phishing emails.
The First Steps: How to Make Your Team Care about Cybersecurity
Cybersecurity matters. But your team will probably be focused on getting their jobs done. Often, IT security can seem to present a barrier to their jobs, and they may not properly understand how important cybersecurity is to the business. Training doesn’t just tell them how to secure their systems. It tells them why they should.
So how can you get started?
Both new staff and those who have been in the company for some time need to go through standardised cybersecurity training, and third-party training is ideal for this.
When training is done internally, gaps can remain because there is no one to notice them. Further, business processes and the culture of security can drift over time because there is no external reinforcement. Training has to be updated regularly, which is something internal staff often don’t have the chance to do. A third party that specialises in cybersecurity training can help.
Finally, gamifying employee training helps make the message stick. By rewarding trained employees and departments that go without major security events (or that report security events), you show that the company truly values improved security and the employees who are trying their best.
Most businesses run under a false sense of security. They assume that because they haven’t yet experienced a major security issue, they won’t experience one at all. But it’s just a matter of time. Every company, regardless of how small or how large, is vulnerable to major security events. The best thing you can do is prepare.
Through regular cybersecurity training, you can ensure that all of your employees are on the same page and that they are committed to helping keep your organisation safe. You can prevent costly, time-consuming data breaches and data disruptions from occurring.
Ensure you have the right technology and your staff have the right training. Contact Lanrex today to learn more.