Employees are a company’s greatest asset, but also its greatest security risk. Looking at security breaches over the last five to seven years, it is clear that people, whether through the accidental or intentional introduction of malware, represent the most important point of failure in terms of security vulnerabilities.
Rolling out an annual training is not enough. Organizations must do "people patching": just as hardware and operating systems are updated, employees need to be consistently updated on the latest security vulnerabilities and trained on how to recognize and avoid them.
Here are some ways to help all employees understand cyber risk and the best practices to follow:
- Create a formal education and awareness plan – Organizations should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks.
- Start cyber awareness during the onboarding process – Start building the right mindset in all new hires by having them go through security training from day one. Make it clear that, alongside other business, cultural and operational guidelines, cyber security guidelines are equally important, and that they will receive continuous training on them.
- Offer continuous training – Cybersecurity training should continue throughout the year, at all levels of the organization, and be specific to each role. It is equally important to keep this technical security training current as the threat landscape and the attacks it brings evolve.
- Stress the importance of security at work and at home – Leaders and trainers should help employees understand the importance of cyber hygiene not just in the workplace, but also at home. Teach users that it is not only the organization that is at risk: their own personal and private data can also be compromised when security guidelines are neglected. They need to understand that remaining protected at home or while travelling is just as important as at the workplace.
- Periodic evaluations – Similar to periodic training, organizations should perform evaluations of both employees and systems to find out how vulnerable the organization is to attack.
- Conduct “live fire” exercises – The best training today is “live fire” training, in which users undergo a simulated attack. For example, the IT team sends a fake phishing email to all employees across the organization and gauges how many people click on it. The data can then be broken down by department and by type of message to tailor training to problem areas. It also allows the company to show progression over time. Through such an exercise, even employees who fall victim learn the lessons of that attack, its implications for the business and for their personal lives, and how they could have prevented it.
- Designate cybersecurity guides – Beyond the IT team, the organization should appoint a cybersecurity guide in every department who can act as an extension of the CISO and keep employees trained and motivated within that department. There should be a periodic sync-up with these guides so that they themselves stay current with the changing threat landscape and the organization’s cyber security strategy.
- Reward employees – Reward users who find malicious emails, compromised systems, suspicious behavior and the like, and share stories about how they helped prevent security issues.
- Buy-in from top management – Last but not least, the CISO needs to make the rest of the C-suite aware of the implications of a potential breach. Along with getting budget for other items, the CISO has to have a line item in the budget for people. Getting the CFO, CIO and CEO on board with such an initiative is required for fruitful results.
While these steps can surely help, the organization also has to maintain other safeguards and protection mechanisms to detect, prevent, mitigate and recover from any cyber-attack. Building a cybersecurity-aware culture among employees is just one aspect of defending the environment from advanced attacks.
By: Aman Chhikara