Should your business have a cyber security training program? The answer is yes, and it doesn’t matter what industry you are in or if your business is large or small. In fact, 43% of cyber attacks are against small businesses. Companies of all sizes in all industries are increasingly the targets of cyber attacks, and the cost to respond to an attack is rising every year.
In 2022, many different types of cyber attacks are predicted to increase, ranging from supply chain attacks to attacks on hybrid workplaces to more sophisticated ransomware attacks. Here are some of the cyber security facts you need to know [1]:
The fact is that your employees are the weak spot in your cyber security strategy. To complicate the issue, remote work increases that threat because employees working from home introduce new vulnerabilities into the equation. A cyber security training program is no longer a luxury; it’s a necessity.
Cyber security awareness training consists of educating your employees about the types of cyber threats, how to spot them, and how to avoid them to keep themselves and the company safe. By arming your workforce with knowledge, you can turn them from the weakest link in your cyber security strategy to effective participants in the war against cyber threats. The benefits you’ll receive far outweigh the effort you put into that training. Your workforce:
Customer confidence is another benefit you’ll see from avoiding cyber attacks. Even if a successful attack is easily managed, customers are paying more attention to attacks at every level. According to Ponemon Institute [2], a company’s share values dropped by 5% after the announcement of a data breach. Further, 31% of consumers stopped doing business with companies affected by breaches, and 65% lost confidence in those companies. Training your workforce to avoid cyber threats is a wise strategy for every company.
Your training needs to be more than offering a Cyber Security 101 Training course on a periodic basis attended by employees with an interest in cyber security. To be effective, you need a program that is incorporated into your company’s culture. Follow these steps to make sure your program meets your needs.
You need support from your leaders for two important reasons. First, your employees need to know that senior management thinks cyber safety is critical for the health and growth of the organization. Employees always pay more attention to the things their company leaders talk about, which encourages participation. You’ll also need support for setting policies and procedures that will reinforce your program.
The second reason is that you will need support for a training budget, and your employees will need to be allowed time to attend training and/or complete training modules. In fact, you may even need to make the training a requirement, regardless of how busy they are with other projects. Without leadership support, those things will be difficult to accomplish.
Therefore, your training should start with company leaders. They need to understand the cyber threat landscape, the repercussions from a successful attack, and the role that they and your employees play in preventing cyber attacks. You can then get their support for creating a program that will be effective in reducing your risk. It’s often helpful to give the program a name so that you can refer to it as a company initiative.
Every company is different when it comes to cyber security. Assess your systems to determine where you have the highest risks to help you prioritize the topics you need to emphasize in your training.
For example, is your company using a remote or hybrid workforce approach? If so, your risks are higher and you’ll need to put more emphasis on how employees access your systems, the devices they use, how they maintain login security, and more.
Several departments should be involved in creating a cyber security training program. You’ll need allies in Information Technology, Human Resources, and, if you don’t have standalone departments, those individuals responsible for legal and compliance.
You’ll need to keep key players aware of the progress you’re making with the training and the results you’re seeing. Keep the entire workforce involved by publishing articles in a company newsletter or posting updates in company online resources. Solicit feedback from the organization to determine what they like or dislike about the training and suggestions for improvement.
Choose a training approach that makes sense for your company. Consider your company’s size and culture to determine if your training should be in person or online. Also consider the type of terminology and examples that most of your employees will understand. Not everyone wants a gaming training approach, but the training does need to be high quality, interesting, and easily accessible.
Include an overview of the cyber security landscape and the impact a serious cyber attack can have on your company and your employees. Messages from senior leadership concerning the importance of taking cyber security seriously will also help to set the stage.
Cyber security awareness training can cover a wide range of topics. For each topic, be sure to include the actions the employee needs to take if they believe they’ve found a threat. These are the most important topics to include in today’s environment.
One of the most common ways hackers gain access to data is through your email system. Train employees on how to spot phishing emails. Reinforce the fact that they shouldn’t click on any link in an email or open an attachment unless they know the sender.
It’s also important to cover the topic of lateral phishing where a hacker takes over an email account of one employee and then sends phishing emails to others. It may be difficult to convince employees not to respond quickly to requests in an email from their supervisor, but they do need to stop and consider if the request makes sense.
Emphasize the importance of setting strong passwords and changing them regularly. Set a standard for using unique passwords for each account they access and using different passwords for personal and business accounts. Include information about the dangers of using open authorization (OAuth) to reduce the number of passwords they use. For example, many authentication processes will offer the ability to log in using Facebook or Google credentials.
Make sure that employees understand how and when they are accessing sensitive company data. Reinforce the need to limit access to that data and to avoid sharing sensitive data in an insecure manner or sharing with people who don’t really need access.
If your employees are working remotely, either as part of a hybrid workforce model or just from their mobile device when they are out of the office, it’s imperative that you address how to do it safely. Follow best practices for remote work, but what you teach will depend on how your remote workers are set up. You may need to discuss their devices, how they access central servers or the cloud, how they use WiFi, and more.
Train on physical security also. Leaving a laptop unattended while an employee gets a refill of a drink in a restaurant could be a problem.
You probably work hard to avoid shadow software, but if your employees use third-party software that is either sanctioned or unsanctioned, train on the threats they could be exposed to.
The cost of cyber security awareness training will vary depending on the size of your company and the partner you use to develop and present it. It could range from $10 to $60 per employee per year – and sometimes more. That’s a very inexpensive cost when you compare it to the alternatives.
For example, consider the statistics surrounding phishing attacks [3], a type of attack that is directly related to human error. These are just some of the effects experienced by victims of a successful phishing attack:
And, according to IBM, a data breach caused by phishing attacks cost victims an average of just over $4.5 million. That makes the cost of training look like a rounding error.
There’s no doubt that cyber security awareness is critical given the number of cyber security threats that exist and the consequences of being a victim. As cyber security experts, Access One can partner with you to help you assess your risks, monitor your systems, develop a disaster recovery strategy, and train your employees. To keep your company safe from threats, contact Access One today.