Developing a company culture and ongoing training that values cybersecurity can help mitigate current and future cybercrime threats. Employees can be one of the biggest threats to a company’s cybersecurity, but with the right training, they can be armed with the tools to form a strong, frontline defense against cybercriminals.
We were all shocked by the recent security breaches at organizations like JP Morgan Chase and Equifax. If companies with high levels of security can be breached, then what about the thousands of smaller businesses across the world?
Although most enterprises have increased their budgets for IT security, it doesn’t seem to be having the impact CEOs had hoped for. When you take a hard look at the job description of most CISOs, you can readily see the problem. In today’s business environment, IT specialists are required to know everything there is to know about the different devices on the market. On top of that, each device must be properly configured and aligned with the overall data system’s architecture.
Businesses put themselves at risk by not performing adequate cybersecurity risk assessments and taking action to mitigate them, and by failing to regularly train their employees to recognize threats.
Many IT experts believe that one reason for the consistent failure of counter-threat intelligence is the fact that experts are always a few steps behind the hackers. Cyber threats become more sophisticated with each new breach. When critical data is compromised, customer data, financials, and intellectual property are freely available to attackers.
Effective security requires a unified approach. Appropriate technology and well-written policies are critical, but they cannot provide the entire solution. Recent studies have shown that it is the human element that is at the heart of most security incidents.
Verizon reported that the biggest threats to security are from external sources that prey on the habits of personnel. So yet again, the human element continues to be the weakest link in information security. They cite recent breaches in the healthcare industry as an example of the need for better training. This should not come as news to anyone involved in the information security industry. In my experience, it is the failure to provide employees with appropriate and ongoing training that creates conditions ripe for a security incident.
“The greatest cybersecurity risk to businesses is their own untrained, unprepared staff. Over 90% of all breaches go back to a bad email attachment, malicious link, or other employee mistakes,” said Tracy Hardin, president and founder of Next Century Technologies, an IT consultant and managed services firm in Lexington.
Years ago, hackers sent thousands of generic and crudely written phishing emails and hoped a small percentage would fall for them. Scam emails from Nigerian princes wishing to share their wealth and long-lost relatives with inheritances to bestow are a thing of the past. Today’s cybercriminals study their targets – using information readily available online – and tailor their scams to specific companies and individuals.
“Phishing is becoming more sophisticated,” Danaher said. “Compromised (Microsoft) Office 365 accounts from people you know are sending malware in attachments. Secure attachments are being used to trick users into downloading malware and giving up their passwords to sites like Office 365, Amazon, and Google.”
In a world where information is so readily available, the task for CISOs is now more complex. It requires better and more consistent training for employees and vigilance at every level. With ongoing training, employees can help identify outside risks in their inboxes or across the Internet.
The job of combatting cybercriminals mandates that we take the protection of our data as seriously as we do the protection of our homes and families. It’s not just the responsibility of IT specialists and CISOs. It’s everyone’s job to guard the “doors and windows” of our network and cloud storage systems.
Project manager at Cubed Mobile, who knows everything about time management and tough deadlines