Is Your Cybersecurity Training Program Adequate?

A 2019 Ponemon survey of 2176 global SMBs reported the following:

–        66% of firms surveyed experienced a cyber attack within the last year

–        SMBs spent an average of US$1.2 million to recover from damage or theft or corporate assets, and experienced average downtime costs of US$1.9 million

• –        53% of firms surveyed reported that they had experienced a phishing attack, while 39% reported that they had experienced a cyber attack via malware – two of the top three threat over-all areas for attack
•  

With these sobering statistics in mind, are you sure your one-hour-once-a-year cybersecurity training program is adequate? A strong, evolving, and continuing cybersecurity awareness program is an essential part of every company’s cybersecurity program. Many firms still rely on a dry, annual PowerPoint presentation to review cybersecurity tips in order to be able to “check a box” on their compliance or cyber insurance documentation. But with the risks involved, and the fact that phishing and malware are among the most common ways for the bad guys to get into your organization via your staff, it is risky to cut corners on ensuring your team is adequately prepared.

Cyber threats are constantly evolving, so without a continuing – and tested – program in place, your company is risking exposure to attack. The days of the easy-to-spot “Nigerian Prince” emails are behind us. Modern day email attacks are well-constructed (and proofread!) messages that can dupe personnel who are not vigilant. Training and testing will help ensure that your staff are appropriately wary if a potentially fraudulent email hits their mailbox.

Training programs need to be engaging, and need to be continuous. In today’s fast-paced world, a one-and-done session will quickly be forgotten. Regular communications (e.g., a “tip-of-the-day” about cybersecurity, regular lunch-and-learn sessions, guest speakers, etc.) are great ways to remind and reinforce the security message. Cautionary tales are always useful, helping to bring a sense of immediacy to the threat of cyberattack. Incorporating a war story about how a potential breach was identified and prevented at your office drives home the message more effectively than discussing theoretical threats or hypothetical situations.

Since developing in-house materials may be beyond the reach of some smaller organizations due to personnel or budget restraints, you may consider online or training-as-a-service offerings which provide access to a wide catalogue of cybersecurity topics, and will evolve as the cyber threat landscape changes. There a number of players in the cybersecurity awareness training space that offfer interactive, web-based programs. When choosing any service, be sure to understand the subscription or volume-licensing model they use. Check if their programs can be customized to reflect cyber security issues unique to your company or industry. And be sure the following key areas are addressed:

–        Guidance on mobile device security (including mobile phones and laptops, remote passwords, care of USB devices and thumb drives)

–        Web awareness and identifying dummy sites, the importance of “hovering over” links before clicking on them to make sure you’re going where you expect to go, etc.

–        Strong password selection, rotation, and management for users

–        Physical security awareness – cybersecurity isn’t just about bits and bytes: are your staff on the lookout for suspicious visitors in the office, the forgotten passcard in the lunchroom, or the server room door that was left open?

–        The principle and value of clean desk and clean screen policies, especially in today’s open concept offices

–        And of course, vigilance about phishing scams and other social engineering attacks which remain the prevalent method of attack

Training-as-a-service offerings provide cybersecurity tutorials on these subjects and more, in a form that staff can watch anytime, anywhere. Staff are then tested on their engagement with the training materials through a short test after the session: successful tests are recorded against the staff members, making compliance tracking easier. Unsuccessful tests trigger follow-up on the system, with remedial materials and corporate intervention available as appropriate.

Complementing the on-the-spot assessments, unannounced tests are a great way of evaluating staff preparedness. Security consulting firms can construct compelling “ethical phishing” attacks on your company. These tests are structured to be as realistic as possible. Conducting regular tests will help sensitize your staff to be on the lookout for email communications that seem suspicious. Tests can incorporate references to current events in the office, invitations to install security patches, etc. It’s key to track the results of the tests to follow up with any staff members who are duped, as well as verifying that the overall hack success numbers are trending downwards. This will help validate that your training program is on the right track. Set and publish benchmarks and targets for your staff to achieve, also to help drive engagement. Forward-thinking organizations are even tying training achievements right into their performance management and compensation programs. All of these efforts will, ideally, help foster a culture of cybersecurity awareness among every member of your team. Cybersecurity is everyone’s responsibility, not just the compliance or IT team’s problem to worry about.

It’s also helpful to look at cybersecurity awareness as a value-add, not just an expense. Staff can be reminded that the best practices they adopt in the office will translate to better awareness and cyber safety at home as well. Your board and your investors will be interested in the efforts and investments you’ve made in ensuring your staff members are adequately trained. And won’t your customers feel more confident about you as a business partner if they know how seriously you take the security of their data through cybersecurity awareness programs and plans.

Much of this discussion has revolved around cybersecurity awareness and identifying potential issues. Training programs, however, should also be sure to touch on the appropriate response in the event of a successful breach. Staff members should know exactly what to do – and not do – if they discover a potential hack or disclosure. Personnel should know whom to contact, what should be documented, what their special responsibilities might be in the event of a breach.

No question, launching and maintaining a cybersecurity awareness program requires an investment of time and effort. But the benefits of training, and the risks of inadequate preparation make training one of the best investments you can make. If you’re interested in learning more, contact us to see how we can help.