Cybersecurity awareness training is a critical component to your security hygiene. The most effective training programs are offered frequently and use available frameworks, focus points, tools, and tactics to build a culture where cybersecurity is embraced, not avoided or shunned.
To begin with, ensure that it is being offered; when it is, make it enticing, educational and attention-grabbing. When the security firm ESET conducted a Google survey on cybersecurity, they asked, "How much cybersecurity has your current employer provided to you?" one third of respondents replied none, another third answered some, and the remaining respondents were split between little and none. Translation: there's not nearly enough cybersecurity training taking place within the workplace, given the clear and present danger imposed by cyber threats.
Such results are not encouraging given that we live in a world where data does not seem safe anymore, particularly when there are so many new gateways for malicious actors to gain access. This is the conundrum of IT security leaders: don’t become a story you read about in the international free press as a victim of a cyberattack.
In fact, here’s a few samples of cyberattacks in the recent past:
Nearly every day there’s a new story of some version of a cyberattack on large and small companies. This contributes to the case for employee training that builds awareness and helps prevent any behavior that might open a gateway to a hacker or leak sensitive data. Those actions could not only be costly, but incompliant.
In addition to training, a culture with competency is essential. A culture of security is the goal, but not an easy one to create. Employees are at the core of so many initiatives to improve or create a specific corporate culture. Now here’s one more.
However, a culture of cybersecurity goes a long way in that it prevents problems (sometimes very big ones) while averting loss of intellectual property and any financial setback from the aftermath of a breach. A rock-solid corporate culture of awareness, coupled with a tacit discipline towards data and its security, is an asset, one that’s worth continuously working at.
So how can you devise an effective cyber culture and competency?
According to Deloitte, "Create a corporate-wide cyber mindset. There has to be awareness, education, and training throughout the organization to combat cyber risk. You may have top-notch hardware and software to protect you against cyber intruders, but it might take only one unaware employee opening an attachment with malicious software to shut down your systems."
There's a spirit of trust that is needed between parties who share data and information. Consultant McKinsey outlines them as between the C-Suite and a board of directors, between business units of an organization, between customer and vendor, and between company and government. Says McKinsey: "Technology alone cannot hold cyberattacks at bay. A culture of trust is also important for corporate cybersecurity initiatives to succeed."
The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework that is updated regularly. The framework consists of three parts: the framework core, the implementation tiers, and framework profiles. The core is a curriculum of cybersecurity activities, outcomes, and references common across business sectors and critical infrastructure. It provides specific guidance for developing individual organizational profiles to help an organization align and prioritize cybersecurity activities with a company's mission, risk tolerances, and resources. Implementation tiers provide structure for organizations to manage cyber risk and achieve cyber objectives. It provides flexible guidance to a cyber program and may be incorporated into training.
"Live fire" exercises train workers to participated in a simulated attack specific to their job. For example, an IT cyber team may send out mock phishing emails and see who responds and how they respond, and then train according to results. It brings the proximity of likely compromises to those who may be exposed and trains to alleviate that risk.
Those are the words of Michael Kaiser, executive director of the National Cyber Security Alliance. Employees may be remotely aware that much data within their cognizance is sensitive, to some extent (if not very), and should not be shared. But many employees feel that security measures are encumbrances and wrongly share corporate information anyhow. A corporate culture, nurtured by continuous education and collaboration from IT experts and leaders, helps counter such behavior by building an atmosphere that disallows any data from migrating elsewhere.
Cybersecurity training is often dreaded, mostly because it's so dry and seemingly repetitive. How can you make it more palatable? Mix it up with some different tacts. Some companies actually hired comedians to instill humor into the curriculum. One company interviewed a hacker on video and shared it with their employees. Another firm didn't just talk about phishing but introduced a voice-version of phishing called "vishing" that most had never heard of.
The loom of cyber threats has hardly diminished. We can only expect more. And not necessarily more of the same, but probably different ones in different places by different people. Remember that often a cyberattack has its roots from an insider, or from inside behavior that was improper, incompliant, or just plain ignorant.
For this very reason, impactful cyber awareness training is crucial as part of a pervasive corporate culture where most employees understand the risk of a cyberattack, the damage it may do, and the ways it can be prevented. Carefully designing a curriculum that is comprehensive and covers many bases is very important. Emphasize the external and internal influences that affect the cyber hygiene of your organization. For example, vendors—first, second and third tier—are all targets and therefore may affect cybersecurity. Employees need to know and understand this connection.
Don’t forget to make it palatable so that the training will be enjoyed rather than loathed so its message will be more likely to stick in the minds of the employees; they are the organization’s DNA when it comes to networks and their usage. Searching for creative ways to make training fun, entertaining, and at the same time informative will pay off when cyber threats are unrelenting.
To learn more about security awareness training, be sure to attend the InfoSec World Conference & Expo where we'll be hosting sessions on this topic and others.