The Importance of Employee Cybersecurity Training: Top Strategies and Best Practices

For those responsible for overseeing the data protection and cybersecurity of an organization, it’s a familiar storyline: “Employee opens email attachment and infects business with ransomware.”

Headlines to this effect are nothing new. Even the most advanced security solutions can’t completely guard against the sophisticated approaches hackers leverage to target individual users. All it takes is for an employee to open a single malicious attachment, or click one infected link, and the company’s entire cybersecurity posture is put at risk.

Because these actions are so simple and so common – opening an email, following a link to a website, et cetera – it’s more difficult than ever for enterprises to shore up their cybersecurity. However, with robust employee user training that helps drive home the importance of a staffer’s role in the overall data protection and cybersecurity landscape, businesses can reduce the risk that one of their users will open the door to a digital attacker.

Employees: A security weak link

For several years in a row, employee users have represented one of the weakest points in enterprise cybersecurity. CIO contributor Clint Boulton noted that this includes not only lower-level employees but also users at supervisory and management levels. Hackers are increasingly using more advanced techniques to dupe users and facilitate attacks.

In addition, Boulton found that many employees are being “lulled into a false sense of cybersecurity” when advanced data safeguarding and other protection tools are put into place.

While advanced software can certainly help considerably in the fight against breaches and data theft, businesses also need to put the necessary time and effort into proper security training rather than relying on cybersecurity software solutions alone.


“That’s a big problem that we’re seeing,” Theodore Kobus, BakerHostetler Privacy and Data Protection team leader, told Boulton. “Companies really need to focus on the key issues to help stop these attacks from happening in the first place.”

Current statistics back this up: Overall, phishing, hacking and malware accounted for the largest share of cybersecurity incidents, at 43 percent, while 32 percent resulted from human error and 18 percent from lost or stolen devices, Boulton reported.

Phishing, hacking and malware accounted for 43 percent of all cybersecurity incidents in 2016.

With such a high percentage of incidents arising from employees’ own actions, enterprises can no longer ignore the key role of users in the overall cybersecurity posture. Appropriate training, covering the suspicious elements to look out for as well as awareness of current hacking techniques, should be a top priority for organizations in any industry.

How to approach employee cybersecurity training

There are a few tips and best practices that organizations can incorporate into their employee-focused training to help support success:

Ensure employees understand the importance

As author and security consultant Anthony Howard noted for BitSight Tech, one of the first and most important steps in training is making sure that employees understand the critical importance of the process. While workers may be aware of the types of attacks taking place in the current cybersecurity landscape, it’s crucial that IT leaders and other department managers drive home the importance of training and of appropriate security steps on the part of users.

“Bottom line: It doesn’t matter what firewall or intrusion detection or VPN you use if your employees don’t understand the significance of data privacy and protection,” Howard pointed out. “No one in your organization will care about data security, privacy policies, intellectual property protection, or data breach until you tell them why it’s important, how it can impact them, and then tell them what to do to prevent it.”

Phishing, hacking, and malware attacks remain common for businesses of all shapes and sizes.

Raise awareness of current threats

Security training can be overwhelming, particularly if the organization has never engaged in this type of initiative before. Because the threat landscape is constantly changing, it can be difficult to discern where to start. A good beginning point, however, includes raising awareness of the current top threats, and ensuring that employees understand how these vulnerabilities could impact the organization and what actions they can take to reduce the chances of this taking place.

As Trend Micro highlighted in its 2018 Midyear Security Roundup, some of the top issues faced during the first half of this year include:

  • Serious software and hardware vulnerabilities, and associated patching challenges.
  • Ransomware.
  • Unwanted cryptocurrency mining.
  • Mega breaches, or data breaches that expose or compromise more than one million records.
  • Weak router security.
  • Business Email Compromise.
  • Fileless and small-sized malware samples.

Making sure that employees are aware of and understand top threats like ransomware and Business Email Compromise in particular can help considerably reduce the chances that these issues will impact the business’s security.

Focus on key strategies: Phishing and social engineering

It’s also important to educate users on the approaches that hackers use to support attacks like BEC and ransomware, phishing and social engineering in particular. Trend Micro’s Chris Taylor reported that attendees at the 2017 Black Hat security conference ranked phishing and social engineering attacks as the most time-consuming security concern.

“Phishing is among the most common tactics used by cybercriminals,” Taylor explained. “Employing social engineering tactics, they typically aim to trick the user into clicking on a malicious link or opening a malware-laden attachment. This in turn could lead to a ransomware download or even be the first stage in a more covert info-stealing operation designed to lift customer data or highly sensitive intellectual property.”

Making sure users are aware of these strategies can further support the business’s proactive cybersecurity posture, and put users in a position to identify suspicious activity that could point to an emerging or impending threat.

Include all users: Supervisors, consultants and vendors

It’s not just regular employees who can fall victim to social engineering, phishing and other hacking tactics – higher-ups, managers, partnering organizations and vendors with access to the company’s key platforms can present a weakness as well. This was a harsh lesson learned by Target after its 2013 data breach, which came as a result of hackers leveraging stolen credentials from the retailer’s third-party HVAC vendor.

For this reason, security training should be extended to all users with access to the business’s infrastructure platforms, including outside consultants and service providers as well as internal supervisors and managers. As Jerumai Chief Information Security Officer Rocio Baeza told BitSight Tech, this becomes an increasingly critical part of training as cross-collaboration between companies increases.

“Require cybersecurity policies to apply to employees, contractors AND service providers,” Baeza noted. “Companies oftentimes overlook contractors and service providers. This means that others can literally walk away with your data.”

To find out more about best practices for employee cybersecurity training and the role that advanced software solutions can play in an enterprise’s overall security posture, connect with the experts at Trend Micro today.
