If there’s one takeaway from this year’s National Cybersecurity Awareness Month, it’s that your employees are instrumental in reinforcing, or undermining, your organization’s security efforts. End-users have always posed the largest attack surface to businesses, but this year, with the move to remote work and Covid-19-related scams, the stakes are higher than ever for employees and their companies. If you have not done so, now is the time to make a concerted effort to train your employees on security best practices. Designing effective employee training takes skill – you need to know where blind spots lie, how to best engage your audience, and how to customize content around your industry’s needs.
Here Are iCorps’ Recommendations for Creating an Effective Employee Cybersecurity Training Program:
Address Common Employee Security Misconceptions
When it comes to cyberthreats, it can be difficult to separate fact from fiction. Stories of immense data breaches and inventive hacks muddy the water of what is and isn’t possible in the world of cybercrime. This creates its own unique challenge: employees are overly cautious about non-existent or misunderstood threats, and lax when it comes to real ones. In MediaPro’s 2020 “State of Privacy and Security Awareness Report,” their research team analyzed employee security practices and general threat awareness. Here are five of the most common security misconceptions they identified:
Proximity Leads to Infection
- 14% of employees believe that if their computer or mobile device was close to one infected with malware, theirs could also become infected. 39% also believe that leaving their computer unlocked could result in a malware infection.
You Can Store Sensitive Data Anywhere
- 69% of employees don’t think storing personal data on their work devices would violate company security policies. Additionally, 58% don’t believe storing on-site company data in unsecured locations would violate their policies.
You Don’t Have to Encrypt Data
- Half of employees surveyed believe there is little risk in having unencrypted data on their work device. This is surprising given that a lack of encryption is one of the main drivers for data breaches.
Authentication Isn’t Necessary
- 32% of employees believe there is little risk associated with not password protecting their laptop or mobile devices.
Compliance Isn’t Employees’ Responsibility
- Most employees don’t know which regulatory frameworks impact their business. MediaPro found that 62% don’t know if their organization needs to be compliant with the California Consumer Privacy Act, while 66% did not know if their organization needs to be compliant with Payment Card Industry Data Security Standard. Employees don’t need to be compliance experts, but they should have a basic understanding of their company’s respective privacy regulations and guidelines.
Recognize the Cost of Poor Security Training
Email is still the most common vector for security incidents such as ransomware, business email compromise, and brand impersonation scams. Even before Covid-19, businesses were struggling to secure their email. In Mimecast’s 2020 “State of Email Security,” researchers found that:
- 42% of businesses don’t automatically detect and remove malicious or unwanted emails that have reached employees’ inboxes.
- 40% are not monitoring and protecting against email-borne attacks or data leaks in internal emails.
- 39% don’t have a system to address email-borne attacks like malware and malicious links in outbound email, and 44% aren’t protecting against data leaks or exfiltration in outbound email.
The vast majority of companies have seen a steady increase in web and email spoofing threats, phishing attacks, and downtime following a security event. Yet over half do not provide awareness training on a regular basis. If more than a quarter of employees struggle to identify phishing attacks, and three in five can’t identify a social engineering attack, it’s only a matter of time before someone clicks something they shouldn’t. When that happens, will your business be able to afford the data loss, downtime, and reputational damage?
Drive User Engagement
While there are many ways to promote a more cybersecure working environment, these are our top four recommendations for improving employee engagement and retention:
Phish Your Employees
- When presenting cybersecurity training, emphasize that these are transferable skills. If employees use secure practices on their home computers and phones, they will be more likely to do so at work.
Reward Staff for Security Awareness
- Devise a means of measuring end-user cybersecurity awareness. Reward staff members who follow best practices and incentivize others to improve their security habits.
Engage Your Marketing Team
- Ask your marketing team to leverage social media platforms and tools to distribute helpful security content. From short instructional videos to concise how-to guides, there are numerous ways to boost engagement with creative content.
This post was originally published on the iCorps blog.