People are the largest security vulnerability in any organization. Here's some expert advice on how to make cybersecurity training more effective and protect your business.
Employees are a company's greatest asset, but also its greatest security risk.
"If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities," said Eddie Schwartz, chair of ISACA's Cyber Security Advisory Council.
In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. "Most organizations roll out an annual training and think it's one and done," Simpson said. "That's not enough."
Instead, Simpson said organizations must do people patching: Similar to updating hardware or operating systems, you need to consistently update employees with the latest security vulnerabilities and train them on how to recognize and avoid them.
"Your people are your assets, and you need to invest in them continually," Simpson said. "If you don't get your people patched continually, you're always going to have vulnerabilities." Even in a company with hundreds of employees, it's worth training them as opposed to taking on the risk of a breach, he added.
However, it's important to empathize with your employees as well, said Forrester analyst Jeff Pollard. "People represent a large potential attack surface for every organization," Pollard said. "The reason I don't like to think of people as a security vulnerability is that it encourages a blame the victim mentality. Security teams exist to protect information, people, and the business."
When a user makes a mistake and clicks on an email that causes an infection, we often think that was the cause, Pollard said. But that's not actually the case—the organization was already under attack when the attacker sent the email, before it was opened. It also means every other security control in the path of that attack failed, he added.
Here are 10 tips for helping all employees understand cyber risk and best practices.
1. Perform "live fire" training exercises
The best training today is "live fire" training, in which the users undergo a simulated attack specific to their job, Schwartz said.
"Maybe they become a victim to an attack that's actually orchestrated by a security department or an outside vendor, and then they're asked to understand the lessons they've learned from that attack, and the implications on the business, on their personal lives and how they could have prevented it," Schwartz said. "And then they're asked to share that experience with their peer group."
ISC(2) performs regular phishing tests, in which the IT team sends out a fake phishing email to all employees across the organization, and gauge how many people click on it, Simpson said. Then, they can break that data down by departments and types of messages, to tailor training to problem areas. It also allows the company to show progression.
2. Get buy in from the top
The CISO needs to make the rest of the C-suite aware of the ramifications of a potential breach, Simpson said. "Typically, to have a good cyber plan, you have to have line items in the budget for people, hardware, or software, year over year," he said. "That means getting the CFO, CIO, and CEO on board."
3. Start cyber awareness during the onboarding process
"The first time employees come through the door, start building the mindset as all new hires go through security training from day one," Simpson said. "That way they hear from the time they start that cyber is important, and that they are going to get continuous training."
4. Conduct evaluations
Don't be afraid to perform evaluations of both employees and systems to find out how vulnerable your organization is to attack, Simpson said. "Until you do that, you won't know how bad or good your security posture may be," he added.
Create a plan for how best to communicate cybersecurity information to all employees, Simpson said, to get all departments on board with training and learning best practices. "It will help break down siloes—it creates alignment, and people working on it together," Simpson said.
6. Create a formal plan
IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks, Simpson said.
7. Appoint cybersecurity culture advocates
Tech leaders should appoint a cybersecurity culture advocate in every department at their organization, Simpson said. These advocates can act as an extension of the CISO and keep employees trained and motivated. "That's something that's often overlooked—use the resources you already have in the company beyond the IT team," he added.
8. Offer continuous training
Cybersecurity training should continue throughout the year, at all levels of the organization, specific to each employee's job, Schwartz said. "If you're an end user, there has to be training associated with the types of attacks you might receive—for example, attacks on your email or attacks that are oriented on the type of job you hold," Schwartz said. "If you're in IT, the attacks may be more technical in nature in terms of the attacks you might be seeing.
"It really is a case of understanding how the threat landscape continues to evolve relative to these attacks, and keeping technical security training current," Schwartz said.
9. Stress the importance of security at work and at home
Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace, but also at home, Pollard said. "Teach users about privacy, security, and how the lessons learned at work can apply at home and in their personal lives to give them a 'what's in it for me' they can apply all the time, not just at work," he added.
10. Reward employees
Reward users that find malicious emails, and share stories about how users helped thwart security issues, Pollard said. IT leaders should also empathize with employees who make mistakes, Pollard said: Many employees send or receive hundreds of emails per day, so asking them to avoid one of those can be difficult.
While these training tips can help, education is not a perfect solution, Schwartz said. "Even in the most advanced and most current education scenarios, there still are a percentage of attacks that will get through, and even in the most enlightening and useful educational programs, there still is anywhere from a 4-6 percent success rate, even after all of the training is done," he said. "So, training is just one aspect of defending the environment from advanced attacks."
By Alison DeNisco