When you think about cyber security incidents, the images that are likely to come to mind are nefarious hackers breaking into a corporate network to steal data or a ransomware attack that shuts down systems at a bank or a hospital.
The fact is, research has shown that the majority of information security attacks stem from human error, not from malicious intent. With the first quarter of the year and the busiest hiring season underway, it's imperative that organizations put together a training plan for new employees who are not up to speed on cyber security basics, according to the National Cybersecurity Center (NCC).
The non-profit organization, which helps business executives protect against cyber attacks, said employee education and applying common sense practices needs to be a priority at companies -- and could end up saving them millions of dollars.
Here are steps organizations can take to provide employee education and training to mitigate attacks caused by human error, according to Jonathan Steenland, COO of the NCC.
Focus on content instead of topic
Most security awareness training is conducted by IT, which means it's focused on information security as a topic and doesn't emphasize the human element of the risk sufficiently. Effective training includes content that addresses the threat's psychological, behavioral, and economic aspects, Steenland said, with practical advice on how to spot scams and protect data.
Link the risks to employees' lives in the real world
Take staff demographics (age, technical proficiency, etc.) into account and create a program that focuses on employees' lives and the risks they face. "Most people can't fathom losing millions of dollars due to an organizational data breach," Steenland said. "But they can imagine having their personal bank account hacked and their money stolen. Make it personal."
Work with marketing to make training stick
Too many companies create cheesy, overly long security awareness training modules that seem designed to tick yet another compliance box, Steenland said. IT and security executives need to work with the marketing team to come up with bite-sized training modules with snappy taglines and engaging graphics. These should grab employees' attention and deliver a compelling call to action.
- Google doesn't want you to have to think about cybersecurity CNET
- 3 ways to kick-start your organization's cybersecurity TechRepublic
Follow up with testing
Let employees know there will be tests, such as a white-hat phishing expedition or an unescorted visitor in the workplace to see how employees use their new knowledge to spot scams and intruders. Followup testing also provides a baseline to measure the training's effectiveness, so that the company can gauge security program maturity going forward.
Recruit organizational influencers to drive acceptance
To get true buy-in on security awareness training, it's a good idea to enlist key influencers within the organization to serve as ambassadors for the program. "A 'train the trainer' effort can extend program reach beyond the original modules, and help make security awareness a core component of company culture," Steenland said.