Can you imagine what the implications would be if the personal and financial information of every employee in your company were leaked to an intruder? The 4,000 employees of Scotty’s Brewhouse sure can. They were the victims of an email phishing scam where company-wide W-2 forms were sent to an imposter pretending to be the CEO (whoops!)
But Scotty’s Brewhouse isn’t the first or only company to be burnt by the attacks of phishers, hacktivists, and cybercriminals. And phishing isn’t the only strategy these computer thugs use, either. You see, your company (and just about every other company in the world) could be vulnerable to malware, ransomware, spam, hacking and social engineering, too.
Okay. You’re officially alarmed and a little confused, not to mention one sentence away from screeching down the hall to Human Resources to request emergency cybersecurity training for employees – yes, all employees. But when you get there, what will you say?
Here’s what you need to know:
- Why should you offer cybersecurity awareness training for employees?
- Security awareness topics to include in your employee training
- Top tactics and best practices for cybersecurity training for employees
Why should you offer cybersecurity awareness training for employees?
The argument for educating employees on cybersecurity is a simple one: if employees don’t know how to recognize a security threat, how can they be expected to avoid it, report it or remove it? They can’t. But if you’re looking for some jaw-dropping statistics to back you up, you’ll find those by the plenty, too.
For example, the 2019 State of IT Security Survey found that email security and employee training were listed as the top problems faced by IT security professionals. Yet, more than 30% of employees surveyed by Wombat Security Technologies didn’t even know what phishing or malware was. Which is probably why scams like the Business Email Compromise (BEC) result in whopping losses of over $3 billion (according to an FBI public service announcement, June 14, 2016).
Hang on. Don’t these companies have firewalls and security software? They do, but it’s just not enough. Employees, not technology, are the most common entry points for phishers. And when it comes to companies, well, let’s just say there are many ‘phish’ in the sea.
Now, this doesn’t mean that employees are conspiring to bring about the downfall of the company. Nothing that sinister. But as humans, employees make mistakes, they’re trusting of fake identities, tempted by clickbait, and vulnerable to other sneaky tactics used by criminals to gain access to company information. Unless, of course, your employees have participated in cybersecurity training programs!
Your employees need online cybersecurity training to protect themselves and the company against cyber attacks. By making employees aware of security threats, how they might present, and what procedures to follow when a threat is identified, you’re strengthening the most vulnerable links in the chain. So, phishers are more likely to move on to someone else’s waters and leave yours in peace.
Security awareness topics to include in your employee training
You know why cybersecurity training for employees is important. Now, you want to know how to implement it. Let’s begin with the most important topics your security awareness employee training should include.
Different forms of cybersecurity threats
For employees to be able to spot and prevent security breaches, they’ll need a basic education in the different ways that cybersecurity threats can present themselves. For the most part, this includes spam, phishing, malware and ransomware, and social engineering.
To start with, provide cybersecurity training videos to help employees identify spam content that could be hiding malicious software. It’s important to explain that spam isn’t only found in emails, but in social media messages and invitations, too. For example, a LinkedIn ‘invitation to connect’ can be carrying a virus.
Then, offer phishing training for employees both new and old. Provide examples of real phishing scams that help employees understand what a falsified email might look like, who it might come from, and what kind of information it might ask for. Usually, these emails request usernames, passwords, personal information or financial information that allow criminals to access company programs or steal money.
Your training should also include cybersecurity tips for employees who might be tricked into downloading malware or ransomware. Malware is any virus or other software that attacks and damages the functionality of a device. Ransomware leverages a company’s website or other platforms to extort money from a third party. Both are major threats to any company.
Finally, social engineering should be a mandatory topic in online security awareness training for employees. While the word ‘engineering’ might throw you off, this training topic is actually quite simple. Social engineers disguise themselves with fake but trusted online identities, and then trick your employees into handing over information that they shouldn’t.
The importance of password security
Today, people need passwords for unlocking their devices, for logging into their accounts, and for every work-related application. It’s a lot to remember, so many people set generic passwords that are easily unraveled. This is why online cybersecurity awareness training should help employees understand how important passwords are.
Explain that passwords are the first line of protection to keep sensitive information safe and hackers at bay. Then, show employees how to set strong passwords that incorporate a combination of letters, numbers, and symbols.
Email, internet, and social media policies
The email and browsing habits of employees can leave a company wide open to malicious software, which attacks company applications and social accounts, steals information, and possibly even money. So, it’s crucial that cybersecurity training for employees in your company includes policies and guidelines for using email, internet, and social media.
Include policies on the types of links that can be clicked on, and those that shouldn’t. For example, suspicious links from unknown people or organizations, links contained in unexpected emails, and links that have been flagged as untrustworthy by your antivirus program, should not be clicked. Outline the rules for internet browsing and social media usage on company devices, and for using company email addresses.
The protection of company data
Every company has its own policies on the protection of data, but don’t assume that all employees are aware of these policies, or that they understand them. Information security training for new employees should explain the regulatory and legal obligations of data protection. Then, offer regular refresher courses so that all employees are up to date on the rules and policies around data protection, even when they change.
How to identify and report cybersecurity threats
Employees are your eyes and ears on the ground. Every device they use, email they receive, and program they open may contain clues about a lurking virus, phishing scam or password hack. But, to really mobilize your employees as a force against attacks, you’ll need cybersecurity awareness training for all employees.
First, use this training to help employees become aware of unexplained errors, spam content, and legitimate antivirus warnings. Then, educate them on the process they should follow to report these red flags, as well as the right people to talk to about suspicions of a cyber attack.
Top tactics and best practices for cybersecurity training for employees
The purpose behind cybersecurity training for employees is always to alter their habits and behaviors, and create a sense of shared accountability, so that the company is safe from attacks. It’s not difficult to see that a once-off knowledge dump about the topics outlined above is just not enough to achieve this. Instead, you’ll need to follow these best practices.
Make online cybersecurity training mandatory for new employees
Creating awareness about online security threats needs to start on Day 1. So, incorporate cybersecurity training into your onboarding program, and make sure that it covers all of the most important topics. Incorporating policies and rules about data protection and internet usage into the employee handbook can help, too.
By starting at the onboarding stage, you’ll show new hires that the company cares just as much about cybersecurity as it does for job duties and strategy. As a result, they’ll understand the importance of careful online behavior from their first week of work.
Update and repeat training regularly
For most people, grabbing their mobile phone is the first thing they do when they wake up. Why? Well, it’s a habit. And, according to research (“Habit Formation and Behavior Change”, B. Gardner and A. Rebar), repetition is a key step in forming a well-entrenched habit.
So, when it comes to online cybersecurity training for employees, make sure to offer it often, and with plenty of opportunities for practicing safe online behaviors in between. Continuous training will also allow you to incorporate policy changes and information about the latest scams into your training. Much like technology, cybersecurity is continuously evolving, and staying up to date could be the difference between keeping your company safe or not.
Give employees a cape
Employees might be the primary target for cyber attacks, but they’re also your first line of defense. And keeping your defense strong will take the whole company, working together as one. So, you’ll need to earn the buy-in of employees, and make cybersecurity a core element of the company culture.
To do this, make employees feel like cyber heroes. Using a powerful enterprise learning management system (LMS), incorporate gamification tricks that make them feel excited, recognized, and appreciated for their security training achievements.
Then, when more threats start to be identified before they turn into problems, send out a company-wide email to let employees know. Showing them how much their training has helped the company is bound to encourage further learning in this area.
Conclusion
As you’re reading this, your company could be falling prey to a cybersecurity attack. And the chances are that it could have been avoided if one employee, on one computer, had known what to look for. So, when it comes to cybersecurity training for employees, the only question left to be asked is, are you doing enough?
