Fixing the People Problem: Why Security Awareness Should Come First

It happens all too often. Imagine a Human Resources (HR) assistant receives an email from the CFO requesting an update to the company's bank account and routing number. The email appears legitimate, and the diligent employee rushes to handle the CFO's request, only to discover later that the message was a phishing email impersonating the CFO. These social engineering attacks have become increasingly sophisticated and difficult to detect. So what are your employees supposed to do?
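The red flags that awareness training teaches for a message like the one above (an executive's display name paired with an address outside the company domain or on a lookalike domain, a Reply-To that differs from the From address, and urgent banking or payment language) can be checked mechanically from the message headers. The following Python triage script is an added example and is not from the article; the company domain, the executive directory, and both sample messages are constructed for the demonstration.

```python
"""Triage an email for executive-impersonation red flags.

Added example, not from the article. It applies the checks security
awareness training teaches to a raw RFC 822 message:
  identity: display name of a known executive, but a different address
  domain:   sender domain outside the company, or a lookalike of it
  reply-to: Reply-To differs from From (replies go to the attacker)
  language: urgent payment / banking wording in subject or body
The company domain, executive list and sample messages are assumptions.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed CFO entry

URGENCY_RE = re.compile(
    r"\b(urgent|immediately|asap|today|wire transfer|routing number|account number)\b",
    re.IGNORECASE,
)


def _decoded(value):
    """Decode an RFC 2047 header value (or return '' when absent)."""
    return "" if value is None else str(make_header(decode_header(value)))


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _text(msg):
    """Concatenate all text/plain parts of the message as str."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw):
    """Return a list of 'category: detail' flags for a raw message string."""
    msg = message_from_string(raw)
    name, addr = parseaddr(_decoded(msg.get("From")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []

    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        flags.append(f"identity: display name '{name}' belongs to {known}, not {addr}")

    if domain and domain != COMPANY_DOMAIN:
        if _edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append(f"domain: {domain} is a lookalike of {COMPANY_DOMAIN}")
        else:
            flags.append(f"domain: {domain} is outside {COMPANY_DOMAIN}")

    _, reply_to = parseaddr(_decoded(msg.get("Reply-To")))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"reply-to: {reply_to} differs from From {addr}")

    hits = sorted({m.group(0).lower() for m in URGENCY_RE.finditer(_decoded(msg.get("Subject")) + "\n" + _text(msg))})
    if hits:
        flags.append("language: " + ", ".join(hits))
    return flags


def is_suspicious(raw):
    """Urgent wording alone is not enough; any identity/domain/reply-to flag is."""
    return any(not f.startswith("language:") for f in triage(raw))


# Constructed sample: the CFO-impersonation email from the scenario above.
PHISH = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: accounts-update@mail-relay.net
To: hr-assistant@example.com
Subject: Urgent: update our bank account and routing number today
Content-Type: text/plain; charset=utf-8

Please update the company account and routing number immediately with the details below.
"""

# Constructed sample: a benign message from the real CFO address.
LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: hr-assistant@example.com
Subject: Q3 headcount planning
Content-Type: text/plain; charset=utf-8

Can you send me the headcount numbers when you have a moment?
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, "suspicious" if is_suspicious(raw) else "ok")
        for flag in triage(raw):
            print("  -", flag)
```

The lookalike check matters because a sender on `examp1e.com` passes a naive "is it our domain?" glance; the same headers an employee is trained to read are what a mail filter can score automatically, and the two controls reinforce each other.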

There Is No Security Without Effective Company-Wide Training

Nearly half (46%) of security breaches result from human error, according to a recent Kaspersky Lab report. You can have the tightest security possible, the right mix of physical and technical safeguards in place, and well-documented security policies, but it takes only one convincing phishing email, phone call, or even in-person visit to give an attacker access to your network.

Social engineering attacks exploit employees' trusting nature and their desire to be helpful and compliant; the same traits that make them good colleagues are what put your company at risk. To fix the people problem, your company needs an ongoing security awareness training program that reaches employees at every level of the organization.

Top Topics to Cover in Security Awareness Training

Acknowledging that you need an effective security awareness training program is the first step. Next, determine which areas of your security posture need attention, then begin teaching across the range of security skills your company needs. Crucial topics to cover in an effective security awareness training program include the following:

  • how to browse the Internet safely

  • best practices to safeguard sensitive data (e.g., no sticky notes with passwords adorning monitors!)

  • regular reminders of company policies (e.g., BYOD expectations)

  • deeper dives into cybersecurity technology and threats, covering how malware works and how to handle sensitive data securely.

One-Time Training Won’t Cut It

When asked how he would spend a dollar toward cybersecurity, former U.S. CISO Gregory Touhill responded, “I would spend it on better training for my people.” The most important aspect of a well-informed and well-trained staff is ensuring that security awareness training is both ongoing and company-wide. This approach works to:

  1. keep security front-of-mind for all employees

  2. show that upper-level management has prioritized cybersecurity awareness

  3. help keep your company safe from data breaches and other cybersecurity incidents

Whether you deliver security awareness training onsite, through online training resources, or both, “cybersecurity training should be a core component of your overall information security strategy.” It is only a matter of time before your company becomes a cybersecurity incident statistic. Today, most cybersecurity experts would agree with the statement, “it’s not a matter of if but when a company will be the victim of a breach incident.” While there are no silver bullets, a robust cybersecurity awareness training program for network users is about as close as it gets.