The Dos and Don’ts of Cybersecurity Training

When it comes to cybersecurity, the weakest links in any organization — regardless of its size or complexity — are the people who work there.

But the good news is that you can reinforce those shaky bonds with an investment in effective training programs.

Business owners who run professional services firms (lawyers, accountants, financial advisors, mortgage brokers), where client data privacy is paramount, can't afford to skimp on securing their IT systems.

Cyberattacks are becoming more common in smaller organizations. Statistics Canada data shows that in 2017 almost one in five small companies experienced an IT security breach. Just three years later, 28 per cent of the data breaches analysed in Verizon's 2020 Data Breach Investigations Report involved small businesses. The two figures measure different things (a share of companies versus a share of breaches), but both point the same way.

Small businesses are easier targets for cyberattacks because they often don't perform security audits or put the resources in place to protect themselves, Erik Knight, the founder and CEO of SimpleWAN, tells Forbes magazine.

When it comes to security breaches, one of the best ways to mitigate risk is by effectively training users, but this is an area where many organizations fall short. At ProTek IT, we’ve helped many business owners bulletproof their organizations through custom training programs.

Here’s our list of dos and don’ts when it comes to cybersecurity training.

Don’t get distracted by location

With workers around the world largely confined to their home offices, many small and medium-sized businesses are understandably worried about the impact a scattered workforce might have on their security.

But what they shouldn't forget is that people, not locations, are the real vector for breaches, and it makes little difference where in the world an employee is sitting.

The bread-and-butter scams of cybercriminals — think social engineering and phishing attacks — rely on individuals for entry to company systems, and their hit rate won’t vary much whether the target is down the hall from colleagues or hundreds of kilometers away in another city.

You'd be amazed how much information a criminal can extract from an unprepared employee who thinks they're helping a potential client, or how often trusting workers click an innocuous-looking link from a spoofed or look-alike sender address.

The key to reducing these kinds of lapses is appropriate security training, and that will be just as true once people are back in the office, whenever that day may come.

Do foster a culture of openness

As part of your IT security training, you need to let your employees know that there’s no issue too small to check in about.

At ProTek IT, we're fans of the old adage that an ounce of prevention is worth a pound of cure. The more your workers are willing to share about what makes them nervous or uncomfortable in the cybersecurity realm, the more proactive you can be about plugging gaps in your defences.

Don’t play the blame game

On a related note, there is no value in shaming employees who do come forward to report security concerns or their own mistakes.

It’s never going to be easy for someone to admit that they didn’t understand training materials or that they’ve clicked on something in error, and a dressing down from management will do little to help. In fact, it’s more likely to be counterproductive in the longer term.

When a cyberattack succeeds — and, unfortunately, they will from time to time — the last thing anyone wants is for the breach to go on unchecked because staff were too frightened to say what they knew about it for fear of retaliation.

Do test regularly

There’s not much point in having the best cybersecurity training regime available if your employees absorb none of the information.

I'm sure we can all think of a time when we sat vacantly through a mandatory session, collected the checkmark for attendance and immediately forgot all of the content.

Regular, targeted testing encourages attendees to take a more active approach to their learning and helps drive home the key messages you want to get across.

What's more, regulators, clients and cyber insurance providers all place a high value on the security of private data and are increasingly interested in what businesses are doing to minimize the chance of a breach. Our testing not only lets us validate your security posture, it also provides quantitative evidence of progress over time.

Don't forget feedback

Reinforcing testing with feedback is the final step in a comprehensive training program.

For instance, at ProTek IT, we’re able to simulate phishing attacks using company address books. We then collect statistics on which users opened or interacted with the messages and how much private information each person shared with our fake scammer.

Some clients like this kind of testing done annually, while others prefer monthly drills to keep everyone on their toes.

Again, the focus of feedback should not be on lambasting staff for mistakes. Instead, we see this as an opportunity to remind workers of the cybersecurity concepts that will improve their performance next time around, when the attack might just be a real one.
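To make the "evidence of progress over time" from the testing section and the per-user statistics described above concrete, here is an added example of how simulation results can be scored. This is illustrative code written for this page, not ProTek IT's tooling; the event log is constructed, and the event names ("delivered", "opened", "clicked", "submitted", "reported") are an assumption modelled on what most phishing-simulation platforms export.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample event log, not real client data. One tuple per event:
# (campaign, user, event). Assumed event names: "delivered", "opened",
# "clicked", "submitted" (typed credentials into the fake login page) and
# "reported" (used the report button or forwarded to the security mailbox).
SAMPLE_EVENTS = [
    ("2021-01", "alice", "delivered"), ("2021-01", "alice", "opened"),
    ("2021-01", "alice", "clicked"),   ("2021-01", "alice", "submitted"),
    ("2021-01", "bob", "delivered"),   ("2021-01", "bob", "clicked"),
    ("2021-01", "carol", "delivered"), ("2021-01", "carol", "reported"),
    ("2021-01", "dave", "delivered"),
    ("2021-02", "alice", "delivered"), ("2021-02", "alice", "clicked"),
    ("2021-02", "bob", "delivered"),   ("2021-02", "bob", "reported"),
    ("2021-02", "carol", "delivered"), ("2021-02", "carol", "reported"),
    ("2021-02", "dave", "delivered"),  ("2021-02", "dave", "opened"),
]


@dataclass
class CampaignStats:
    delivered: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    def rate(self, count: int) -> float:
        # Every rate uses "delivered" as the denominator. "opened" is
        # deliberately not used: it relies on a tracking pixel that many
        # mail clients block, so it under-counts and skews any ratio
        # built on it.
        return round(count / self.delivered, 3) if self.delivered else 0.0


def campaign_stats(events):
    """Count distinct users per event type per campaign."""
    seen = defaultdict(lambda: defaultdict(set))  # campaign -> event -> users
    for campaign, user, event in events:
        seen[campaign][user if False else event].add(user)
    stats = {}
    for campaign, by_event in sorted(seen.items()):
        stats[campaign] = CampaignStats(
            delivered=len(by_event["delivered"]),
            clicked=len(by_event["clicked"]),
            submitted=len(by_event["submitted"]),
            reported=len(by_event["reported"]),
        )
    return stats


def trend(events):
    """Per-campaign (click rate, submit rate, report rate) in date order.

    Progress means click and submit rates falling while the report rate
    rises; a falling click rate alone may just mean the lure got weaker.
    """
    return [
        (c, s.rate(s.clicked), s.rate(s.submitted), s.rate(s.reported))
        for c, s in campaign_stats(events).items()
    ]


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` campaigns: the people
    targeted feedback (not blame) should reach first."""
    clicks = defaultdict(set)
    for campaign, user, event in events:
        if event == "clicked":
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    for campaign, click, submit, report in trend(SAMPLE_EVENTS):
        print(f"{campaign}: click {click:.0%}  submit {submit:.0%}  report {report:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Two design choices matter here. First, the report rate is tracked alongside the click rate, because an employee who reports a suspicious message is the outcome the training is trying to produce, and a falling click rate on its own can simply mean the lure was less convincing. Second, the repeat-clicker list exists to direct follow-up training, in keeping with the point above that feedback is a reminder rather than a reprimand.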

At ProTek IT, we have a suite of more than 30 security awareness and training modules from which our clients are able to build a top-notch education campaign tailored to their individual needs. We’d love to hear from you if you want to know more about how we can help.