Let’s face it, when it comes to cybersecurity, humans are an unpredictable liability. According to Forrester’s “Reconfigure Your Human Firewall” report, only one-third of employees receive cybersecurity training and under half are aware of their organization’s policies.
Non-technical employees are perceived as an organizational weak link and are consistently targeted by attacks. For example, many ransomware attacks target HR departments, since malware can be disguised as an unsolicited resume. Europe’s biggest manufacturer lost 40 million euros to one simple email that leveraged a single employee. With proper policy, procedure, and training, these incidents can be avoided. Of course, it’s one thing to talk about involving all personnel in security and another to achieve it. True “defense in depth” requires multiple interrelated best practices.
Because many companies fail to address these risks on their own, just about every cybersecurity regulation requires security awareness training.
The most common regulations requiring training include:
- PCI DSS
- GLB Act
- NERC CIP
Essential Cybersecurity Training Best Practices
Ideally, all personnel should receive basic information security training as part of their onboarding. This not only makes the details more memorable but makes it clear to them that security will be taken seriously throughout their tenure. Ongoing education about new and emerging security issues should be provided as well.
Create clear and enforceable policies and make sure employees know them well. These one- or two-page policies should not only explain how an employee is to comply but also why they play a vital role in cybersecurity. Bear in mind that people pay less attention to issues that don’t directly affect them. Making sure they understand the negative impact of poor cybersecurity on both the business and themselves is crucial to getting them to actively participate in proper practices.
The following key aspects should be made clear in the written policies and procedures covering employee cybersecurity awareness.
Responsibility with Company Data
Follow the Principle of Least Privilege – users should have access to only the data they need. Have clear rules for acceptable use of information assets, and spell out how to properly handle sensitive information in both paper and electronic form.
Solid and Familiar Document and Notification Procedures
Each employee should know whom to report an incident to and exactly how to do it.
Password Management Rules
Require password changes periodically. Enforce a minimum password strength. It would be in your best interest to jump right to two-factor authentication where possible.
Phishing emails, intended to collect passwords and other information, usually only look official at first glance. Train your users to recognize the signs of a scam email and avoid attachments.
While personnel will inevitably need Internet access, they should avoid suspicious links. Network management software can block some personal browsing and neutralize mistyped URLs before they reach a look-alike site.
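The signs of a scam email that users are trained to spot can also be written down as rules, which helps a training team explain them consistently. The following script is an added example and not code from the original post or from Sedara: it scores a message on four visible indicators (a display name that claims the organization while the address is external, a look-alike sender domain, link text whose host differs from the real target, and a risky attachment type). The trusted domain, the attachment list, and both sample messages are constructed assumptions.

```python
"""Heuristic checks for the visible signs of a scam e-mail.

Added example (not code from the original post): it scores a message on a
few of the indicators users are trained to spot, so the same signals can be
expressed as rules. Every domain, address and message here is constructed.
"""
import os
import re
from urllib.parse import urlparse

# Assumption: the organization's own domain(s). Replace with the real list.
TRUSTED_DOMAINS = {"example.com"}

# File types that commonly carry executable content (policy assumption).
RISKY_ATTACHMENT_EXTS = {".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm"}


def sender_domain(from_header):
    """Return the domain part of the address in a From: header."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def display_name(from_header):
    """Return the display name preceding the <address>, or '' if none."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<', from_header)
    return m.group(1).strip() if m else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates, if any."""
    for t in trusted:
        if domain != t and edit_distance(domain, t) <= 2:
            return t
    return None


def analyze(message):
    """Return human-readable findings for a message dict with keys
    'from' (header string), 'links' (list of (visible_text, href)) and
    'attachments' (list of filenames)."""
    findings = []
    dom = sender_domain(message["from"])
    name = display_name(message["from"]).lower()

    # 1. Display name claims the organization, but the address is external.
    if dom not in TRUSTED_DOMAINS:
        for t in TRUSTED_DOMAINS:
            brand = t.split(".")[0]
            if brand in name:
                findings.append(f"display name claims '{brand}' but sender domain is {dom}")

    # 2. Sender domain is one or two characters away from a trusted one.
    imitated = lookalike_of(dom, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"sender domain {dom} resembles {imitated}")

    # 3. Link text shows one host while the actual target is another.
    for text, href in message.get("links", []):
        shown = urlparse(text).hostname
        actual = urlparse(href).hostname or ""
        if shown and shown.lower() != actual.lower():
            findings.append(f"link text shows {shown} but points to {actual}")

    # 4. Attachment type that can execute code when opened.
    for filename in message.get("attachments", []):
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_ATTACHMENT_EXTS:
            findings.append(f"risky attachment type {ext}: {filename}")
    return findings


# Constructed samples: one look-alike lure and one benign internal mail.
PHISHING_SAMPLE = {
    "from": "Example IT Support <helpdesk@examp1e.com>",
    "links": [("https://example.com/reset", "http://examp1e.com/login")],
    "attachments": ["invoice.docm"],
}
BENIGN_SAMPLE = {
    "from": "Alice <alice@example.com>",
    "links": [("https://example.com/docs", "https://example.com/docs")],
    "attachments": ["notes.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze(msg) or ["no indicators"])
```

Run as-is, the constructed lure produces four findings and the benign message none. The rules are deliberately simple so they can be read aloud in a training session; a mail gateway would add header authentication (SPF, DKIM, DMARC) on top of them.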
Social Engineering and Phishing
From day one, every stakeholder should understand that no one from the company – at any rank, anywhere on Earth – will request their login information, particularly over the phone.
Social media platforms and apps should be disabled by network management rules for users who don’t need them. If possible, place teams that do need them, such as marketing, on their own secure network segment.
In the era of “Bring Your Own Device,” mobile is unavoidable. The best way to manage it? Have each device scanned as it connects to the network to ensure it meets your enterprise security standards.
What Is the Goal, and How Do You Evaluate Your Strategy?
Ask these three questions:
- Would the employee know if an action was right or wrong?
- Would the employee choose to report a violation?
- Would the employee know how to report a violation?
If they are all “Yes” then you are poised to maintain a strong cybersecurity-aware culture.
Business leaders should lead by example with proper tone, attitude, and management practices to promote a clear and enforceable cybersecurity-aware culture.
No less than the Pentagon has pioneered the development of High-Reliability Organizations (HROs) – organizations robust and resilient enough to achieve operational excellence even where a single error has massive consequences. In today’s environment, all enterprises should strive to emulate the HRO model by making everyone a cybersecurity stakeholder.
Cybersecurity Training Resources
Sophos IT Security Training Tools
IT Security DOs and DON’Ts is a complete employee training curriculum for cybersecurity. The site offers a program launch guide, employee handbook, posters, emails, and more.
Free Phishing Training from PhishMe
PhishMe CBFree is free computer-based security awareness training to meet compliance needs.
Top-Quality Cybersecurity from SANS
SANS is the industry leader in security training for those seeking a sophisticated paid solution.
End-to-end security is a big job, but giving everyone responsibility makes it easier. The sooner you apply these principles, the more secure your organization will be. Contact Sedara today with any questions on cybersecurity best practices.