Beat The Budget | Cybersecurity Awareness Training

Let’s face it, when it comes to cybersecurity, humans are an unpredictable liability. According to Forrester’s “Reconfigure Your Human Firewall” report, only one-third of employees receive cybersecurity training and under half are aware of their organization’s policies.

Non-technical employees are perceived as an organizational weak link and are consistently targeted by attacks. For example, many ransomware attacks target HR departments, since malware can be disguised as an unsolicited résumé. Europe’s biggest manufacturer lost 40 million euros to one simple email that leveraged a single employee. With proper policy, procedure, and training these incidents can be avoided. Of course, it’s one thing to talk about involving all personnel in security and another to achieve it. True “defense in depth” requires multiple interrelated best practices.

Because many companies fail to address these risks on their own, just about every cybersecurity regulation requires cybersecurity awareness training.

The most common regulations requiring training include:

  • PCI DSS
  • HIPAA
  • SOX
  • GLBA
  • COBIT
  • FISMA
  • NERC CIP

For a comprehensive list of all regulations requiring training click here.


Essential Cybersecurity Training Best Practices

Ideally, all personnel should receive basic information security training as part of their on-boarding. This not only makes the details more memorable but makes it clear to them that security will be taken seriously throughout their tenure. Ongoing education about new and emerging security issues should be provided as well.

Create clear and enforceable policies and make sure employees know them. These one- or two-page policies should explain not only how an employee is to comply but also why they play a vital role in cybersecurity. Bear in mind that people pay less attention to issues that don’t directly affect them. Making sure they understand the negative impact of poor cybersecurity on both the business and themselves is crucial to getting them to actively participate in proper practices.

The following key aspects should be made clear in written policy and procedure related to employee cybersecurity awareness.

Responsibility with Company Data

Follow the Principle of Least Privilege – users should have access to only the data they need. Have clear rules for acceptable use of information assets. Spell out how to properly handle sensitive information in both paper and electronic form.

Solid and Familiar Document and Notification Procedures

Each employee should know whom to report an incident to and exactly how.

Password Management Rules

Require password changes periodically. Implement a minimum password strength. It would be in your best interest to jump right to two-factor authentication where possible.

Email Training

Phishing emails, intended to collect passwords and other information, usually only look official at first glance. Train your users to recognize the signs of a scam email and avoid attachments.

Internet Use

While it’s unavoidable that personnel will need the Internet, they should avoid suspicious links. Network management software can prevent some personal browsing and defang mistyped URLs.

Social Engineering and Phishing

From day one, every stakeholder should understand that no one from the company – at any rank, anywhere on Earth – will request their login information, particularly over the phone.

Social Media

Social media platforms and apps should be blocked by network management rules for users who don’t need them. If possible, place marketing teams on their own secure network segment.

Mobile Devices

In the era of “Bring Your Own Device,” mobile is unavoidable. The best way to manage it? Have each device scanned as it connects to the network to ensure it meets your enterprise security standards.


What Is the Goal, and How Do You Evaluate Your Strategy?

Ask these three questions:

  1. Would the employee know if an action was right or wrong?
  2. Would the employee choose to report a violation?
  3. Would the employee know how to report a violation?

If the answer to all three is “Yes,” then you are poised to maintain a strong cybersecurity-aware culture.

Business leaders should lead by example with proper tone, attitude, and management practices to promote a clear and enforceable cybersecurity-aware culture.

No less than the Pentagon has pioneered the development of High-Reliability Organizations (HROs) – organizations robust and resilient enough to achieve operational excellence even when a single error has massive consequences. In today’s environment, all enterprises should strive to emulate the HRO model by making everyone a cybersecurity stakeholder.


Cybersecurity Training Resources

Sophos IT Security Training Tools

IT Security DOs and DON’Ts is a complete employee training curriculum for cybersecurity. The site offers a program launch guide, employee handbook, posters, emails, and more.

Free Phishing Training from PhishMe

PhishMe CBFree is free computer-based security awareness training to meet compliance needs.

Top-Quality Cybersecurity from SANS

SANS is the industry leader in security training for those seeking a sophisticated paid solution.

End-to-end security is a big job, but giving everyone responsibility makes it easier. The sooner you apply these principles, the more secure your organization will be. Contact Sedara today with any questions on cybersecurity best practices.

This is part of our comprehensive guide on Improving Cybersecurity Without Increasing Your Budget.
