Why Cybersecurity Training Matters
Let’s face it, when it comes to cybersecurity, humans are an unpredictable liability.
According to Forrester’s “Reconfigure Your Human Firewall” report, only one-third of employees receive cybersecurity training, and under half are aware of their organization’s policies. Non-technical employees are perceived as an organizational weak link and are consistently targeted by attackers. For example, many ransomware attacks target HR departments, since viruses can be disguised as unsolicited resumes. Europe’s biggest manufacturer lost 40 million Euros to one simple email that exploited a single employee.
With the proper policy, procedure, and training, these incidents can be avoided. Of course, it’s one thing to talk about involving all personnel in security and another to achieve it. True “defense in depth” requires multiple interrelated best practices. Every cybersecurity regulation requires awareness training to address these risks, yet many companies fail to address them on their own.
Common Regulations Requiring Training
- PCI DSS
- GLB Act
- NERC CIP
For a comprehensive list of all regulations requiring training click here.
Essential Cybersecurity Training Best Practices
Ideally, all personnel should receive basic information security training as part of their onboarding. This makes the details more memorable and makes clear to your employees that security is taken seriously. Ongoing education about new and emerging security issues should be provided as well.
Ensure you create clear and enforceable policies that are made well known to employees. These one- or two-page policies should explain how an employee is to comply and why they play a vital role in cybersecurity. Bear in mind, people pay less attention to issues that don’t directly affect them. Making sure they understand the negative impact of poor cybersecurity on both the business and themselves is crucial to getting them to actively participate in proper practices.
The following key aspects should be made clear with written policy and procedure related to employee cybersecurity awareness.
Responsibility with Company Data
Follow the Principle of Least Privilege – users should have access to only the data they need. Have clear rules for the acceptable use of information assets. Explain how to properly handle sensitive information in both paper and electronic form.
Solid and Familiar Document and Notification Procedures
Each employee should know who to report an incident to and exactly how.
Password Management Rules
Require password changes periodically. Enforce a minimum password strength. Use two-factor authentication wherever possible.
Phishing emails, intended to collect passwords and other information, usually only look official at first glance. Train your users to recognize the signs of a scam email and avoid attachments.
While it’s unavoidable that personnel will need the internet, they should avoid suspicious links. Network management software can prevent some personal browsing and defang mistyped URLs.
Social Engineering and Phishing
From day one, every stakeholder should understand that no one from the company – at any rank, anywhere on Earth – will request their login information, particularly over the phone.
Social media platforms and apps should be disabled by network management rules for users who don’t need them. If possible, virtually segment marketing teams on their own secure partition.
In the era of “Bring Your Own Device,” mobile is unavoidable. The best way to manage this is to scan each device as it connects to the network to ensure it meets your enterprise security standards.
How to Evaluate Your Strategy
Ask these three questions:
- Would the employee know if an action was right or wrong?
- Would the employee choose to report a violation?
- Would the employee know how to report a violation?
If you answered “Yes” to all three, then you are poised to maintain a strong cybersecurity-aware culture. Business leaders should lead by example with the proper tone, attitude, and management practices to promote a clear and enforceable cybersecurity-aware culture.
The Pentagon has pioneered the development of the High-Reliability Organization (HRO) – an organization robust and resilient enough to achieve operational excellence even where a single error has massive consequences. In today’s environment, all enterprises should strive to emulate the HRO model by making everyone a cybersecurity stakeholder.
Cybersecurity Training Resources
Sophos IT Security Training Tools
IT Security DOs and DON’Ts is a complete employee training curriculum for cybersecurity. The site offers a program launch guide, employee handbook, posters, emails, and more.
Top-Quality Cybersecurity from SANS
SANS is the industry leader in security training for those seeking a sophisticated paid solution. End-to-end security is a big job, but giving everyone responsibility makes it easier. The sooner you apply these principles, the more secure your organization will be.
Contact Sedara today with any questions on cybersecurity best practices.
How Sedara Can Help You
Sedara’s cybersecurity experts can teach you everything you need to know in order to stay compliant. Contact us today to get started.