Nearly 60% of all cyber-attacks can be considered “inside jobs”. And while some of these were done with malicious intent, a good portion of them are the result of employee negligence or error. Eddie Schwartz, the chair of ISACA’s Cyber Security Advisory Council, states, "If we look at security breaches over the last five to seven years, it's pretty clear that people, whether it's through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities." Educating employees, who are probably not IT or tech experts, might seem like a daunting task, but with proper procedures and policies in place, it can be done.
Stress the importance of cyber security from the start: Cyber security should be a part of the onboarding process for new employees. Be sure to educate new hires about threats that may be specific to your business or industry. Some of the items onboarding should cover are email phishing scams, what employees should and should not share on social media, policies about using corporate mobile devices, the particular challenges of bring your own device (BYOD), and which apps employees can and cannot use.
Training is not a one-and-done event: The onboarding process is a great place to start. However, threats are constantly changing, so education must be ongoing. Sending out short reminders, hanging informative posters around the office, and even running contests can remind employees that security is everyone’s job. Follow up any training by testing employees. Sending out occasional phony phishing emails to see which employees follow procedures appropriately and who may need additional training only strengthens IT security.
IT security policies need to constantly evolve: Just as training is not a one-and-done event, IT policies also must be continuously reviewed and changed. These changes must then be clearly communicated to the staff. It’s not enough to have employees sign off once a year on IT policies if they do not fully understand the changes that have been made.
Share and reward: If your goal is to build a company culture of cyber-security awareness, avoid scare tactics. Share with the entire company when employees are proactive and report potential threats to the proper channels. Cooperation is key and each person in the organization should know what they can do to prevent cyber-attacks. When employees are proactive, they can be rewarded for their vigilance.
It may sound cliché, but even the best cyber security system is only as strong as its weakest link. Informing and educating the employees of your organization is an important line of defense against cyber-attacks. With education, knowledge, and some common-sense tips, staff can not only help with early detection of threats, they can also stop many of them. Contact us at De Novo HRC to learn more about our Cyber Training program. We can educate your employees on-site to help minimize your exposure to cyber-attacks.