Cyber security training for employees may not be on the top of your list of priorities, but consider this: on December 6, 2017 Mecklenberg county officials in North Carolina received a ransom note from a hacker, threatening to bring the county to a standstill if it didn’t pay a ransom of $23,000. The county refused, the attack went through, and now the most populated metro area in North Carolina has been reeled back into the 20th century, relying on paper records and processing for permits, jail intakes, court cases, and every other function of county government. A measly 44 of the county’s 500 servers was breached, but the cost to the county could stretch into the millions of dollars.
Who gets attacked, and at what cost?
The numbers aren’t good: 43% of cyber attacks are on small businesses, and of those small businesses, 60% go out of business within six months following an attack. The average cost of cyber attacks in the U.S. is steadily climbing with the average as of January 2017 being just over seven millions dollars.
Across businesses large and small, the cost of a data breach per client record averages $225. What does this mean for your company? If you store just 1,000 client emails, a data breach could cost your company $225,000. The more complicated the data, the higher the cost.
Who needs cyber security training in my workforce?
The answer to this question is simple: if an employee touches a computer, they need cyber security training.
In the Mecklenberg attack, hackers used primarily email attachments to install ransomware on the county’s computers. Globally the “human attack surface” (employees in contact with a computer) will reach an estimated four billion people by 2021.
Information security training (infosec training) can help mitigate this exposure. Everyone with access to the internet needs training.
How can I create effective cyber security training for employees?
Creating an effective cyber security training for employees starts at the top, is meaningful, just-in-time, and ongoing. Here are ten tips to help you get there.
1. Get executive buy-in
Play the numbers: the costs of cyber security awareness training are worth the ROI when it comes to protecting your customers, their data, and your company’s proprietary information.
It may be as simple as pulling together the statistics on the costs of cyber security training versus the costs of rebuilding your reputation and customer base after an attack. Focus on hard numbers and tailor your pitch to leadership knowing your company’s needs.
2. Take a broad view, and then evaluate your company’s weak points
When designing cyber security training courses for your company, look at the overall security already in place, and then consider the weakest points in your system.
Are there gaps in security when it comes to payment processing? Inter-office emails? Uploading to DropBox or another file storage program? Attachments and document security? Figure out the weakest link and focus the start of your course design there.
3. Figure out what employees already know
Don’t waste employees’ time (and your own) teaching them what they already know.
Work with your cyber security training developers to evaluate employee awareness before sending everyone to the same training.
4. Use microlearning and at-hand resources
Chances are good that your company already has training resources at hand. Don’t re-invent the wheel. If your employees respond best to online training, don’t shuffle them into a room and make them stare at a four-hour presentation.
Utilize the principles of microlearning to deliver essential small bites of information that address the most vital cyber security tips for employees.
5. Train employees about email and phone phishing scams
Get specific when it comes to current phishing scams via phone and email.
Even the most well-informed employees may not be completely up-to-date on every scam that comes down the pike. Microlearning can come in handy here, too. Nearly 91% of cyber attacks start with an email. Teach employees how to protect themselves (and the company!).
6. Standardize a company-wide process for updating passwords
Do you want employees to change passwords every 30 days? Should each password have a capital letter, a special character, and eight or more characters total? What about two factor authentication (2FA)?
Set the standard, and make sure the entire company knows what it is, and create automatic processes that force them to update their passwords.
7. Use personal examples
In a company of any size, chances are good that one or more employees have been the victim of some form of identity theft or cyber attack.
8. Make it real-time
Your company can also create simulated cyber attacks for each department of your company. These “live-fire” training exercises can sharpen cyber security awareness and get everyone ready if the time comes when it’s not just a drill.
Evaluate employee response to the drill and adjust your training accordingly.
9. Train early, train often
Start cyber security training for employees during the onboarding process as an integral part of joining the company.
This can help you identify new employees’ level of awareness and tailor training to their needs. Check in as they integrate into the workforce.
10. Make it an ongoing, team effort
Wesley Simpson, COO of a cyber security training firm, believes that cyber security awareness training isn’t just an annual proposition, noting,
“Most organizations roll out an annual training and think it’s one and done. That’s not enough.”
Instead, he advocates what he refers to as “people patching.” Similar to regular a software upgrade, cyber security training should be an ongoing, team effort that takes into account changes in the industry, the world, and the ever-evolving tools of the hackers. He says:
“Your people are your assets, and you need to invest in them continually. If you don’t get your people patched continually, you’re always going to have vulnerabilities.”
If it’s time to think about patching your people, get in touch with EdgePoint Learning to talk about your cybersecurity training needs. We have a dedicated team who are up-to-date on the latest cyber security developments and training methods.