Despite growing risks, most organizations short-change security training, basics


Businesses regularly skip cybersecurity training for their employees, and viewed objectively this makes little sense. Every business has to operate on a budget, of course, but it is odd that when money gets tight, IT security so often gets the short end of the stick.

Over the long run, sound cybersecurity measures tend to pay for themselves many times over. Yet many CEOs work under the illusion that investing in cybersecurity is nothing more than buying air, and the companies they run become sitting ducks in attackers' eyes. Operating like that makes little sense in today's environment, where the average data breach is estimated to cost $3.8 million and a business is hit roughly every 40 seconds.

Of all cybersecurity measures, training your employees is one of the most important. Attackers far more often get into a company through its people than by defeating its firewalls; many of history's biggest data breaches started with a single employee opening a phishing email or handing over credentials, exposing the company to severe financial and data losses.

Ignorance Isn’t Bliss: The Ubiquity of Undertrained Employees

To make matters worse, a security report by Wombat found that about 30% of employees have no idea what phishing even is. Given that 76 percent of businesses reported falling victim to phishing, this is hardly an acceptable state of affairs. And that is before counting how many employees leave their computers unlocked and unattended, or keep passwords on paper notes lying about the office.

At some point, you have to face the facts. Your business is just as likely to be attacked as the next. When an attempt comes, you want your employees to recognize its common hallmarks. Proper training will cost you some money, but you will ultimately save far more by preventing attacks than by picking up the pieces after a successful one.

So, you realize that your employees require some enlightening on cybersecurity. But what do they need to learn?

What Your Staff Should Know

While they don’t need to be full-blown experts, your employees really ought to know the basics of cybersecurity. Here are the most relevant points a good cybersecurity course should cover.

1. Different Kinds of Cyber Attacks

Your employees need to know what kinds of attacks can come their way. That means learning about phishing, ransomware, social engineering, malware and spam, the categories people fall for most. The more they know, the smaller the odds of something malicious slipping through the cracks.

They also need to know that social media is a common delivery channel for spam and for links to malicious software, not just email. Above all, they should learn how to spot a suspicious email: a sender address that does not match the display name, a reply-to address pointing somewhere else, links whose visible text differs from where they actually lead, and artificial urgency. Real-life examples of successful attacks, worked through as exercises, make these concepts concrete and help the knowledge stick.
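As an added illustration of the "how to spot a suspicious email" point (this is example code written for this page, not material from the article or from any training vendor), the following Python script applies the most common phishing tells to a raw message: a display name that claims the company domain while the real sender is elsewhere, a lookalike domain built from digit-for-letter substitution, a mismatched Reply-To, urgency words in the subject, and link text that shows one host while the href points to another. The company domain, the two sample messages and the urgency word list are all constructed for the demo.

```python
"""Heuristic checks for common phishing tells in a raw e-mail message.

Added example for this page; the sample messages and the company domain
are constructed, not taken from a real incident.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed: the employer's real mail domain
COMPANY_LABEL = COMPANY_DOMAIN.split(".")[0]
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Digit/symbol substitutions attackers use to build lookalike domains.
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "@": "a"})

# Constructed sample: a phish that shows every tell at once.
SAMPLE_PHISH = """\
From: "IT Helpdesk (example.com)" <alerts@examp1e-support.net>
Reply-To: recover@mailbox-reset.invalid
To: jane.doe@example.com
Subject: URGENT: your password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires in 2 hours. Verify immediately to avoid lockout.</p>
<p><a href="http://examp1e-support.net/login">https://sso.example.com/reset</a></p>
</body></html>
"""

# Constructed sample: an ordinary internal message that should pass clean.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: john.roe@example.com
Subject: Notes from today's meeting
Content-Type: text/html; charset=utf-8

<html><body><p>Notes are on the wiki:
<a href="https://wiki.example.com/notes">https://wiki.example.com/notes</a></p></body></html>
"""


def domain_of(value):
    """Lower-cased host part of an e-mail address or URL ('' if neither)."""
    s = value.strip().lower()
    if "://" in s:
        s = s.split("://", 1)[1]
        return s.split("/", 1)[0].split(":", 1)[0]
    return s.rsplit("@", 1)[1] if "@" in s else ""


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = email.message_from_string(raw)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Display name impersonates the company while the address is external.
    if sender_domain != COMPANY_DOMAIN and COMPANY_DOMAIN in display.lower():
        findings.append(f"display name claims {COMPANY_DOMAIN} but sender is {sender_domain}")

    # 2. Lookalike domain: only resembles the company label after undoing 1->l, 0->o, ...
    normalized = sender_domain.translate(LEET)
    if normalized != sender_domain and COMPANY_LABEL in normalized:
        findings.append(f"lookalike sender domain {sender_domain} (reads as {normalized})")

    # 3. Replies are steered to a different domain than the apparent sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender {sender_domain}")

    # 4. Manufactured urgency in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency words in subject: {', '.join(hits)}")

    # 5. Visible link text names one host, the href points to another.
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    for href, text in LINK_RE.findall(body):
        shown = domain_of(text)
        if shown and shown != domain_of(href):
            findings.append(f"link shows {shown} but points to {domain_of(href)}")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, "->", phishing_indicators(sample) or ["no indicators"])
```

These heuristics are what a trained employee is being asked to do by eye; none of them is proof of phishing on its own, and a real message can trip one of them, which is why training should teach people to report rather than to adjudicate.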

2. Dangerous Internet Habits

More often than not, people have little awareness of the consequences of their online activities. Good training addresses this by explaining the most common pitfalls of browsing the web and how much risk they expose both themselves and the company to.

This means promoting safe browsing. Your staff should know which links to avoid: anything flagged as unsafe by the antivirus or web filter, and any link in an unexpected or suspicious email. They should also learn to check where a link actually leads before clicking, rather than relying on security software to catch every bad site. Safe conduct on social media while using company devices is just as important.

3. Password Security

In case you didn't know, "password" remains one of the most common passwords in the world. It is easy to conclude that people have a reckless attitude toward passwords, and that is something in dire need of fixing if you want to minimize the chances of a breach in your business.

There are two key takeaways your employees should leave the training with. The first is password strength: length matters far more than sprinkling in numerals and symbols, so a long passphrase beats a short "complex" password. The second is a different password for every account, which in practice means using a password manager rather than memorizing dozens of them. Strong passwords are much harder to guess or brute-force, and if one is leaked in a breach, uniqueness means it cannot be replayed against other, more sensitive accounts.
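To make both takeaways concrete, here is an added Python example written for this page (not code from the article): it estimates the brute-force search space of a short complex password against a long lowercase passphrase, and then simulates what a leaked, reused password lets an attacker do by replaying it against every account a user holds. The accounts, passwords, iteration count and guess rate are constructed for the demo; the password store uses PBKDF2-HMAC-SHA256 from the standard library.

```python
"""Why length beats complexity, and why reuse is the real danger.

Added example for this page. The user, services and passwords below are
constructed, and the guess rate is an assumption, not a measurement.
"""
import hashlib
import hmac
import math
import os

# Kept low so the demo runs in well under a second; production should follow
# current OWASP guidance (600,000 iterations for PBKDF2-HMAC-SHA256 as of 2023).
PBKDF2_ITERATIONS = 100_000
SYMBOL_POOL = 33  # printable ASCII punctuation plus space


def search_space_bits(password):
    """Upper-bound entropy in bits, assuming each character was chosen at random
    from the union of the character classes the password uses.

    Real passwords are far weaker than this bound because people pick words,
    dates and keyboard patterns that wordlist attacks try first; the bound is
    only for comparing policies against each other.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += SYMBOL_POOL
    return len(password) * math.log2(pool) if pool else 0.0


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try the whole space at an assumed offline GPU cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def hash_password(password, salt=None):
    """Salted PBKDF2 record as a service would store it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_demo_accounts():
    """Constructed: one employee reused a password on three services, not on the fourth."""
    reused = "Summer2019!"
    return {
        "webmail": hash_password(reused),
        "vpn": hash_password(reused),
        "payroll": hash_password(reused),
        "wiki": hash_password("gravel-otter-lamp-bay"),
    }


def credential_stuffing(leaked_password, accounts):
    """Replay a single leaked password against every account; return the ones it opens.

    Each service salts its hashes differently, so the attacker cannot see the
    reuse in the dumps; it only shows up when the password is tried live.
    """
    return sorted(name for name, record in accounts.items()
                  if verify_password(leaked_password, record))


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "gravelotterlampbay"):
        bits = search_space_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, {years_to_exhaust(bits):.2e} years to exhaust")
    print("leaked 'Summer2019!' opens:", credential_stuffing("Summer2019!", build_demo_accounts()))
```

The comparison shows an 8-character password drawn from all four character classes being exhausted in well under a year at the assumed rate, while an 18-character lowercase passphrase would take tens of millions of years; and the stuffing simulation shows that one leaked password compromises every account it was reused on, while the account with a unique password is untouched.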

4. Reporting Potential Attacks

Once your staff becomes proficient at detecting dangers, they need to put that knowledge into practice. With many people working on many different devices, an alert employee is often the first to notice an attack. When they come across a likely hazard, they need to know the reporting procedure.

That is, they should know how to spot a problem, who to talk to when they do, and where and how to report it. Make clear that reporting is expected and blame-free, including when someone has already clicked: a prompt report of a mistake is worth far more than a hidden one. After that, your IT and security staff can do what needs to be done to resolve the issue.
