Contributor: David Mahon, Chief Information Security Officer, Deloitte Global
The number of worldwide cyberattacks is on the rise, and organizations with a global footprint face a relentless wave of attacks by motivated “threat actors.” These actors can be organized multinational criminals, nation states, cyber-activists (known as “hacktivists”) or company insiders. Their activities can damage a company’s reputation, disrupt its business, and impose financial penalties through regulatory violations and remediation costs.
To combat proliferating threats, it is important to take a holistic approach to cybersecurity that includes the three pillars of organizational transformation: people, process and technology. By far the weakest of these pillars is “people.” It is the most difficult to shore up, because humans, by their very nature, are error-prone. Commonly cited industry estimates attribute around 90% of successful attacks to human error, mainly employees either deliberately or inadvertently violating the policies designed to prevent breaches.
Cyber attackers know that employees are the “weak link” in any organization, so they concentrate their efforts on them through phishing attacks and other “social engineering” scams. Their goal is to trick people into giving away their sign-in credentials so they can get onto the corporate network and into its systems. Once they have a foothold, they seek out and steal the credentials of high-privileged individuals who are authorized to access the most sensitive assets. This is where the real damage starts, but it all begins with a single person making a single mistake.
This is why employee awareness and training are critical components of any cybersecurity strategy. They complement, rather than replace, the process and technology controls that limit what an attacker can do with a single stolen credential.
The Pillars of Employee Cybersecurity Training
When building a cybersecurity training program, remember the following:
- Everyone matters – Executives are not immune to cybersecurity mistakes. In fact, senior executives tend to be among the worst offenders when it comes to violating security policy. They are very busy, often skip or delegate cybersecurity training, and are targeted precisely because their accounts carry the most privilege. Plus, the notion of “getting in trouble” is not as acute for a senior executive as it is for rank-and-file employees, so they tend to be less motivated to practice good cyber hygiene. This means that training programs must be designed with all levels of employees in mind. And while you’re at it, work the board into your training: board members should be particularly cyber-aware, since they have access to so much confidential information.
- Reduce stigma – The first few moments after a mistake are critical. Encourage employees to speak up quickly if they suspect they have clicked a malicious link, entered their password into a suspicious page, or otherwise been compromised, because the sooner the security team knows, the sooner it can reset credentials and contain the incident. It is important to impress on employees that admitting mistakes is good and trying to conceal them or make them go away is bad. This runs directly counter to human nature, so it is important to reinforce this concept on a constant basis.
- Make cyber awareness a habit – Cybersecurity training and expectations should be part of the employee training lifecycle, beginning with orientation and continuing throughout their careers. For companies, it needs to be part of the culture – just like other typical cultural components such as diversity, innovation, dress code and wellness.
Cybersecurity Training in Action
These program examples are just a few ways to prepare a workforce to remain vigilant about cybersecurity threats:
- Circulate cybersafe materials – Distribute cyber awareness campaigns to engage and educate employees through communications and trainings. And, educate employees about new protections when using collaboration tools, such as securing virtual meetings with a password.
- Employ new media – Engage employees through a variety of media such as podcasts and gamification of trainings.
- Distribute time sensitive cyber alerts – Create a plan to alert employees of emerging phishing scams, ransomware attacks, and social engineering in a timely manner.
- Test employees’ phishing awareness through training drills – Distribute emails designed to look like phishing attempts and test whether employees can identify and report them as such. Follow each drill with immediate, non-punitive feedback, and track the report rate alongside the click rate, since reporting a suspicious message is the behavior the program is trying to build.
Employees are the weakest link in cybersecurity – but they also can be the first, and strongest, line of defense. There may be a relentless wave of attacks hitting your organization, but your employees – from staff right up to the CEO – can be an effective “sea wall” if they are trained to be cyber-aware, and cyber-safe.