Employee security awareness tactics that work
It may seem like an uphill battle, but there are ways businesses can arm their employees against these and other devious methods attackers use to scam businesses out of sensitive information or their cash.
Here’s what to consider while evaluating a security awareness training vendor or creating a program of your own.
1. Start on Day One
When a new employee comes on board, security training typically takes a back seat to filling out HR paperwork, being assigned to a work area and getting issued a laptop. Brandon Czajka, virtual chief information officer at Switchfast Technologies, believes in getting employees ready for the cybersecurity threats they’ll encounter during any given workday from the moment they accept a job offer.
“There are several security training vectors available out on the market that can easily be incorporated into an organization’s new hire onboarding process or used as a frequent means of keeping these threats front of mind,” Czajka said, noting that many are similar in this regard.
2. Watch emerging threats
The cybersecurity landscape can change drastically in no time at all. That’s why it’s important to use a security awareness training vendor or service that keeps its finger on the pulse of the market so that employees don’t wind up blindsided by the latest scam.
“Ultimately, it is best to select a training platform that not only defines past data breaches and how organizations responded to them – learning from past mistakes – but also one that keeps the training material up to date with new breaches as they occur in real time,” Czajka said.
3. Practice makes perfect
Simulations are used to sharpen the reflexes of air pilots and military personnel in challenging situations and to teach them how to respond. Similar information security training can expose employees to the latest deceptions and attacks, helping them guard against risky behaviors that can lead to data breaches.
Cofense’s Robinson advocates a similar “learning by doing” approach to block security threats that workers may encounter during the course of their jobs.
“This is best accomplished through the use of active threat simulations that provide the end user an experience they will remember and a new action to take; in the case of phishing, the new action is reporting [the threat],” said Robinson. Organizations that fail to instill this mindset lose the ability “to address and mitigate threats in real time,” he added.
4. Explain why
Learning with the immediate feedback provided by security simulations can help concepts stick, but companies can go further by making it clear why the training is important.
“User engagement is further driven by transparency within an organization,” Robinson said. “To that end, awareness and training materials need to clearly outline why security is important both at work and at home. In other words, make the training personal.”
5. Fix the password problem
Weak, reused and easily guessed passwords continue to be a major security weak spot. A 2017 study from F-Secure found that 30 percent of CEOs had a service linked to their company email hacked and the password leaked. Another survey from Dashlane found that nearly half (46 percent) of employees use personal passwords to protect company data.
Enforcing password policy is one step enterprises should take, combined with multi-factor authentication.