Employee security training is an essential part of an organization’s defense against cyberattacks, yet many CISOs and CSOs are not conducting regular training. In fact, according to a survey conducted last year on behalf of ClubCISO, one in five CISOs (21%) said they had never given security training to their staff.
This could indicate overreliance on technological security measures to prevent cyberattacks, such as firewalls, anti-virus and anti-malware software, anti-spam filters, and web filters. Organizations may have confidence in their policies and procedures. CISOs may even believe that their organization is unlikely to be attacked. Regardless, of the reason, a lack of training leaves a gaping hole in security defenses.
Employee Security Training Is A Cost-Effective Way of Improving Security Posture
IT departments are well aware that employees are a weak link in the security chain and can all too easily undo all the good work done to keep data and networks secure. All it takes is for one employee to open a Word document and enable malicious macros, visit a compromised website, or inadvertently download malware for a network to be compromised.
If you want to improve your security posture, one of the easiest and most cost-effective ways to protect your network is training employees how to identify security risks. CISOs, CSOs, and IT staff may be well aware that opening an email attachment from someone they don’t know is risky. Not all employees will be so security-minded and may not appreciate the risk they are taking by opening an email attachment or visiting a link sent to them via email. Failing to train employees on these security basics is like leaving your front door unlocked when you go on vacation. Staff also need to be trained for email compliance regulations. A little training can go a very long way.
Employee Security Training Should Not Be A One-Time Event
Many organizations realize that training is important, yet still only conduct security training sessions once a year. Security training may only be given to new recruits when they join a company. The ClubCISO survey revealed that one in five employers only provided training to new employees, and 37% carried out training just once a year. Only 21% said they conducted regular security training sessions.
Furthermore, when training was provided, more than half of organizations had no idea about how effective their training had been. Training was given in a checkbox fashion in order to meet industry security regulations. Once provided, documents could be signed by employees to confirm that training had been provided, which would be sufficient if ever the organization was audited by industry regulators. However, it may not be sufficient to prevent a successful cyberattack. Employee security training is not a one-time event. It should be provided in regular training sessions, knowledge should be tested, and a security culture should be developed.
Getting Staff Cybersecurity Training Right
It is all too easy to purchase a new security product and hope that it is 100% effective and will prevent a cyberattack from being successful, but no system is infallible. Cybersecurity defenses must be multi-layered, and end users must be part of any defense strategy. After all, cybercriminals will target end users as they offer an easy entry point into a corporate network.
Employee security training is not something that is enjoyed by the staff, and many employees would prefer not to have to undergo training. Many employees don’t concentrate and forget their training almost immediately. Conducting a training session is therefore not sufficient by itself. Online security training is similarly unlikely to be particularly effective if the staff is not then tested on their new knowledge of security.
It is therefore important to make employee security training a regular exercise and to follow up training with testing to ensure that it is taken more seriously. Consider rewarding employees for taking part in training exercises. Make sure employees are given support, and if a test is failed, such as a phishing exercise, ensure that employees who need further training are given extra help.
Employee security training is not just something that is beneficial to employers. Employees also benefit. They can use training to keep their own online activities secure outside of the office, or can use training to protect their children when they go online. Explain the relevance and inform employees that the skills they learn can help to keep them safe outside work.
Get the Board to Back Security Training Efforts
All too often there is a lack of awareness of level of risk faced by organizations at the board level. Employee security training may be considered to be an unnecessary use of time and resources. Without board buy-in, CISOs are likely to face an uphill battle.
Employee security training will require support from the board and for that to happen it may be necessary for CISOs to explain the relevance and importance of employee security training. If you feel that your board does not appreciate the benefits, send the board members a dummy phishing email. If they click the link or open a bogus attachment, it may help them to understand the high risk of employees doing the same. Without buy in from the board it will be difficult to develop a worthwhile and effective training program.
With the current threat from malware, ransomware, phishing, and hacking, it is essential to take action to defend all attack surfaces. Since employees are often the weakest link in the security chain, they are a great place to start to improve overall security posture.
