We all know that security risks are increasing. We also know that employees are often the weakest link in the security chain, making mistakes or doing things they simply do not know they shouldn’t do.
Case in point: A 2017 survey from Wombat Security Technologies revealed that nearly one-third of employees do not even know what phishing is. Nearly two-thirds do not understand the term “ransomware.” Those are scary statistics, particularly given that falling for phishing and ransomware attacks is among the primary sources of employee security mistakes.
The solution? Security training. Not just any security training, but training supported, planned and implemented across the organization — training that has an impact on user behavior and includes repercussions if not taken.
Training that sticks
One of the primary challenges with security training is that, far too often, it just doesn’t stick.
Most companies provide some kind of security training for employees, usually during onboarding. There are challenges with this approach. Primarily, a new employee has a lot to learn. If you insert training on day one, or within week one, it will most likely get lost in the shuffle of everything else the new employee is trying to learn and understand.
Many companies additionally or alternatively have standardized, module-based security training that employees must take once or twice a year. There are challenges with this approach as well. First, many employees simply don’t take the required training, particularly if there are no formal repercussions. Second, for those who do take the required training, it can be dreadfully boring and too often does not make a mental impact.
- Initiate from the top (C-team); own from the middle (IT and human resources, together)
- Create and implement policies
- Create ownership of the enforcement of adherence to policies (this is where things generally fall apart)
- Research the effectiveness of the training and modify accordingly
- Repeat annually
Let’s look at each step individually.
Initiate from the top; own from the middle. Good cyber hygiene is a top-down concept. Funding, support and willingness to enforce security policies and training requirements all come from the C-suite. Good cyber hygiene should be part of the culture.
Ownership and implementation, however, should be a joint effort between the IT team and the human relations (HR) team. The IT team should be involved in choosing and implementing the training to ensure that it’s accurate and appropriate for the company; the HR team should track the training to ensure that employees are actually taking it and to initiate disciplinary procedures if rules are not followed.
Create and implement policies. Having a loosely compiled list of things employees should do is simply not sufficient. Employees must understand that the company is serious about security and employee behavior. IT and HR should together create the policies and work together on how best to implement these policies.
Create ownership of the enforcement of adherence to policies. Ah, ownership. This can be a company’s greatest challenge. Ideally, IT implements and HR enforces. The reason? If an employee does not take the required training, that’s a personnel matter — not an IT matter. An employee who does not take required training should be treated as if that employee is violating company policy. It’s serious business and should be treated as such.
Research the effectiveness of the training and modify accordingly. Far too many companies consider security training a box to be checked. That mindset must change. If you want to make security training effective, make it personal to the employee. Conduct phishing tests, for example, to see who clicks on unknown links in emails from unknown senders. If people click (which they will), make the effects personal for those employees to ensure that they truly understand the implications of their actions. Bottom line: Make sure the training is working. If it’s not working, change the methodology or questions to ensure that employees not only understand it, but are also able to put the training into practice.
Repeat annually. Security threats are only getting more sophisticated. Training should be updated and required at least once a year, if not twice.
When it comes to security training, most companies are on the right track. That said, insider threats are on the rise and, as a result, security training should take a much higher priority in order to reduce that threat. Make it part of your culture; make it impactful; and make it required.