Reduce cybersecurity risk with awareness training

Human error continues to confound the best efforts of security executives.

No matter how much money gets spent on firewalls, intrusion detection software and other cybersecurity tools, it’s all going to be for naught if employees ignore security protocols and click on dodgy email links.

In theory, this ought to be easy to fix. But there are no shortcuts.

Rome wasn’t built in a day

An edict out of the IT department won’t get the job done.

Building a security culture takes time and effort. What’s more, cybersecurity awareness training ought to be a regular occurrence ­— once a quarter at a minimum ­— where it’s an ongoing conversation with employees.

One-and-done won’t suffice. People have short memories, so repetition is altogether appropriate when it comes to a topic that’s so strategic to the organization. This also needs to be part of a broader top-down effort starting with senior management.

Awareness training should be incorporated across all organizations, not just limited to governance, threat detection, and incident response plans. The campaign should involve more than serving up a dry set of rules, divorced from the broader business reality.

If done the right way, employees will come away with a keen understanding how their cyber behavior can impact the overall business.

Changing behavior

According to the Global Cyber Security Capacity Centre, this hinges on the organization’s ability to influence attitudes as well as intentions.

Unlike training, where employees are quizzed on their knowledge of instructions, the focus of awareness training should be on changing behavior. In terms of making this happen, organizations should make clear to everyone on staff that cybersecurity adherence isn’t optional any longer. It’s strategic.

The reality is that bad habits linger, so don’t assume that employees are going to automatically change their behavior after watching a video or two about cybersecurity. Building an awareness program must include a mix of tactics with the goal of fostering a security-conscious environment. It also doesn’t hurt to throw in a few incentives to make sure the message gets through.   

• Monitor users and compile cyber risk scores based on employee understanding of security practices and actual performance. Linking job appraisals to an employee’s proficiency in cybersecurity awareness will make mastery of cyber safety a matter of self-interest.   
• If someone fails their cybersecurity tests repeatedly, both the employee’s manager and human resources should be notified. In Riverside, Calif., for example, the city now makes awareness training mandatory. It also locks employees out of the city’s network if they fail to take and complete the one-to two-hour course within the designated period. Some organizations also stage fake phishing attacks to test their employees. Any employees who get duped into clicking on fake email links should be required to undergo a refresher course.   
• The curriculum should extend beyond the obvious risks posed by phishing, authentication and passwords to also foster greater employee understanding about physical security and data loss prevention.   
• It’s 2017 and there’s simply no forgiving easy-to-guess passwords like “password” or “1234” anymore.    
• Use imaginative and interactive ways to get employees interested in the topic. Also, festoon the corridors with posters and tips to drive home the message. Follow up with regular emails. Offer rewards or acknowledgments to employees who consistently pass mock phishing tests or spot real attempts.

With cybercriminals doubling-down on their skills, it’s never been more important to get employees to understand the fundamental risks that cyberattacks pose to their organizations. Any progress organizations make on this front will pay major dividends.

AT&T Cybersecurity Insights report

Learn more about protecting your business in AT&T Cybersecurity Insights, Volume 6: "Mind the Gap: Cybersecurity’s Big Disconnect."

In this invaluable report, you'll read about the troubling disconnects that have emerged between today's cybersecurity threats and organizations' countermeasures, as well as what you can do to help strengthen your defenses and reduce risk.