As security awareness training continues to grow, so too does the number of successful breaches caused by human error. Cyber security is now a widespread focus, but security culture is still falling far behind. Here are our 4 main steps to building a security-minded workforce.
A glance at recent tech headlines will leave you inundated with the latest data breaches, including last week's announcement of the mountains of personal data exposed by Equifax.
Nowadays, security is widespread and mainstream, but security culture is falling far behind. The focus falls mainly on securing technology, with end-user training and awareness often treated as an afterthought. The simple fact is, this mindset continues to harm the online safety of many of us.
For the protection of clients, consumers and employees, a cyber security culture should be an important business function of any company, regardless of size.
So, to help you build a cyber security-minded workforce, we've put together 4 of our top tips...
Some of the most common cyber attacks and data breaches can be avoided through simple security measures. The problem is, a lot of organisations forget to train employees on basic security hygiene.
CompTIA found that a massive 50% of employees have never received security training from their employers. Taking measures like the following is vital when creating a security-minded culture.
A) Strong Password Policy
Pet names, re-using old passwords, and post-it notes: no, nope and absolutely never. Employees need to understand why a strong password is hugely important and how it blocks potential cyber criminals. Length and uniqueness matter far more than forced special-character rules; a password re-used across sites is only as safe as the weakest site it was used on, and a breach there hands the attacker every other account that shares it.
B) Enable Two-Factor Authentication (2FA)
2FA has had its fair share of criticism from employees in the past. Often labelled "inconvenient", this added level of security requires an extra step when logging in, but the protection it offers is well worth it: a stolen or reused password on its own is no longer enough to get in, which blunts credential stuffing and most bulk phishing. Encouraging employees to use 2FA or MFA, and preferring app-based or hardware-key methods over SMS codes where practical, removes a large share of the avoidable risk.
C) Monitor and Enforce
Employees only need access to the software and systems their role requires, so restricting users to exactly that (least privilege) is important for limiting the damage a compromised or careless account can do. If any suspicious signs pop up (like an unusual login time, or an attempt to reach a system the user has no business on), then this should be logged and flagged for review. Rules for terminating or disabling access when an employee leaves, or suspending it while they are on extended leave, must also be put into practice and checked, because a departed employee's account that still logs in is a breach waiting to happen.
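The three checks described above (unusual login time, access outside a user's entitlements, and activity on an account that should already have been disabled) are easy to run over an authentication log. The following is an added example written for this article, not code from the original page or from any product it mentions. The log format, the entitlement table, the leaver list and the 07:00 to 19:00 weekday working window are all constructed assumptions; in a real deployment the entitlements and leaver dates would come from your identity provider or HR system, and the "normal hours" baseline would be learned per user rather than fixed.

```python
"""Flag suspicious logins from a constructed auth log (illustrative example)."""
import re
from datetime import datetime, time

# Constructed entitlement table: which systems each employee may use (least privilege).
ENTITLEMENTS = {
    "alice": {"crm", "mail"},
    "bob": {"mail"},
    "carol": {"finance", "mail"},
}

# Constructed leaver list: date from which the account should already be disabled.
LEAVERS = {"carol": datetime(2017, 9, 1)}

# Assumed normal working window; anything outside it counts as an "unusual login time".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Assumed log line format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\w+) system=(?P<system>\w+) result=(?P<result>\w+)$"
)

# Constructed sample log: one clean login, one at 02:40, one to a system bob is not
# entitled to, one from carol after her leaving date, one on a Saturday, one malformed.
SAMPLE_LOG = """\
2017-09-12T09:15:00 user=alice system=crm result=success
2017-09-12T02:40:00 user=bob system=mail result=success
2017-09-12T10:05:00 user=bob system=finance result=success
2017-09-13T08:30:00 user=carol system=mail result=success
2017-09-16T10:00:00 user=alice system=crm result=success
this line is malformed and must be skipped rather than crash the scan
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def is_off_hours(ts):
    """Weekend, or outside the business window on a weekday."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def check_event(event):
    """Apply the three rules to one parsed event; return the reasons it trips."""
    reasons = []
    user, system, ts = event["user"], event["system"], event["ts"]
    left = LEAVERS.get(user)
    if left is not None and ts >= left:
        reasons.append("account_should_be_disabled")
    if system not in ENTITLEMENTS.get(user, set()):
        reasons.append("not_entitled")
    if is_off_hours(ts):
        reasons.append("off_hours")
    return reasons


def scan(log_text):
    """Return (user, system, reason) for every rule each log line trips, in log order."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # unparseable input is skipped, never trusted
        for reason in check_event(event):
            findings.append((event["user"], event["system"], reason))
    return findings


if __name__ == "__main__":
    for user, system, reason in scan(SAMPLE_LOG):
        print(f"FLAG {reason:27} user={user} system={system}")
```

Running the script prints four flags: bob's 02:40 login, bob's attempt on the finance system, carol's login twelve days after her account should have been disabled, and alice's Saturday login. The last of these is the kind of finding that needs a human to decide whether it is a genuine anomaly or a known habit, which is exactly why the page asks for logging and flagging rather than automatic blocking.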
The old once-a-year tick-the-box approach is still (painfully) apparent in a lot of businesses these days. These long, cramped, dried-out sessions seem to focus more on satisfying compliance than on actually raising staff awareness. Add to this the habit of using awareness training as a penalty for bad practice, rather than an effort to educate in advance, and the thought of training sessions becomes even more unbearable for end users. With employee-focused cyber crime running rampant, security awareness training is a must.
There's a huge need for security training to be consistent, jargon-free, and targeted at all levels of the company, including the C-suite. Short, informative educational sessions on relevant and up-to-date topics are essential if security culture is really to improve. Gathering metrics is essential for determining how effective the training has been and where you need to improve.
Simulating phishing campaigns against your users is a great way of finding which departments score lowest, as well as which individuals are most susceptible to clicking links. Treat the results as a guide to where to focus teaching, not as a stick to beat people with, or reporting of real phishing attempts will dry up.
Putting the effort and resources into getting your security awareness programme off the ground is a great start, but it only goes so far. Security training is a lot more likely to fail if there isn't a strong and consistent tone delivered from all parts of the business.
After all, gone are the days of cyber security weighing on the shoulders of IT in isolation; cyber security is now a company-wide issue. Security representatives working with stakeholders from various departments can build a full culture of cyber security.
Execs must also share the same support and enthusiasm for reaching security goals as their IT leaders. In the long run, this can increase the security posture of a firm and has the nice byproduct of giving the security team a reputation for being credible.