As security awareness training continues to grow, so too does the number of successful breaches caused by human error. Here are the main steps to building a culture that empowers your employees to protect your company from breaches.
A glance at recent tech headlines will leave you inundated with the latest data breaches, including last weeks announcement of the mountains of data exposed by Equifax.
Nowadays, security is widespread and mainstream, but security culture is falling far behind. The focus is paid mainly to securing technology, with end-user training and awareness often seen as an afterthought. The simple fact is, this mindset is continuing to harm the online safety of many of us.
For the protection of clients, consumers and employees, a cyber security culture should be an important business function of any company, regardless of size.
So, to help you build a cyber security-minded workforce, we've put together 4 of our top tips...
Some of the most common cyber attacks and data breaches can be avoided through simple security measures. The problem is, a lot of organisations often forget to train employees on basic security hygiene.
CompTIA found that a massive 50% of employees have never received security training from their employer. Taking measures such as the ones we recommend below is vital when creating a security-minded culture.
Did you know...
Every 4 seconds a business falls victim to a cyber attack.
A) Have a Strong Password Policy
Pet names, re-using old passwords, and post-it notes: no, nope and absolutely never. Employees need to understand why having a complex password is hugely important, and how it can block potential cyber criminals.
B) Enable Two-Factor Authentication (2FA)
2FA has had its fair share of criticism from employees in the past. Often labelled as “inconvenient”, this added level of security might require an extra step when logging in, but the protection it boasts is surely worth it. Encouraging employees to use 2FA or MFA (Multi-Factor Authentication) might just reduce some of those unneeded risks.
C) Monitor and Enforce
Employees only need access to certain software and systems, so restricting users to this is important for limiting risks. If any suspicious signs pop up (like unusual login time), then this should be logged and flagged. Rules for terminating or disabling access when an employee leaves or is on holiday must also be put into practice.
The old once a year tick-the-box approach is still (painfully) prevalent in many businesses. But these long, cramped, dried-out sessions seem to focus more on satisfying compliance, rather than actually raising staff awareness. Add this to the issue of making awareness training a penalty of bad practice, rather than an effort to educate in advance, then the thought of training sessions become even more unbearable for end users. With employee focused cyber crime running rampant, effective and engaging security awareness training is a must.
Security training needs to be consistent, jargon-free, and targeted towards all levels of the company - even the C-suite. Short, informative educational sessions, accompanied by relevant and up-to-date topics, are essential for security culture to really be improved. Gathering metrics is essential when determining just how effective this training has been, and where you might need to improve.
Simulated phishing campaigns against your users is also a great way of finding which departments are scoring the lowest on their cyber security practices, and which individuals are more susceptible to clicking suspicious links.
Putting effort and resources into your security awareness program is a great start, but it only goes so far. Security training a lot more likely to fail if there isn’t a strong and consistent tone delivered from all aspects of the business.
After all, gone are the days of cyber security weighing heavily on the shoulders of IT in isolation-- cyber security is now a company-wide issue. Security representatives working with stakeholders from various departments can allow for a full culture of cyber security.
Execs must also share the same support and enthusiasm for reaching security goals as their IT leaders. In the long run, this can increase the security posture of a firm and has the nice byproduct of giving the security team a reputation for being credible.
As the technology around us advances, the threats in the cyber world also grown and adapt. Take a look at the new-look mobile workforce. We’re now able to use our devices pretty much anywhere we go. But working from home, or from coffee shops and hotels, brings about some serious security risks that aren’t given the attention they deserve.
Keeping your employees updated with the changing threat landscape is vital. New techniques tailored to phishing and social engineering continue to fool users into parting ways with sensitive information. This only adds to the need for regular training sessions, rather than the one-per-year approach we continue to see.