If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for improvement in your entire cybersecurity profile. Your employees have business-need access to a lot of important data, and they are just as capable of protecting that data as they are of inadvertently letting it walk out the door of your organization.
Lack of education has been at the heart of a number of major security breaches. You have probably heard about the new HR employee who got an email from the president of the organization asking for the W-2 information on every employee, and who sent it exactly as instructed. The employee did not recognize that the email came from a hacker impersonating the president, and a major security breach took place.
Entire business models are based on this kind of fraud. Let’s pretend that I am going to build a site with the world’s best collection of cute pet pictures. I’ll give you the first 10 views for free (and those 10 will be the most adorable pictures you have ever seen), but to see more you’ll need to establish an account, with a username and password. Access is still free, though.
No big deal, right? Wrong. In this example, I own this website and I am a criminal, and my business model is to try the username and password you have entered at every major banking website, at all major email providers, on your company’s VPN portal, and anywhere else I think you might have used the same username and password. Then I will extract any valuable information I can from those sites and sell it for a profit. I may seek even more money by ransoming your own data back to you before I move on to the next victim.
Here are some numbers to illustrate why it’s so important to educate your employees about cybersecurity practices:
• Per IDG’s 2016 Global State of Information Survey, 48% of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
• According to the Ponemon Institute, 60% of employees use the exact same password for everything they access. Meanwhile, 63% of confirmed data breaches leverage a weak, default or stolen password.
So where can your organization begin? Start with a training program. Your employees need to be educated on cybersecurity best practices. One of the issues that any cybersecurity awareness training program should address is passwords.
Simply stated: you must implement real password policies. There’s no easy way to say this: passwords stink. They are difficult to create, sometimes impossible to remember, and frequently frustrating to the people logging in. Nevertheless, passwords remain the most common authentication method today. It is imperative for the organization to implement a password policy that requires complex passwords, ones that cannot be easily guessed, and end-user training to go along with the policy. Microsoft Active Directory’s “Password must meet complexity requirements” setting is a start, but end-user training is mandatory too.
Many people use the same password for every online system that requires one. This is a problem. If one site gets hacked, cybercriminals will try your credentials at all common websites, and possibly at your business’s VPN (an attack known as credential stuffing). Your cybersecurity awareness training program must encourage your team members to use different passwords for different sites, and especially for any system that your organization uses.
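The two controls described above, a complexity policy and a defense against reused or already-leaked passwords, can be enforced at the point where a password is set. The following Python is an added example written for this page, not code from the article or from Microsoft; it implements the five character categories and the account-name rule that Active Directory’s complexity setting documents, adds a minimum length of 14 (an assumed policy, not one the article states), and rejects any password found in a denylist. The denylist here is a small constructed stand-in for a real breached-password corpus, and the function names are this example’s own.

```python
"""Password policy check: Active Directory-style complexity rules plus a
breached-password denylist. Added example; not from the original article."""

import re
import unicodedata

# Constructed denylist standing in for an offline copy of a real
# breached-password list. Entries are stored lower-cased so that lookups
# are case-insensitive.
BREACHED_PASSWORDS = {
    "password", "password1", "welcome1", "summer2016!", "letmein",
    "qwerty123", "p@ssw0rd", "changeme", "iloveyou", "football",
}


def _ad_categories(password: str) -> int:
    """Count how many of the five categories used by Active Directory's
    'Password must meet complexity requirements' setting are present:
    uppercase, lowercase, base-10 digits, non-alphanumeric characters, and
    other Unicode letters that are neither upper- nor lowercase (e.g. CJK)."""
    upper = lower = digit = symbol = other_alpha = False
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            upper = True
        elif cat == "Ll":
            lower = True
        elif "0" <= ch <= "9":
            digit = True
        elif cat.startswith("L"):
            other_alpha = True
        else:
            symbol = True
    return sum((upper, lower, digit, symbol, other_alpha))


def _contains_name_part(password: str, username: str, full_name: str) -> bool:
    """Active Directory rejects a password that contains the account name, or
    any part of the full name longer than two characters (the name is split
    on commas, periods, dashes, underscores, spaces, '#' and tabs).
    The comparison is case-insensitive."""
    lowered = password.lower()
    if username and username.lower() in lowered:
        return True
    for part in re.split(r"[,.\-_ #\t]+", full_name):
        if len(part) > 2 and part.lower() in lowered:
            return True
    return False


def check_password(password: str, username: str, full_name: str = "",
                   min_length: int = 14, breached=BREACHED_PASSWORDS) -> list:
    """Return the list of policy violations; an empty list means the
    password is acceptable. min_length=14 is this example's assumed policy."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if _ad_categories(password) < 3:
        problems.append("uses fewer than 3 of the 5 character categories")
    if _contains_name_part(password, username, full_name):
        problems.append("contains the account name or part of the full name")
    if password.lower() in breached:
        problems.append("appears in the breached-password list")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a user 'jsmith' whose full name is John Smith.
    samples = [
        "Summer2016!",                  # complex enough, but short and breached
        "correct horse battery staple", # long, but only lowercase and spaces
        "JohnSmith2024!Login",          # contains part of the full name
        "Tr0ub4dor&3-Velvet-Quasar",    # passes every check
    ]
    for pw in samples:
        result = check_password(pw, "jsmith", "John Smith")
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

Note that a denylist check is what actually blocks the reused-password problem: a password can satisfy every complexity rule and still be one that attackers already hold from another site’s breach, so the complexity setting alone is not enough.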
Most organizations have safety guidelines that employees must follow or be aware of, and cybersecurity should be no different. A number of vendors and services specialize in this type of training, and they may or may not be a good fit for your organizational culture. Picking the right type of training is critical; a good cultural fit matters more than the specific content, so do proper research and preparation when selecting a training package.
The important message is this: you already know that you must train your employees properly and effectively for them to perform their job functions well. You must also train them in the principles and methods of cybersecurity, because cybersecurity is one of the things they must know well in order to meet their performance goals.
If you are uncertain how to structure a cybersecurity training program, find an advisor that can help you. If you are uncertain how to convince your organizational leaders of the importance of cybersecurity, try asking these questions:
• When was the last time you were trained on cybersecurity? What did you take away from it?
• Do your team members who have access to sensitive data get additional training above and beyond those who do not?
The conversations that follow will be the start of making your organization cyber-secure.
Bryce Austin is the CEO of TCE Strategy, an expert on emerging technology and cybersecurity issues, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. He has over 10 years of experience as a chief information officer and chief information security officer, and he actively advises companies on effective methods to mitigate cyber threats. Contact him via LinkedIn, or visit www.BryceAustin.com.