Proper cybersecurity training is without a doubt a critical defense against security breaches, noted Chris Willis of Security, a magazine that provides security industry news and trends. IT policy, firewalls, physical security, and other precautions are helpful, but teaching employees the dos and don’ts helps them support their organization’s security measures and help build a strong line of defense against threats.
However, conducting cybersecurity training is not always easy. There are roadblocks hindering organizations from teaching their workers about measures that can save them millions in cleanup expenditures and lost productivity, including the impact of threats to brand reputation and future sales.
Surveys About Cybersecurity In the Workplace
Open VPN, a VPN software solutions and services for business, surveyed 250 IT leaders from the manager level through the C-suite to find out their perspectives on the potential of remote work and the quality of their firm’s security policies on remote workers. 92% of IT leaders believed the benefits of remote work outweigh the risks, but 90% believed that remote workers pose a security threat in general. Further, 54% said remote employees pose a greater security threat than onsite employees.
73% of VP and C-suite IT leaders said remote workers pose a greater risk than onsite employees unlike 48% of IT managers and 45% of IT directors. When asked about the elements that comprise the respondents’ organizations’ remote work security policies, 74% said “require VPNs, 69% said “require sensitive data to be encrypted,” 68% prohibited work-related data on personal devices, and 66% said “require security training for employees.”
Other answers made by the respondents were “require use of password manager” (56%) and "prohibit people from bringing their own device" (38%). When asked about the frequency to require remote workers to participate in cybersecurity training, 23% answered more than twice per year, 32% said twice per year, 25% said every year, 8% stated during employee onboarding only, and 11% had an e-learning platform offering courses for employees to take as they desire.
In another survey by security firm Trend Micro involving over 13,000 remote workers across 27 countries, 72% of participants claimed to have gained better cybersecurity awareness during the outbreak, with 81% agreeing that workplace cybersecurity is partly delegated to them, reported Owen Hughes of Tech Republic, an online trade publication and social community for IT professionals.
56% reported admitting to using a non-work application on a work device, with 66% uploading corporate data to that app. This is contrary to 64% of participants who said that using non-work applications on a corporate device is a security risk. Further, 39% said they either often or always access work data from a personal data, which is almost a violation of workplace security policy.
Meanwhile, 80% said they used their work laptop for personal browsing, with 36% reporting to have restricted the types of website they visit. 85% took instructions from their IT team seriously while 34% did not consider whether the applications they use are approved by IT or not if it entailed getting work done. An additional 29% said they used non-work applications as the solutions offered by their company were “non-sense.”
What Are the Barriers to Teaching Cybersecurity?
1. Too Costly
It can be difficult for companies to allocate budget to training. It’s easy for superiors to delegate the firm’s educational needs to the HR, hoping that the department will find a way to hire the necessary talent. Superiors should consider cybersecurity training through ROI and risk management.
Businesses can also utilize free courses and webinars to educate leaders and their team about cybersecurity. However, sources should be dated within the last few years as cybersecurity is an ever-evolving field.
2. Not In the Company Culture
Letting cybersecurity become part of the company culture requires accountability from the top to enable behavior change. Organizations can show employees how a data breach will affect them on a personal level. For instance, a data breach entails reduced trust in the company, causing sales teams to struggle. Revenue loss means lower or no bonuses for employees.
3. Not Enough Time
Ransomware attacks caused an average of almost 10 days of downtime in the second quarter of 2019. But companies can prevent this by helping employees recognize the signs of a phishing scam and review their personal and professional passwords. Companies can train workers to avoid mistakes that will cost their company hours of lost productivity in as little as 60 minutes.
How to Teach Employees About Cybersecurity
1. Establish A Sense of Ownership
Workers think it’s the IT department’s responsibility to secure information, but helping them establish a sense of ownership pushes them to contribute to safeguarding company data and assets, said Saryu Nayyar of Gurucul, cited Forbes Technology Council via business news Forbes.
2. Create Strong Passwords
Don Boxley of DH2i advised that password best practices should be prioritized by organizations. Passwords should be composed of random letters, symbols, and numbers. Each password should also be unique.
3. Encourage the Culture of Verification
Vikram Joshi from pulsd recommended that employees verify with their colleagues if, for example, they receive an email from their boss asking them to change their co-worker’s bank information. If the culture of verification is built into the company, their boss will not be annoyed by it.
4. Keep Educating
End-users need to be constantly educated on good cyber hygiene, particularly about paying attention to email headers to check if it matches the actual sender, said Maria Mast of Management and Network Services, LLC. Users should also be instructed to avoid clicking on unknown links, attachments, or ads that appear genuine Lessons should not be too boring or full of jargon, said Doug Shepherd of Nios. In Shepherd’s case, he likes to show examples of actual threats that users within the company have been subjected to.
Workers have to be taught how to identify attacks and the signs of phishing such as typos or strange email domains, stated Rich Campagna of Bitglass. Malicious actors can bypass traditional security defenses and purloin sensitive company data by impersonating as legitimate entities.
Good cyber habits start from the top, enabling employees to emulate their superiors and empowering them to participate in supporting cybersecurity efforts. A culture of verification should also be built to prevent phishing attacks. A company working to bolster its cybersecurity is a great move to safeguard its employees and drive growth.