If you are not educating your employees on cybersecurity best practices, you are missing the biggest opportunity for improvement in your entire cybersecurity profile. Your employees have business-need access to a lot of important data, and their ability to protect that data—or to inadvertently let it walk out the door of your organization—is strong.
Lack of education was at the heart of a number of incidents of a major security breach. You have probably heard about the new HR employee that got an email from the president of the organization asking for all the W2 information on every employee, so that person sent them exactly as instructed. The employee did not recognize the fact that the email came from a hacker impersonating the CEO, and a major security breach took place.
Entire business models are based on this kind of fraud. Let’s pretend that I am going to build a site with the world’s best collection of cute pet pictures. I’ll give you the first 10 for free (and those 10 are the most adorable pictures you have ever seen), but to see more, you need to set up a username and password. The access is still free, though.
No big deal, right? Wrong. In this scenario, I own this website and I am a criminal, and my business model is to try to use the username and password you just entered at every major banking website, on all major email providers, on your company’s VPN portal, and anywhere else that I think you might have used the same username and password. I will then extract any valuable information I can from those sites, sell the information for a profit, possibly ransom your own data from you to make even more money, and then move on to the next victim.
Need some numbers to illustrate why educating your employees about cybersecurity practices is important?
- Per IDG’s 2016 Global State of Information Survey, 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
- According to the Ponemon Institute, 60 percent of employees use the exact same password for everything they access. Meanwhile, 63 percent of confirmed data breaches leverage a weak, default, or stolen password.
So where can your company start? Start with a training program. Your employees need to be educated on cybersecurity best practices. One of the issues that any cybersecurity awareness training program should address:
Implement real password policies.
There’s no easy way to say this, so I’m just going to say it: Passwords stink. They are no fun to create, no fun to remember, and no fun to type in. That being said, passwords are still the most common authentication method today. It is imperative to implement a password policy requiring complex passwords that can’t easily be guessed, and end-user training to go along with it. Microsoft’s Active Directory “require complex passwords” setting is a start, but end-user training is also mandatory.
Many users use the same passwords for every online system they need a password for. This is a problem. If one site gets hacked, cybercriminals will try your credentials at all common websites, and possibly at your business’s VPN. It is imperative that your cybersecurity awareness training program encourage your team members to use different passwords for different sites, and especially for any system that your company uses.
Most companies have some sort of safety guidelines that their employees must follow or be aware of and cybersecurity should be no different. There are a number of companies that specialize in this type of training, and they may or may not be a good fit for your company culture. Picking the right type of training is critical; having a good cultural fit is more important than the actual content. Be sure to do proper due diligence to ensure that the training content offered by the company or companies you are considering is a good fit for the culture of your company.
The important message here is that you already know you must train your employees on certain things in order to have them perform their job functions. Cybersecurity is one of those things. If you are uncertain as to how to structure a cybersecurity training program, find an advisor that can help you.
Questions to explore this topic further with your company’s leaders:
- When was the last time you were trained on cybersecurity? What did you take away from it?
- Do your team members who have access to sensitive data get additional training above and beyond those who do not?
About the Author
Bryce Austin is the CEO of TCE Strategy, an internationally-recognized speaker on emerging technology and cybersecurity issues, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. With over 10 years of experience as a chief information officer and chief information security officer, Bryce actively advises companies across a wide variety of industries on effective methods to mitigate cyber threats. For more information on Bryce Austin, please visit www.BryceAustin.com.