The greatest tragedy with scientific and technological advancement is that it advances at a much faster rate than does society’s collective wisdom. This is what Isaac Asimov essentially said a few decades ago when commenting on the relationship between science and society.
Fast forward to today, the internet has become an essential component of pretty much every aspect of modern life from the personal sphere to the professional. Despite our increasing dependence on the internet, it is surprising that cybersecurity awareness remains largely ignored.
On a personal level, an individual might be excused for having no understanding of good cybersecurity practices. But on a corporate level, the negligence of companies and refusal to promote cybersecurity awareness among employees is stupefying to say the least.
According to a report published by Chubb, only 31% of the employees surveyed reported having received company-wide cybersecurity education and training.
As the COVID-19 pandemic increases the need for online connectivity for most businesses, the increased risk of security breaches is too high to be taken lightly. This is therefore a critical moment for businesses. If the importance of cybersecurity training and awareness continues to be played down, companies will bear the brunt of digital attacks. In an unstable economy, this could have devastating consequences.
My aim in writing this article was to play a small part in promoting a sense of urgency about the need for companies to invest in cybersecurity training of their employees. Rather than building arguments in favor of my thesis, as is my usual style when writing pieces on such issues, I instead decided to invite security professionals and share their insights about this pressing but often ignored issue of our times.
What follows are the thoughts of various industry professionals, to whom I am indebted for sharing their insights with us.
Why Cybersecurity Training Is Important (According to Experts)
Nancy Sabino – CEO and Co-Founder of SabinoCompTech
Employees are going to be the first line of defense in combating the cybersecurity threat. If they are not privy to what the threats are, how to notice them, and what to do about them, they become a risk rather than a source of prevention. When you assess risk in your organization, having employees that are knowledgeable and aware of what they are looking for and how to quickly respond if something were to happen would move the dial significantly toward lowering your risk. Establishing prevention is always best versus dealing with remediation, which can turn out to be extremely costly and time-consuming.
I personally take the ongoing training my firm provides to continue sharpening my skills and keeping up with new trends as they appear. We also offer this to all of our clients so they can help us with being proactive. It has absolutely been worth it because the awareness alone has curbed the number of clicks that happen in emails as well as the amount of data entered into phishing emails, etc.
John Svazic – Founder and Principal Consultant at EliteSec
Like it or not, employees remain the #1 vector for malicious parties to go after when they want to gain access to your company. From the usual phishing emails to “vishing” (voice phishing), they will prey on an employee’s good nature to get access to an organization’s data, finances, or trade secrets.
I have both taken and given cybersecurity training for many years, and I can say that it’s indispensable if done correctly. Don’t just give your end users a 30 minute video or computer-based training module – provide them with examples of what can happen if they fall for one of these emails. What’s the downstream effect? What can happen to the individual? This is far more useful than just telling employees: “Don’t click on links or download attachments from suspicious emails.”
Steven Weisman – Cybersecurity Expert and Professor at Bentley University
Companies are only as secure as the employee practicing the least amount of cybersecurity. Cyberattacks such as ransomware, data breaches and the theft of important intellectual property, as well as business email compromise, can have devastating effects on companies. I am a cybersecurity expert and professor at Bentley University where I teach White Collar Crime. I also write the blog Scamicide, where each day I provide newly updated information about the latest cybersecurity developments.
At Bentley, cybersecurity is a priority, and training, in particular to recognize spear phishing emails and practice important cybersecurity basics, such as not clicking on links unless they have been confirmed to be legitimate, is continually stressed. When such training is done in a non-judgmental and helpful manner, it is very effective.
Andy Sauer – Cybersecurity Expert at Steel Root
Cybersecurity awareness is important for employees in an organizational setting because COVID-19 has changed the landscape entirely, making cybersecurity a much bigger business threat than ever before. This is due to the significant increase in people who are teleworking, which leads to the following factors:
- Behavioral changes: Working off site, employees tend to be more relaxed and more likely to let their guard down – perhaps even answering emails designed to provide data access to hackers. Also, with stress levels increased, staff might be more inclined to be reactive and less strategic in their actions.
- Situational changes: Working in disparate locations, security instructions and access rules can fall through the cracks. This can result in less stringent oversight of transactions and other key workflows.
- Technological changes: Suddenly companies are forced to extend their firewalls beyond the physical boundaries of their office. Company systems are being accessed from a wide range of devices, even personal devices. These changes can lead to compromise, data sprawl and other challenges.
Chris Silbaugh – VP of Business Development at CyberKnights
I have been involved in taking part in cybersecurity training as well as providing the training, and the most important part of appealing to the audience is to help them understand the negative impacts such as lost or stolen personal information, business-related information, and lawful penalties that result in a financial loss. Help people understand the consequences first so that they take the time to learn how to prevent such consequences from occurring.
Steven M. Solomon – Vice President at SecurIT360
Cybersecurity awareness reduces the risk of a high impact security incident that can damage the business. In my experience, delivering security education and awareness training is a valuable activity that is seen by many business leaders as a cost avoidance. It formally reminds employees that there are important security policies and procedures to consider when performing work and defines the consequences of failing to follow good cyber hygiene. With the prevalence of threats and the high costs of security incidents, employees should be vigilant in their daily activities.
Cindy Murphy – President of Digital Forensics at Tetra Defense
Awareness programs and employee security training initiatives are critically important for protecting the sensitive data that organizations possess. I am an advocate for providing cybersecurity training so that employees are set up to recognize malicious activity. For example, scammers are still predominantly using email to deceive their victims. What’s new in this era is the fraudulent messaging within the emails: the CDC asks for donations in Bitcoin. Your COVID-19 Tax Relief Documents are available on this (fake) website. A doctor from the World Health Organization has “drug advice” if you click here. This is social engineering at its worst — and unfortunately, it’s more likely to work in these uncertain times.
People haven’t become more gullible in the past three and a half months; they’ve become used to big changes in small messages. When the next news headline could be a matter of safety or sickness, it’s much easier to believe information that appears right in your inbox.
Mark Soto – CEO of Cybericus
One of the biggest reasons why cybersecurity awareness is important for employees is due to the fact that the vast majority of data breaches (varies between 60-80% depending on the source) are due to internal employee errors, and nearly 30%-40% (same variance as above) of data breaches are due to malicious internal employees. Your employees need to be aware of the basics of cybersecurity and of cyber dangers outside the company as well as inside of it. We usually work with companies once they’ve been attacked, but we would definitely consider cybersecurity training worthwhile.
You can spend millions of dollars on the best, most highly advanced cybersecurity software for your company, but if your employees aren’t knowledgeable enough on the best practices, you’re just wasting your money. There is only so much software can do to prevent attacks due to human error, and if your employee doesn’t know why they shouldn’t plug random USB sticks into their computer or click on random email links from shady email addresses, then you’re bound to get hacked no matter what type of software or technology you’re using.
Marty Puranik – President & CEO of Atlantic.net
A major trend that we are now seeing that didn’t really exist years ago is employee cybersecurity training. This should be a part of your company culture, and the more widespread it is at your company, the more people will buy into it. Try having your CIO or IT manager included during the onboarding process to really drive home to new employees the importance of security at their new place of employment. For long-time employees, ensure your message is being passed on through their team leaders. Try to stay away from long emails and memos, of which a lot of employees will skim the first couple of sentences before deleting.
Instead, try creating some videos, or maybe hang up some infographics in main areas of the office, like the break room, near the water fountain, and even in the restroom. Even if your employees aren’t that interested in security, repeatedly reading phrases and actions in visual form will help them remember said messages when something out of the ordinary occurs online.
Nick Santora – CEO of Curricula
According to various reports, there’s been a 500% increase in cyber attacks since the Coronavirus outbreak. Hackers and bad actors are taking advantage of this unfortunate time we are all going through. We have seen so many phishing attacks targeting employees that are now part of a massive remote workforce, and the lack of cybersecurity training is apparent.
The #1 most effective cybersecurity strategy is to train your employees at every level in the company on what to look for in a suspicious email, potential phishing scam, or even a ransomware attack.
Dr. Al Marcella – CISA, CISM, President of Business Automation Consultants
We used to say “knowledge is power,” however, in our globally connected, always on, 24/7, information-dependent world, data are a commodity – data have value. It is no longer knowledge that begets power but, today, “information is power.” An employee who does not act responsibly to protect and secure the organization’s information assets, invariably puts the organization at risk…financially, competitively, legally.
I have been providing cybersecurity training for over 35 years. Training that makes an employee stop and think before they click on an external email, provide information to a caller, open a web link, scan a QR code or take any action that could potentially place themselves or their organization at risk is positive, receptive, timely, and proactive training.
Cybersecurity Is Not Only for IT/Technical Staff
I have noticed that, a lot of the time, discussions around cybersecurity training tend to assume that it’s only the technical staff who need to be well-versed in security best practices. But this ignores the fact that even if the people responsible for designing a company’s networks do a thorough job of minimizing the risks, all it takes is one person in the company clicking the wrong link to undo all that.
There is a need to kill this idea and make cybersecurity awareness an all-inclusive program. Here’s what some experts have to say about this issue:
Dr. Tom Keenan – Professor at the University of Calgary
Even receptionists need cybersecurity training and awareness!
I will never forget the “Social Engineering Challenge” at DEF CON a few years ago where the goal was to extract information from car dealerships, supposedly because they were going to be featured as a bogus “Dealer of the Month”.
Receptionists gave up things like “what version of Windows does your company run?”, “What’s the name and email of your Chief Financial Officer?”, and even “What day is your garbage collected?”, all useful to hackers and identity thieves.
So, when I go to a company to do cybersecurity awareness training, I usually have a nice chat with the receptionist and can then tell the CIO and CEO all kinds of interesting things about their company. Works every time!
Steve Harrington – Vice President of Marketing at Cygilant
The whole company should be trained. Breaches can start with the CEO or the stockroom technician. All cybercriminals need is a way into the network and they don’t care where that entry point is made.
Gabe Turner – Cybersecurity Expert at Security.org
I believe the training should be focused on any kind of employee that uses electronic devices for company-related purposes, especially if they use the Internet. While IT people will obviously be brought in if there are any data breaches, training employees themselves is a preventative measure versus a reactive measure, lessening the business’ chance of having a data breach in the first place.
Ilia Sotnikov – Vice President of Product Management at Netwrix
Regular training sessions for all teams, from IT staff to non-IT employees, will help your staff better understand how they should react to hackers’ activities. For example, if you include information about phishing and the most recent scams, there is a chance that workers will not click on suspicious links in emails and will send these messages to the IT team.
Moreover, these training sessions will help employees at all levels and from all departments understand that they are personally responsible for the security posture of the organization, which may help them be more vigilant. This might not fully eliminate the risk of data breaches, but you will certainly have a better workplace culture and your data and systems will be more protected.
Darren Deslatte – Vulnerability Operations Leader at Entrust Solutions
Your business’ cybersecurity training program should absolutely encompass all employees. Nearly 90% of cyberattacks are caused by human error or negligence. One of the best ways to beat those odds is to ensure that everyone at your organization understands their responsibility in keeping your company cybersecure, from the CEO to the remote contractor.
Key Topics to Be Included in a Cybersecurity Training Program
For a cybersecurity plan to be effective, the training program should be suitably designed to include topics that effectively contribute to employee awareness without making them feel overwhelmed. This is the general consensus of the experts who gave their views on this topic:
Mihai Corbulea – Information Security Consultant at StratusPointIT
Studies reveal that 45% of entry-level employees don’t know if their organization has a cybersecurity policy in place. The main issues organizations face when it comes to cybersecurity are poor user practices, lack of knowledge, and weak access management. All employees should be trained to use virtual private networks, access encrypted URLs only in order to connect securely, and always log in to shared drives using multi-factor authentication or a physical token in addition to the regular password to get access to shared business data.
As you probably know, the email service is still the most common delivery method for malware which means that the human component is still the weakest link in the security chain and that’s because they don’t know what to expect, what an attack looks like, etc.
All employees should be educated in regard to email security and business executives should begin using training platforms for that. Ensuring that all employees access their work email from secure devices, preferably not their personal devices, and that they don’t open unsolicited emails or download suspicious attachments is paramount.
Chris Silbaugh – VP of Business Development at CyberKnights
There are a variety of cybersecurity topics that employees should be trained in, and it should ultimately depend on the position that the employee is in. As an example, technical/IT department staff should go through more rigorous training, given that they are tasked with the primary responsibility of managing the company’s network in some shape or form.
Employees who are more of an average user of the company’s network should have another form of training that focuses on a simpler approach towards managing the security of the domain. Finally, the training should not be in long formats that enable the employee to lose attention quickly. The training should be conducted frequently, but shorter in duration. The culmination of a year’s worth of training will prove to be a better process than a couple of hours dedicated at one time.
Nick Santora – CEO of Curricula
Some key cybersecurity awareness training topics would be:
1. Phishing – The majority of cyber attacks against an organization will come through email phishing. Employees need to understand how to identify a phishing attack and defend against it by not clicking suspicious links in an email.
2. Password Protection – Employees should understand how to create strong passwords, such as not using passwords that are easy for someone to guess like ‘1234’. They should also understand the risk of password reuse between personal and corporate accounts, how to use a password manager (‘vault’), and learn why passwords are so important in protecting their online accounts.
3. Information Security – “InfoSec” is all about protecting your organization’s digital information assets. Employees should understand that accessing information is a privilege and ‘need-to-know’ access should be practiced at all times. Sharing sensitive data outside of the organization must be taken very seriously and employees should know your organization’s policy for protecting information.
4. Ransomware – Ransomware is malicious software that encrypts data on a computer until a sum of money is paid to the hacker, and it’s one of the most popular threats targeting businesses across the world. If the ransom is not paid, your computer and all of its data are unrecoverable. The best way to defend against ransomware is to prevent it from happening in the first place.
Dr. Al Marcella – CISA, CISM, President of Business Automation Consultants
Data are an asset – and have value to the company. Employees need to be trained to consider data a critical corporate asset that must be protected.
Cyber-risk. Who are the threat actors seeking to gain unauthorized access to the company’s critical data assets? What are the vulnerabilities within the company that a threat actor could take advantage of? What is the possibility of the threat actor taking advantage of the vulnerability? What is the impact (financial, legal, reputational) to the organization, if this were to occur? What is each employee’s role in mitigating these cyber-risks?
Network Security. Employees should only connect to the Internet and company networks via a Virtual Private Network service, thus keeping employee exchanges private.
Encryption. Educate employees on implementing and consistently using strong encryption protocols to protect critical organization digital data assets.
Cyber hijinks. Consistent training and updated information on increasingly sophisticated scams, phishing attacks, social engineering ploys, bogus emails and tempting websites…all designed to lure an employee into disclosing, clicking on, acting upon or responding to, fictitious, contrived and deceptive information.
David Shrier – Program Director of Oxford Cyber Futures from the University of Oxford in partnership with Mastercard
Employees need to be trained on a core of cyber hygiene, and have a greater awareness of broader issues such as data security and privacy, and cyber ethics – all of which create risk and open up opportunity for enterprises. Oxford Cyber Futures, for example, first builds a strong cyber foundation, and then extends into digital identity, predictive AI, open banking, and other growth areas.
For an enterprise to effectively collaborate on cyber, it needs to build cyber capacity across all functional areas in the organization, not just the IT staff. All too often, cyber is made impenetrable or scary in terms of how it is taught, so in our programme with Oxford we’ve sought to de-mystify the complexity, and help business professionals understand the potential for tangible impact on revenue and profit.
Tom DeSot – EVP & CIO of Digital Defense, Inc.
“Sadly, the most common and detrimental thing that many companies are doing wrong when it comes to training employees on cybersecurity is a big one – they’re not doing it at all.
While employees are getting some sense of what to look out for when they do receive training, the threat landscape changes so quickly, the information becomes obsolete within weeks or months and, without regular reminders, it is out of the employees’ minds quickly.
After a cybersecurity training program is put in place, there needs to be policies and procedures put in place to enforce what is being learned. I rarely see companies doing this which means employees are not being held accountable for skirting proper procedures that would normally protect their company from different cyber-threats. Companies also need to have regular cybersecurity training programs and refresher courses – training updates should be done monthly and throughout the entire year.”
Heinrich Long – Privacy Expert at Restore Privacy
When it comes to cybersecurity training for employees, I would strongly recommend using a professional, third party training provider. If you’re unable to find a good fit for your company, then it’s important to cover the following topics:
1) Identifying the potential online threats and risks to your business.
2) The processes and tools required to prevent data breaches, including document management, password and security hygiene.
3) Safe internet use and how to identify suspicious links.
4) Safe use of email and how to avoid phishing.
5) Responsible use of social media.
6) Safeguarding company hardware such as laptops, desktops and handheld devices.
It’s important to empower your workforce to identify common cyber threats and provide them with the tools to prevent data breaches.
Fostering a Culture of Cybersecurity Awareness and Best Practices
Andrew Ryan – Founder & Director CEO of Newtec Services
At Newtec Services, we consider anti-virus or anti-malware software step one for businesses that want to keep their data safe. Managers must also take the following precautions:
- Ensure that all their software is up to date. We recommend cloud-based security to our clients.
- Implement end-to-end security. That means making sure that all data, including messages, video, etc., is fully encrypted.
- Train employees to keep up with more stringent security requirements. Go beyond internal security policies and train employees on in-depth security specific to each worker’s role.
The basic remote worker tech stack needs to include these things to boost security:
- Endpoint security
- Virtual Private Network
- Mobile security
Joseph Stornelli – Founder/CEO of JS Technology Group
Employees that are savvy and aware create a more secure environment than the toughest of corporate firewalls. A culture of skepticism is key. Do I know the sender of this email, or the originator of this request? If no, am I prepared to research thoroughly, through multiple independent sources (including and especially a call to a verified number) before I proceed with a request? If yes, am I prepared to confirm anyway, via phone or encrypted message, the details of the request, both for accuracy, and verified sender? Employees must be bloodhounds when it comes to the authenticity of email requests, and must complete verification promptly but thoroughly to avoid interrupting normal deal flow.
Steve Tcherchian – Chief Information Security Officer at XYPRO
For a cybersecurity program to become successful, the following are key components:
- Top down support. If the initiative isn’t important and supported at the highest levels of the organization, it’s doomed to ultimately fail. Cybersecurity awareness is no longer just “an IT problem”. It’s a business risk and needs to be treated that way.
- Engage your employees. Give them ownership of the process. Make them part of the solution. Employees are always more engaged and supportive of the initiative if they feel they have skin in the game.
- Gamify the process. Make it fun. Everyone loves competition, and a healthy process to gamify the experience will ensure you’re getting most people’s participation – even the naysayers.
David B. Rounds – CEO of NetEffect
Cybersecurity awareness is an important topic these days. How do you ensure that your employees are cyber aware? It starts from the top, and it is just like any other policy or process that a company has. There should be an awareness and focus on security at the executive level. The concerns should be articulated in conversations with all staff down to the most basic employee only using systems for email or access to one company application. This is the foundation for all company culture.
You also need to have a training program. Whether it is something delivered in house by knowledgeable employees or HR, or better yet businesses can find a cybersecurity awareness program. There are many out there. Some are as inexpensive as a few dollars per month per user. These programs can include things like short 2-5 minute “Micro-Trainings,” simulated email phishing attempts, and even tracking of employee cybersecurity awareness and company policy acknowledgment monitoring for any company policies.
It can be fun as well! Some of the systems show anonymous security scores where the employees can compete to see who is the highest.
Chloé Messdaghi – Vice President of Strategy at Point3 Security
Phishing your own company is a good best practice. I’m a strong believer in making sure people know what phishing is and how to keep an eye out for it. Have someone do a phishing test. There are companies you can hire to help with this, and help implement a cybersecurity training and awareness program. I would suggest phishing your team throughout the year, and have your teammates do the same thing; for example, set up a fake persona (an email account that is under your boss’s name, with permission of course!) and send emails to team members saying they are doing such great work and here’s an Amazon gift card, just click the link (a non-malicious link, but something that tracks if the link was used)…
Many people think implementing security practices is a lot of work. The fact is that if an attacker can get to just one of your employees, they can have access to your operation and confidential information, so the amount of work that might be involved is worth it to avoid a potential catastrophe. Make sure your employees understand this to the fullest. Conduct phishing tests like a game, get employees involved “playing” while still reinforcing the importance of being aware and staying secure not only as an individual, but as one potentially vulnerable part of the company as a whole.
If you’re not overwhelmed with all the advice and insights from the experts above, here’s a concise list of tips that every employee and organization should be following in the interests of good cybersecurity practice:
- Keep your desk clean.
- Do not use your personal device for business.
- Manage your data, and use external storage solutions.
- Practice safe internet habits.
- Be very careful with your passwords.
- Limit how much you share on social network sites, and be aware of their vulnerabilities.
- Watch out for email scams.
- Be aware of what malware is.
- Lastly, always get expert advice from an IT pro if you question something that seems out of place.