Your business could have world-class firewalls, anti-virus software, and other cyber security programs installed on your network, but that’s still not enough to prevent data breaches, cyber attacks, and internal threats. According to a 2016 Ponemon Institute study, 55 percent of small businesses said they’ve experienced a cyber attack in the past 12 months. In addition, 50 percent said they’ve fallen victims to a data breach within the last year.
The cause of the majority of SMB data breaches isn’t malicious hackers or cyber criminals targeting your data. The Ponemon survey found that 41 percent of SMBs were impacted by mistakes made by negligent employees, contractors, and third-parties.
Incorporating cyber security training for employees is critical to your business’ security infrastructure. It is the most effective way to combat poor password practices, successful phishing attempts, and other cyber threats that could put your business at risk.
We asked five cyber security experts about what every business owner and IT manager should know about introducing cyber security awareness training for employees to their organization.
Expert Tips on Cyber Security Awareness Training
Take notes! We asked these experts important questions about what every business owner, executive, and IT manager should know about investing in an effective cyber security awareness training program:
“Why should organizations consider a cyber security awareness training program?”
Users are a key element in cyber security and when they are improperly or inadequately trained it creates a massive gap in your defenses that can allow hackers and easy way in that bypasses most or all of your security controls. This modern era of cyber attacks requires users to engage in the cyber defense of the organization. The biggest mistake I see most companies make is thinking that good cyber defenses can be accomplished through technology alone. Organizations need to make a serious investment into their human assets if they truly want to be secure. -Joshua Crumbaugh
Employees are being constantly targeted by the bad guys and are unfortunately falling for the phishing emails and scams in very high numbers. This is resulting in data breaches, ransomware infections, significant monetary loss and the loss of sensitive information such as employee W-2 forms. The best way to combat these is to train your users to identify these attacks before they click a link or download software. – Erich Kron
You need to protect your employees at work and outside. Think of your employees as your own children. They might be safe at home, but it is outside that they should be protected the most. Same with your employees. When they are at work, using company tools, they are fine. But when using personal tools on an unprotected network then they are at risk. When your employees are at risk, then so is your business. You also need to be able to enforce policies. You should trust your employees, but it does not mean you should not check whether they are doing what you asked them to do. Asking your employee to use strong and unique password is not enough, you need to be able to monitor whether they are actually doing it and make sure you can reach out to them if they don’t. –Alexis Fogel
“What are the potential consequences of not having cyber security awareness training?”
It’s a well-known fact that if you hire a good pentesting company that they will definitely be able to get in if your users aren’t cyber aware. I’ve personally never encountered a single cyber defense that could keep me and my teams out. The only reason these stats hold true is because users aren’t being properly trained. -Joshua Crumbaugh
Given that 91% of data breaches start with a phishing attack, if your users are not prepared to identify and avoid these attacks, your risk of a successful breach or malware attack, such as ransomware is greatly increased. In addition, many regulations and cyber insurance policies require awareness training. – Erich Kron
Small businesses can be extremely fragile, and the cost of a data breach is high ‒ in terms of both money/liability and lost access to a computer network for extended periods of time. Suffering a data breach can have a great impact on an organization. Additionally, depending on what’s lost or how it impacts your customers, a breach can do significant damage to your brand, and you could lose business because of it. -Michael Kaiser
“What topics should cyber security training for employees cover?”
Training needs to be adaptive to the need and risk of the individual. Different job functions generally come with their own set of risks and the individual should be educated accordingly. That being said there are a number of subjects that all users should be continuously educated on the biggest being secure user behavior and adaptive threat simulations such as spear phishing attacks based on data gained through threat intelligence. Users should never see the attack for the first time when they’re being targeted by the bad guys. –Joshua Crumbaugh
Every awareness program should cover how to identify phishing emails, types of social engineering scams, what it is the bad guys are after and why they are being targeted. – Erich Kron
I believe one of the most important cyber security risks to teach employees to look out for is unsecured Wi-Fi….That’s because Wi-Fi hotspots typically lack proper encryption, and/or have widely shared passwords, making them highly susceptible to hackers and leaving employees’ online activities exposed….I recommend companies not only hold a session to make employees aware of the threats but also, simplify matters by providing employees with smart, preventive security technologies for their devices. – Amit Bareket
An awareness program should always address account security, including the importance of implementing strong authentication and creating long, strong and unique passwords. Your program should also cover software patches, the need to ensure software and antivirus programs are always up to date and what websites and services (for example, personal email) are acceptable to access while at work. Additionally, if you have employees that work remotely or regularly work off premises, you should teach safe Wi-Fi practices and mobile device security. -Michael Kaiser
Deploy solutions your employees will use. I have a personal story. When I was a child, my mum used to attach a stuffed animal to the seatbelt of the car. I had to put the seatbelt on to get the stuffed animal. I did it not for security but because I wanted to play with the stuffed animal. As a company, you need to reconcile security and convenience when talking to your employees. When we help customers to deploy Dashlane Password Manager, we emphasize the fact the people won’t have to manage their password anymore, that they will be logged in in one click, that they will be more productive. When talking to an employee, don’t sell security, sell the convenience. – Alexis Fogel
“What should a business owner or IT manager expect as a result of cyber security awareness training for employees? How should they define success?”
The goal of any security awareness program should be to lower risk to an acceptable level. My opinion is that since user security poses the largest risk to organizations that the acceptable risk level should be somewhere well below 1%. Remember a hacker only needs one person in your organization to click. Even at 1% if you have 100 users get phished, someone is still likely to click. Success should be defined based on the progressive risk and cooperation in user security of the individual user. At minimal risk should take into account the following:
- Does the user understand cyber security best practices and corporate policy?
- Does the user pose a phishing risk to the organization and if so how much risk?
- Does the user actively participate in corporate security by reporting suspicious activity? (This should include – reporting of phish tests)
Business owners should see a significant reduction in phishing email click rates and malware/ransomware infections. Success can be defined by the lowered risk of a breach and the reduced time and effort spent combating malware infections. One ransomware infection will consume an average of 33 man-hours to resolve. That is time that can be better spent working on improvements to the organization’s security as opposed to reacting to events. – Erich Kron
It can be hard to measure the success of an awareness program because you might not know whether a behavior change is solely a result of your awareness efforts….Additionally, organizations can track how many employee devices require IT support as a result of malware or viruses and determine whether it goes up or down. Reporting should always be part of any awareness program. Seeing the number of incidents reported and their quality and/or type (e.g., phishing or suspicious activity on the network) is an indicator of employees’ understanding of cyber security. Awareness training is an emerging field, and organizations should always look out for upcoming trends in employee compliance and new tools they can use to improve cyber security awareness. -Michael Kaiser
“Some people may still be on the fence about investing in cyber security awareness training program. What advice would you offer to anyone hesitant about investing in such a program?”
First of all, do it! It’s essential to get started with cyber security awareness at your organization if you haven’t already done so. You don’t have to start big – even just gathering the team together for a brown bag lunch and talking about basic, core cybersecurity issues can help. Start to create a culture of cybersecurity from the top down by explaining to employees how important it is that they help protect both your organization’s networks and key company, employee and customer information. Remind your colleagues that everyone has a role in protecting the company and your stakeholders. It’s also important to have good messaging about why cybersecurity is valuable to your workplace. -Michael Kaiser
Organizations that don’t invest in security awareness are extremely susceptible to cyber attacks. Your spam filter, firewall, IPS, SIEM, NAC, app whitelisting and other security controls will not help you when the human is breached. The only way to make those tools effective is to get your users involved in cyber defense. -Joshua Crumbaugh
Every organization has data that is valuable to the bad guys, no matter how small they are. Customer records, email accounts, and employee data are all sought after and make you a target. You must have a cybersecurity program in place that includes high-quality security awareness training, a documented patching process, identity, access and password management and an incident response plan. If an organization is on the fence about a cyber security awareness training, I would advise them to get a demo of the “New School” training methods being used. These are much more effective than herding users in a room once a year, giving them coffee and donuts and subjecting them to “Death-by-PowerPoint”. Along with being more effective, it is also surprisingly inexpensive and easy to manage. – Erich Kron
Effective Cyber Security Awareness Training Strategies, According to IT Managers
Our experts offered great insight on why and how to implement an effective security awareness training program, but I also asked IT managers on Spiceworks how they effectively taught their employees or clients to be more vigilant about cyber threats. Here are some of their responses:
“Horror stories are the only thing I’ve found that has more than a 10-15% success rate.”
Nobody cares unless they understand how big of a deal it is and the easiest way I found to share that is with real world stories (preferably from related industries to your target) of bad things that happened and how they could have been prevented. The first couple things that come to mind are backups and wireless security.
When I started with a small business I found they had 0 backups. All their data was stored on one of the workstations and shared with the others. That was it. It took me 2 years to be able to implement any sort of backup plan because they didn’t want to add it to the budget (despite some very crude and cheap methods offered to at least copy the data). I heard a story where a someone geographically close (within 100 miles) had a false alarm in their server room and the fire suppression system was activated. The big problem was that the devices were not powered down prior to the suppression system activation and most of the servers, networking hardware, and storage systems were fried. All data was lost. They turned to their backups only to find that they had not been run in over 3 years. They lost everything to include payroll, everything HR, contracts, billing and payments, the whole nine yards and the only reason they didn’t go under was they were a government organization. That caught their attention and suddenly I had a budget for just about any backup plan I wanted.
The other was the WiFi. This was several years back but still…Same company. They had an open wireless network with access to that shared drive with everything (employment applications (SSN’s), a frigging password list, etc…) and I couldn’t believe the resistance I got trying to secure that network. A related organization of similar size did the same thing and that made it okay. I decided to make my own story so I went to this other organization and hopped on the “free WiFi” which sure enough had access to everything. I grabbed just enough to get their attention, told both parties what I had done and what I was able to grab (I had a working relationship with the other organization previously, maybe this wouldn’t be the best approach in all situations…) and was able to get both organizations to secure their WiFi. A little reminder of what someone with malicious intent could do with the data I grabbed didn’t hurt. Throw in Target and Home Depot since those were well covered by the media. – Aaron (Aaron5), a Small Office Network Admin, Consultant
We got full management buy in before the system went in place. It is now part of our normal certification training in house. The time it takes to watch the videos and take the test is peanuts compared to the estimated time to repair one round of damage by someone clicking something that they should not. – George M (Snufykat), 9 years of experience in IT
“For us, we regularly “share” (okay, PUBLISH) whenever a suspicious event takes place.”
So, one of our field salespersons clicked on a link and was “ransomwared” (is that a valid verb?), we shared. She lost everything that wasn’t on her self-managed back-ups (2 months old).
When another of our field salespersons received a “scare advertisement” from “Microsoft’s 800 number” that they were infected and actually called, gave them his credit card and allowed them Remote access……..(yes, I know, so many fails), we shared the outcome with the other staff. The machine had to be re-imaged AND his credit card was charged for the $150.00 that he had authorized – well, he HAD authorized the “work”! Noted that he was lucky that his card wasn’t duplicated and used throughout the region……had to get a new credit card.
We are also positioning ourselves politically to propose KnowBe4 as an addition to our onboarding training. –Victor M. (victormarquez), 31 years in IT
The moral of the story: there’s no “one size fits all” approach to cyber security awareness training for employees, but it should be a cornerstone in your organization’s security infrastructure.
Meet the Experts
Michael Kaiser, Executive Director of the National Cyber Security Alliance (NCSA)
Michael Kaiser joined the National Cyber Security Alliance (NCSA) in 2008. As NCSA’s chief executive, Kaiser engages diverse constituencies—business, government and other nonprofit organizations—in NCSA’s broad public education and outreach efforts to promote a safer, more secure and more trusted Internet. NCSA builds efforts through public-private partnerships that address cybersecurity and privacy issues for a wide array of target audiences, including individuals, families and the education and business communities.
Erich Kron, Security Awareness Advocate at KnowBe4
Erich Kron is the Security Awareness Advocate at KnowBe4. Kron is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training, and educational opportunities to succeed in InfoSec.
Alexis Fogel, Cofounder & VP of Product at Dashlane
Alexis Fogel is the staff wrangler, making sure that the product pipeline is moving forward. After school at ESCP Europe, he studied at Centrale Paris, where he met his Dashlane co-founders. Outside of work, he runs and codes the cultural site Playlist Society, plays multiple instruments and bets Martinis with everyone. Someday, he may leave tech behind and try as many other different jobs as possible.
Joshua Crumbaugh, Founding Partner & CEO at PeopleSec
Joshua Crumbaugh is the founder of PeopleSec and experienced penetration tester with an impressive background performing high-end security assessments against high profile targets. He is also an expert social engineer who has talked his way into bank vaults, Fortune 500 data centers, corporate offices, restricted areas of casinos and more. His experiences highlighted a significant need for a better “human solution.” This led him to identify key mistakes commonly made in security awareness training programs and answer the question of how “patch stupid.”
Amit Bareket, Co-Founder and CEO of SaferVPN
Amit Bareket is the co-founder and CEO of SaferVPN. Bareket is the brilliant engineer behind the VPN service designed to do two things for you: keep you safe, do it quickly and with simplicity. Amit takes on the highly complicated programming projects necessary to make your online experience simple, fast and easy as you travel beyond geo-blocks and avoid price discrimination.
Ready to protect your employees? Dashlane Business can help employees at your company or business get their digital lives together. Try it free for 30 days!