For the last few years, companies have been funneling more and more budget dollars towards cybersecurity. And for good reason. When you look at the statistics, they are frightening.
To give you an idea, here are some of the latest stats for 2018.
- More than 90% of malware is now delivered by email.
- 56% of IT specialists claim that targeted phishing attacks have become their top security threat.
- A ransomware attack will cost a company an average of $5 million.
- The average time it takes an organization to find and identify a data breach is 191 days.
- 25% of all companies now have a dedicated security department.
As a business owner or leader, what can you do to prioritize cybersecurity training within your company?
Lead by Example: First, you need to lead by example. Paying attention to cybersecurity isn’t a one-time thing. It’s like maintaining your health—you need to continuously monitor and improve upon it.
Keep cybersecurity as a priority, and make sure you talk about it throughout all levels of the organization. Then practice what you preach.
Clearly, this means getting buy-in from the C-suite. If they aren't aware of how damaging and costly a security breach can be, make them aware. At this level everything often comes down to dollars and cents, so wave that $5 million figure in front of them if necessary. Trust me, that will get their attention. Once they're on board, work out a security plan that meets the company's needs, then get the budget to implement it and keep it up to date.
Educate Your Team: It's also important to educate your team on policies and best practices, and then follow up to make sure everyone has adopted these policies and integrated them into their daily work.
With new hires, highlight your security awareness efforts during onboarding. Don't wait to instill the right mindset; do it from day one.
Use the Right Technology: You should also have the right technology in place to protect you and your company. I'm sure you already use firewalls and antivirus software, but make sure they are maintained and kept up to date. Another tool that is becoming nearly as important as your antivirus is a VPN, for example one for the Firefox browser, so that traffic from remote workers is encrypted on networks you don't control. Keep in mind what a VPN does and does not do: it protects traffic in transit, but it does not stop a phishing email or malware that is already on the device.
Let’s talk a bit more about what kind of topics should be covered in cybersecurity training.
Recognizing Threats
In order to deal with cybersecurity threats, your employees need to be trained to recognize them. Unfortunately, both the types and the number of threats increase as time goes on. Six or seven years ago, the most typical threats were:
- Trojans
- Unpatched software, for example Adobe Reader, Flash, and Java
- Phishing attempts
- Network worms
- Advanced Persistent Threats
However, when we skip ahead to the last few years, other types of threats have become more common, including attacks against Internet of Things (IoT) devices and attacks aimed at the sheer volume of data we now store on our devices, computers, and in the cloud. But that's not all. Here's a longer list of the types of threats companies now need to be aware of.
- Advanced Persistent Threats
- Phishing
- Trojans
- Botnets
- Ransomware
- Distributed Denial of Service (DDoS)
- Wiper attacks
- Intellectual property theft
- Theft of money
- Data manipulation and destruction
- Spyware and other malware
- Man-in-the-middle (MITM)
- Drive-by downloads
- Malvertising
- Rogue software (for example, fake security tools)
- Unpatched software
That's a daunting number of things to be on guard against. Clearly, companies have their work cut out for them when it comes to training employees on what to watch for and how to stay vigilant.
It's also important for your employees to understand the need for caution when logging into the company network from off-site locations. Many employees now work from mobile devices while on the road or from home, so it's imperative that you evaluate how those devices are managed and what procedures govern them. Also, make it company policy that no one ever logs into the company network over public or free Wi-Fi without going through the company VPN.
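Training people to "recognize phishing" is vague unless you can say what the tell-tale signs are. As an added example (not part of the original post), the Python script below states those signs as concrete checks over a raw email: a display name that claims one address while the mail comes from another, a sender or link domain that imitates a trusted one (confusable characters such as 1 for l, or the company name wrapped in an unrelated domain), link text that shows one host while the href points at another, and pressure language in the subject. The trusted domain, the confusable table and the two sample messages are all constructed for this example; the heuristics are deliberately simple and are a teaching aid, not a replacement for a mail security gateway.

```python
"""Flag the phishing indicators that awareness training teaches people to look for.

Heuristic triage over raw RFC 5322 messages: a concrete statement of the checks
employees are trained on, not a substitute for a mail security gateway.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumption for this example: the domains the organisation legitimately sends from.
TRUSTED_DOMAINS = {"example.com"}

# Character substitutions typical of lookalike domains (examp1e.com, rnicrosoft.com).
# Crude by design: "0" -> "o" will also rewrite digits in honest domain names.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URGENCY_RE = re.compile(r"\b(urgent|immediately|expires?|suspended|verify now|action required)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
LINKISH_RE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/?#]\S*)?$", re.I)


def normalize(domain: str) -> str:
    """Collapse confusable characters so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def registrable(host: str) -> str:
    """Last two labels of a host; an approximation that ignores the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but, after normalisation, matches or reuses a trusted name."""
    if not domain or registrable(domain) in TRUSTED_DOMAINS:
        return False
    norm = normalize(domain)
    if registrable(norm) in TRUSTED_DOMAINS:
        return True  # only confusable characters differ, e.g. examp1e.com
    tokens = set(re.split(r"[.-]", norm))
    # brand name reused inside an unrelated domain, e.g. example-support.net
    return any(trusted.split(".")[0] in tokens for trusted in TRUSTED_DOMAINS)


def check_message(raw: str) -> list:
    """Return a list of 'KIND: detail' findings for one raw message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    sender_domain = sender.domain.lower() if sender else ""
    claimed = ADDR_IN_NAME_RE.search(sender.display_name) if sender else None
    if claimed and claimed.group(1).lower() != sender_domain:
        findings.append(f"DISPLAY_NAME_MISMATCH: name shows {claimed.group(1)} but mail is from {sender_domain}")
    if is_lookalike(sender_domain):
        findings.append(f"LOOKALIKE_SENDER: {sender_domain} imitates a trusted domain")
    if URGENCY_RE.search(str(msg["Subject"] or "")):
        findings.append("URGENCY: subject pressures the reader to act immediately")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown = LINKISH_RE.match(re.sub(r"<[^>]+>", "", text).strip())
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"LINK_MISMATCH: text shows {shown.group(1)} but href goes to {href_host}")
        if is_lookalike(href_host):
            findings.append(f"LOOKALIKE_LINK: {href_host} imitates a trusted domain")
    return findings


# Constructed sample messages for this example (not real mail).
PHISH = """\
From: "helpdesk@example.com" <alerts@examp1e-support.net>
To: employee@example.com
Subject: Urgent: your password expires today
Content-Type: text/html

<p>Reset it here: <a href="http://examp1e-support.net/reset">https://portal.example.com/reset</a></p>
"""

LEGIT = """\
From: "HR Team" <hr@example.com>
To: employee@example.com
Subject: Benefits enrollment opens next week
Content-Type: text/html

<p>Details are on the <a href="https://portal.example.com/benefits">benefits portal</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_message(raw) or ["no indicators"])
```

Each finding maps to one thing an employee is taught to check by hand: hover over the link, read the real address behind the display name, look at the domain letter by letter, and distrust urgency. Running the script over the constructed phish returns all five indicator kinds, while the legitimate HR mail returns none, which is also a reminder that "urgent" in a subject line alone should only ever be one signal among several.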
Reporting Threats
Have a Formal Plan in Place: Your company should have a documented plan for training and for reporting and handling incidents. It should be reviewed and updated often.
Train your staff to report any sort of security incident. Make sure they are willing and able to make these reports and create a culture that encourages it.
First of all, make sure your staff knows there will be no negative consequences for reporting. If they fear they'll get in trouble, they are less likely to report, and something that could have been dealt with early becomes critical. So do what you can to remove any anxiety about reporting.
Secondly, make sure your staff is aware of the positive impact of reporting a threat: it ultimately benefits the whole company.
And finally, make reporting as easy and accessible as possible.
Don't Stop There. Offer Continuous Training: This applies to everyone in the organization and should be specific to their jobs and the technology they use. Obviously, everyone needs to be aware of the risks that come with email and mobile devices, but some employees may require more specific training.
Since cyber threats continue to evolve, it’s important that training keeps pace.
Assign a Few Advocates: Every department should have at least one person who advocates the company’s cybersecurity culture. This doesn’t mean a spy, but someone who has an awareness of dangers and can help to keep others in the department motivated and vigilant as well.
Life-like Training Exercises: We all know the best way to learn something is by doing it. So launch some realistic simulated attacks against the company and see how employees deal with them. This can be done department by department, with attacks tailored to the job and to what those employees are actually likely to face.
Once they've lived through it and responded, hopefully in the manner they've been trained, they have the opportunity to offer feedback and share the lessons they learned, including what a similar but real attack could mean for the company and ultimately for their jobs.
Whatever manner of training you choose, be sure to reward employees whenever they do something that thwarts an attack, even if it's just spotting a phishing email. On the flip side, realize that some employees receive hundreds of emails a day, and asking them to spot the one dangerous email among them can be hard. So don't punish the employee who clicks; a prompt report after a mistake is exactly the behaviour you want.
On top of training your employees, here are some other key tips.
Recognize that it's not just your employees you may need to educate and train. Any business partners or third-party vendors who have access to your network need proper training as well. They need to understand the real threats and how to handle them. So it's imperative that anyone you have a business relationship with, and who touches your systems, has some form of training.
Cybersecurity is ever-changing. It's a little bit like playing whack-a-mole: for every threat you think you've protected yourself against, a new one pops up. So realize that you're going to need to remain up to date and educated.
As a reminder, I’ll reiterate something I said above:
- A ransomware attack will cost a company an average of $5 million.
Can you afford to be complacent when it comes to cybersecurity?