One of the cornerstones of information security for enterprises is staff training. State-of-the-art anti-malware software and stringent security policies are effectively useless if your employees can be persuaded to bypass security protocols and aid an attacker without realizing it.
According to ComputerONE, information security training can help you keep your team prepared to repel cyberattacks, but it calls for a careful approach. With the three steps outlined below, you will substantially reduce staff-related security risks in your organization.
Why Train Your Employees?
The ultimate goal of information security training is to protect assets and information that are crucial to your business. This is done on multiple fronts.
The primary way in which infosec training can reduce the risk of security breaches is that employees will be more aware of the possible consequences of their actions and may have a better sense of responsibility.
According to the Ponemon Institute’s 2020 Cost of a Data Breach Report, 23% of data breaches were caused by human error. The human error category incorporated negligent employees or contractors who unintentionally caused a data breach.
Separately, the Office of the Australian Information Commissioner (OAIC) reports that 38% of data breaches between July and December 2020 were due to human error, up 18% from January to June 2020.
By making employees more informed, information security training reduces the risk of accidents caused by carelessness or mishandling of corporate data or systems.
Sense of responsibility aside, information security training is imperative due to the rapid evolution of cyber threats. Enterprises constantly come up with new ways to protect their operations, and malicious actors likewise invent new methods of circumventing carefully designed security measures.
Information security training allows you to keep your employees up-to-date with the latest developments in the worlds of ransomware, phishing, and the like. With proper instruction, even the most sophisticated threats should not be able to defeat your defenses.
Three Key Steps For Improving The Effectiveness Of Information Security Training
1. Review your information security policies
Infosec training is a must for any company that handles sensitive data, but if the policies you are enforcing are ineffective at protecting the organization, training your staff to follow them will not deliver the protection you seek. Aside from the training itself, you should take care of your security policies. In fact, these need to come first – training, albeit undeniably important, is only secondary.
Security policies define how an organization should protect itself from threats and the actions to take in the event of a security incident. As far as staff training is concerned, policies can help organizations ensure their employees stick to what they learned and prevent them from attempting to cheat the system or being compelled to cheat the system by a time-poor superior.
As an example of how a security policy could solidify your defenses, let’s consider a whaling attack where the compromised account of an executive could be used to force a fraudulent transaction out of your finance department under time duress.
To prevent such incidents, your security policies could (and should) require multi-factor authentication (MFA) and a voice call to clear the transaction. Even if a CEO’s email account is compromised, failure to pass these supplementary confirmation stages will very likely block the transaction.
In similar circumstances, security policies act as a guide for employees and a safeguard against security breaches. Without policies and incentives to follow the procedures established in your infosec training, the chance of the training’s success plummets.
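The whaling scenario above can be turned into a concrete release control. The following is an added example, not code from the article or from ComputerONE: a finance workflow in which a wire request that arrived by email is released only after the requester passes an MFA challenge and finance places a voice call to the executive's number on file. The directory, mailbox, phone numbers and time window are all constructed for the illustration; the point is that a callback number quoted in the email itself can never satisfy the control, and that "urgent" does not shorten the checks.

```python
"""Transaction-release policy: MFA plus an out-of-band voice confirmation.

Added example (not the article's or ComputerONE's code). All names, numbers
and the four-hour validity window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed directory: the ONLY source of callback numbers. A number
# supplied in the request email is never consulted.
DIRECTORY = {"ceo@example.com": "+61-2-0000-0001"}
CONFIRMATION_WINDOW = timedelta(hours=4)  # assumption: confirmations go stale


@dataclass
class TransferRequest:
    requester: str                      # mailbox the request arrived from
    amount: float
    received_at: datetime
    urgent: bool = False                # "pay now" pressure has no effect on checks
    mfa_passed_at: Optional[datetime] = None
    callback: Optional[dict] = None     # {"number", "placed_by", "at"}


def record_mfa(req: TransferRequest, passed_at: datetime) -> None:
    """The requester completed an MFA challenge at this time."""
    req.mfa_passed_at = passed_at


def record_callback(req: TransferRequest, number: str, placed_by: str, at: datetime) -> None:
    """Finance records the call THEY placed; validated at release time."""
    req.callback = {"number": number, "placed_by": placed_by, "at": at}


def release_decision(req: TransferRequest, now: datetime):
    """Return (allowed, reason). Each refusal names the missing control so it
    can be logged and reviewed rather than silently worked around."""
    directory_number = DIRECTORY.get(req.requester)
    if directory_number is None:
        return False, "requester not in directory"
    if req.mfa_passed_at is None:
        return False, "no MFA confirmation"
    if now - req.mfa_passed_at > CONFIRMATION_WINDOW:
        return False, "MFA confirmation expired"
    if req.callback is None:
        return False, "no voice confirmation"
    if req.callback["number"] != directory_number:
        return False, "callback placed to a number not on file"
    if req.callback["placed_by"] == req.requester:
        return False, "callback must be placed by finance, not the requester"
    if now - req.callback["at"] > CONFIRMATION_WINDOW:
        return False, "voice confirmation expired"
    return True, "released"


def scenario():
    """Walk a constructed 'urgent' request through the control and return the
    reason string at each stage, in order."""
    t0 = datetime(2021, 3, 1, 9, 0)
    req = TransferRequest("ceo@example.com", 250000.0, t0, urgent=True)
    reasons = [release_decision(req, t0)[1]]                       # nothing confirmed
    record_mfa(req, t0 + timedelta(minutes=5))
    reasons.append(release_decision(req, t0 + timedelta(minutes=6))[1])
    # Attacker-supplied "call me on this number" is not in the directory.
    record_callback(req, "+61-2-9999-9999", "finance@example.com", t0 + timedelta(minutes=10))
    reasons.append(release_decision(req, t0 + timedelta(minutes=11))[1])
    # Finance calls the number on file instead.
    record_callback(req, "+61-2-0000-0001", "finance@example.com", t0 + timedelta(minutes=10))
    reasons.append(release_decision(req, t0 + timedelta(minutes=11))[1])
    # The same confirmations are stale six hours later.
    reasons.append(release_decision(req, t0 + timedelta(hours=6))[1])
    return reasons


if __name__ == "__main__":
    for step, reason in enumerate(scenario(), 1):
        print(f"stage {step}: {reason}")
```

The decision function deliberately refuses with a specific reason at every stage; those reasons are what you would log and review, and a pattern of "callback placed to a number not on file" refusals is itself a signal that someone is pushing requests with their own contact details.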
2. Gamify infosec training
Security policies can certainly go a long way towards improving information security. However, repetitive training that occurs annually could easily bore your employees. The result – employees get distracted and fail to absorb the important lessons.
Gamification is one of the ways to “spice up” infosec training. The purpose of gamifying information security training is making it more invigorating via interactive activities that simulate security breach attempts.
A whopping 83% of those who receive gamified training feel motivated, and only 10% are bored. In contrast, non-gamified training makes 61% of employees bored and unproductive.
Organizations may either come up with their own methods to gamify traditional face-to-face or video training, or they could make use of available solutions. For executives, PwC has come up with “Game of Threats”.
“Game of Threats” simulates the experience of executives during cyberattacks. Possessing limited time and resources, participants play both as attackers and defenders with the aim of beating each other. This interactive approach provides a deeper, more practical insight into how attackers may attempt to penetrate your defenses and how executives should respond to malicious incidents.
3. Don’t just train – test
You may have fleshed out your security policies and completely revamped your infosec training program, but did it all actually make a difference?
You can find out by testing your employees after training. Solutions like Barracuda PhishLine allow you to simplify and streamline this process.
PhishLine lets you leverage the massive collection of real-world threat templates collected by Barracuda email protection tools to simulate email attacks. During a customized simulation, you will be able to survey your team to identify potential weaknesses in your security policies, work culture, and training methods.
Then, the most high-risk employees can be provided with additional gamified training based on their past actions and current responsibilities.
Most Executives Consider Untrained Staff As The Greatest Cybersecurity Risk
87% of executives around the world regard untrained staff as the greatest risk to their cybersecurity.
Infosec training and compliance with up-to-date security policies can go a long way in protecting your organization. For some perspective, according to Microsoft, a simple step like enabling MFA can reduce security compromises by 99.9%.
Measures like training (and re-training) your workforce are easy to neglect since they require time in development and delivery, but it’s critical that you deploy them in your organization. Otherwise, you’re ceding ground to the attacker without even realizing it.