Chances are your organization already addresses cyber security to some extent in new employee onboarding. Whether that’s traditional training videos on cyber security that employees watch on their own time, presentations by IT, or brochures, most employees know that their companies have cyber security protocol and best practices. But how many of your employees actually know what the protocol and practices are?
In 2016, the average cost of a data breach was $3.62 million. And according to a study by the Poneman Institute, careless workers are the leading cause of data breaches in small and medium-sized businesses. If you want to improve your business’s cyber security, it’s time to get serious about employee education and cyber security training. You can start by asking these questions about your employees’ training:
- Is your information relevant?
Everyone should be familiar with the basics of cyber security, but not all employees need a complete cyber security education. HR professionals, for example, generally have access to sensitive data such as social security numbers and bank numbers, so they will need special training on how to safely handle that information. But to a new marketing team member who can’t even access those SSNs – that security training wouldn’t be applicable. Tailoring your cyber security education to specific jobs will help your employees stay engaged throughout the training – and hopefully remember and implement what was covered. - Is your information understandable?
The cyber security world is chalk full of jargon. To the average employee the words “Ransomware,” “DDoS,” “patch” and “worm” just don’t have any context when it comes to their job. Not only will they not understand you if you launch into cyber-speak, they might feel unintelligent, and just tune you out. Speak their language, not yours. A Forbes article also suggests keeping your cyber security training short; try a few quick 10-minute sessions instead of an hour-long training. If you break the training up, it will be easier to digest and remember. - Have you told them WHAT TO DO with this information?
The basics of cyber security are great, but make sure you are sharing how to implement the security measures. Do you want employees to go change their passwords? Tell them some good rules of thumb for creating strong ones. Do you want everyone to update software? Tell them about auto-updates and show them how they can set it up. Giving employees action items turns cyber security from an abstract idea into a goal they can work to achieve. - Do your employees understand why it’s important?
You know how costly security breaches can be. You know the consequences of employee negligence. So tell your employees. If they see how simple steps to improve their security can impact business operations, they’re more likely to take those steps. All of us are more likely to do something if we understand why we are supposed to be doing it. It won’t bring about 100% compliance, but it will help your employees to know you aren’t making demands just to make their lives more complicated – you’re asking for help in making a real difference in the business. - Have you covered the basics?
Everybody could use a refresher on the fundamental rules of cyber security. Even if a few employees do roll their eyes, chances are some of them have been using the same password for years – so they really should be hearing it again. In an interview with Fortune, the CEO of the Computing Technology Industry Association said, “Behavior changes really only happen through repetition, follow-up, and emphasis. It takes a long time to instill new habits.”
If we want to mitigate our employees’ risk, then we need to get serious about how we educate them about information security. If we honestly evaluate our cyber security training methods, we could probably all make some improvements. And that could make a real difference.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.