Introduction

For any company, being aware of the cyberthreat landscape is critical. There is often a mindset that most cyberattacks can be thwarted by procuring and deploying the latest security technologies, and while this is true to an extent, no technology stack closes every gap: it also takes a high level of security awareness on the part of both employees and management to keep the lines of defense around the business or corporation intact.

In this article, we’ll examine four major security awareness training mistakes and how to mitigate them.

The Major Mistakes and Their Fixes

1) Newly-Hired Employees Are Not Trained in Security During Their First Days of Employment

Whenever you bring new employees into your organization, the first few days (perhaps even the first week) are usually spent orienting the new hire: the company, their job role, what is expected of them, corporate culture and so forth. An important part of this is to educate the new hire on the company’s security policies and guidelines during onboarding. In particular, the following should be reviewed with them:

  • What the company defines as acceptable Internet usage
  • How company assets should be used safely, with strong emphasis on devices they can take off-site, such as laptops, phones and other portable equipment
  • The password policy: what the company considers a “strong” password and when it must be changed. Note that current guidance (for example NIST SP 800-63B) favors long passwords screened against known-breached lists over forced periodic rotation, with a change required whenever compromise is suspected. If the business uses a password manager, train new hires to use it
  • The consequences of not abiding by the security policies
  • The latest cyberthreats, with a focus on phishing, spearphishing and business email compromise (BEC) attacks
  • The procedures to follow, and whom to contact, if they see or witness any suspicious behavior or activity

2) Security Training Is Just a One-Time Deal

Just because you have security-trained your employees at some point during their tenure, do not assume they will retain all of it. It is up to you to keep the training fresh and to remind them of the consequences of not following the security policies.

In this regard, running a training program at least once a quarter is a must. Also consider simulated exercises (phishing or social-engineering drills) at least once every couple of weeks.

One of the most useful exercises is a simulated phishing campaign: send a convincing but harmless phony email and measure how many employees click the link or enter credentials, how many simply delete it, and how many report it to the security team. The report rate matters as much as the click rate, because a reported email is what gives the security team time to act on a real one. This is one of your strongest indications of whether employees are acting on what they were trained on. Anyone who falls “victim” to the exercise should be told that they will receive further training, and their manager should be informed; keep the tone corrective rather than punitive, since the aim is to change behavior, not to shame people.
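The scoring half of such a campaign is where most home-grown simulations go wrong: if the tracking link only carries an employee ID, one person can (accidentally or deliberately) trigger a “click” against another’s record. The following is an added example, not code from the original article or from any phishing-simulation product. It assumes a hypothetical setup in which each lure carries an HMAC-derived per-recipient token in its link, the web server logs one JSON object per hit with a `token` and an `action` (`opened`, `clicked`, `submitted` or `reported`), and the campaign key is generated fresh per campaign; the recipient list and log lines are constructed sample data.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed per-campaign key. In a real deployment generate a random key per
# campaign and keep it out of the mail template and the web server logs.
CAMPAIGN_KEY = b"constructed-campaign-key-do-not-reuse"
CAMPAIGN_ID = "2024Q2-invoice-lure"  # hypothetical campaign name

# Worst-case ordering of what a recipient did with the lure.
SEVERITY = {"no_action": 0, "opened": 1, "clicked": 2, "submitted": 3}


def make_token(campaign_id, email, key=CAMPAIGN_KEY):
    """Per-recipient tracking token embedded in the lure's link.

    An HMAC over (campaign, address) means tokens cannot be guessed or
    enumerated, so one employee cannot trigger a "click" against another's
    record and skew the results.
    """
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def score_campaign(recipients, log_lines, campaign_id=CAMPAIGN_ID, key=CAMPAIGN_KEY):
    """Map hits on the tracking URLs back to recipients and summarise.

    recipients: list of {"email": ..., "dept": ...}
    log_lines:  JSON lines, one per hit: {"token": ..., "action": ...}
    Returns per-employee outcomes, the retraining list, per-department
    click/report rates and the number of log lines that were ignored.
    """
    by_token = {make_token(campaign_id, r["email"], key): r for r in recipients}
    outcome = {r["email"]: {"worst": "no_action", "reported": False} for r in recipients}
    ignored = 0

    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            ignored += 1
            continue
        rec = by_token.get(event.get("token"))
        action = event.get("action")
        if rec is None or action not in ("opened", "clicked", "submitted", "reported"):
            ignored += 1  # unknown or forged token, or an action we do not track
            continue
        state = outcome[rec["email"]]
        if action == "reported":
            state["reported"] = True
        elif SEVERITY[action] > SEVERITY[state["worst"]]:
            state["worst"] = action

    # Anyone who followed the link (or worse, typed credentials) goes on the
    # retraining list; merely opening the mail is not a failure.
    retrain = sorted(e for e, s in outcome.items()
                     if SEVERITY[s["worst"]] >= SEVERITY["clicked"])

    by_dept = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0})
    for r in recipients:
        s = outcome[r["email"]]
        d = by_dept[r["dept"]]
        d["recipients"] += 1
        d["clicked"] += SEVERITY[s["worst"]] >= SEVERITY["clicked"]
        d["reported"] += s["reported"]
    for d in by_dept.values():
        d["click_rate"] = round(d["clicked"] / d["recipients"], 2)
        d["report_rate"] = round(d["reported"] / d["recipients"], 2)

    return {"outcomes": outcome, "retrain": retrain,
            "by_dept": dict(by_dept), "ignored": ignored}


# --- constructed sample data ---------------------------------------------
SAMPLE_RECIPIENTS = [
    {"email": "alice@example.com", "dept": "finance"},
    {"email": "bob@example.com", "dept": "finance"},
    {"email": "carol@example.com", "dept": "engineering"},
    {"email": "dave@example.com", "dept": "engineering"},
]


def sample_log():
    """Constructed hit log: Alice opens then reports, Bob clicks and submits,
    Carol clicks, Dave does nothing; plus a forged token and a garbled line."""
    t = lambda e: make_token(CAMPAIGN_ID, e)
    events = [
        {"token": t("alice@example.com"), "action": "opened"},
        {"token": t("alice@example.com"), "action": "reported"},
        {"token": t("bob@example.com"), "action": "clicked"},
        {"token": t("bob@example.com"), "action": "submitted"},
        {"token": t("carol@example.com"), "action": "clicked"},
        {"token": "0000000000000000", "action": "clicked"},  # forged/unknown token
    ]
    return [json.dumps(e) for e in events] + ["not json at all"]


if __name__ == "__main__":
    print(json.dumps(score_campaign(SAMPLE_RECIPIENTS, sample_log()), indent=2))
```

Two design choices are worth noting. Opening the email is recorded but does not put anyone on the retraining list, because tracking pixels fire from mail clients and security gateways without any human decision. And the report flag is kept separately from the worst action, so an employee who clicked and then reported is both retrained and credited for the report, which is the behavior you actually want to reinforce.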

3) Employees Are Not Rewarded for Their Security Hygiene

After a new hire has been trained and reminded of the security issues that matter to the business or corporation, they should also be tested to determine how much of that knowledge they retain. With this goal in mind, consider implementing a certification program. If the new hire passes a set test, he or she should receive a certificate of completion and a formal, documented “Congratulations.” If possible, provide a small reward along with it, such as a gift card or a reduced gym membership.

The point is that if your employees are constantly chastised for what they do wrong, not only will they lose motivation, but you risk creating the disgruntled insider you are trying to guard against. If instead an employee is formally recognized for abiding by company security policies, this motivates not only that individual but other employees as well.

It is important to note also that longer-tenured employees should be acknowledged and rewarded as well for their security hygiene.

4) Not Enough Content Related to Security Topics for Employees

It’s important to keep everyone informed of the ever-changing cyberthreat landscape — not only your new hires, but all employees. You don’t have to include all the technical jargon in your updates, but you could post straightforward daily content on the company intranet, covering what the IT staff has discovered in terms of the latest threats and what your organization is doing to prevent them. You can also use these daily posts to mention what your employees can do to help.

Then, perhaps once every couple of weeks, you could also send out an email to your employees reminding them of the security steps they need to accomplish before they leave for home. This could include the following:

  • The importance of locking or logging off their workstation (a locked screen, not just a switched-off monitor, is what keeps a passer-by out of an unattended session)
  • Not leaving sensitive documents on their desks, and shredding rather than simply discarding anything that needs to be destroyed
  • Using only the company-approved remote-access method, with multi-factor authentication where it is provided, when logging in to corporate systems from home
  • How not to fall for social engineering schemes off the company premises (a classic example is letting something slip at a party or a bar when mingling with friends)
  • Above all, not using personal smartphones for work-related matters unless the company has explicitly approved them under a bring-your-own-device policy; otherwise, use the devices that have been issued to them

Along with the daily posts and the fortnightly reminder emails, it is also worthwhile to publish longer security-related pieces on a quarterly basis. One of the best tools for this is the infographic: people tend to have strong visual memories, and seeing the data mapped out in a picture helps them remember it.

Conclusions

Overall, this article has reviewed some of the major security-awareness training mistakes found today and how to mitigate them. This is obviously not an exhaustive list, and which of these points matter most will depend on your organization’s own security requirements.

But keep in mind that employees don’t have to be the weakest link in your security chain. Instead, if they are trained and motivated in a positive manner, they can be one of the strongest.
