• LinkedIn
  • Twitter
  • Google+
.
|
TechRecs: Cool Tools & Hot Topics
|
How to Make Your Employees Care about Cybersecurity: 10 Tips
Posted on June 22, 2017 by

People are the largest security vulnerability in any organization. Here’s some expert advice on how to make cybersecurity training more effective and protect your business.

Employees are a company’s greatest asset, but also its greatest security risk.

“If we look at security breaches over the last five to seven years, it’s pretty clear that people, whether it’s through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities,” said Eddie Schwartz, chair of ISACA’s Cyber Security Advisory Council.

In the past, companies could train employees once a year on best practices for security, said Wesley Simpson, COO of (ISC)2. “Most organizations roll out an annual training and think it’s one and done,” Simpson said. “That’s not enough.”

Instead, Simpson said organizations must do people patching: Similar to updating hardware or operating systems, you need to consistently update employees with the latest security vulnerabilities and train them on how to recognize and avoid them.

“Your people are your assets, and you need to invest in them continually,” Simpson said. “If you don’t get your people patched continually, you’re always going to have vulnerabilities.” Even in a company with hundreds of employees, it’s worth training them as opposed to taking on the risk of a breach, he added.

However, it’s important to empathize with your employees as well, said Forrester analyst Jeff Pollard. “People represent a large potential attack surface for every organization,” Pollard said. “The reason I don’t like to think of people as a security vulnerability is that it encourages a blame the victim mentality. Security teams exist to protect information, people, and the business.”

When a user makes a mistake and clicks on an email that causes an infection, we often think that was the cause, Pollard said. But that’s not actually the case—the organization was already under attack when the attacker sent the email, before it was opened. It also means every other security control in the path of that attack failed, he added.

Here are 10 tips for helping all employees understand cyber risk and best practices.

1. Perform “live fire” training exercises
The best training today is “live fire” training, in which the users undergo a simulated attack specific to their job, Schwartz said.

“Maybe they become a victim to an attack that’s actually orchestrated by a security department or an outside vendor, and then they’re asked to understand the lessons they’ve learned from that attack, and the implications on the business, on their personal lives and how they could have prevented it,” Schwartz said. “And then they’re asked to share that experience with their peer group.”

ISC(2) performs regular phishing tests, in which the IT team sends out a fake phishing email to all employees across the organization, and gauge how many people click on it, Simpson said. Then, they can break that data down by departments and types of messages, to tailor training to problem areas. It also allows the company to show progression.

2. Get buy in from the top
The CISO needs to make the rest of the C-suite aware of the ramifications of a potential breach, Simpson said. “Typically, to have a good cyber plan, you have to have line items in the budget for people, hardware, or software, year over year,” he said. “That means getting the CFO, CIO, and CEO on board.”

3. Start cyber awareness during the onboarding process
“The first time employees come through the door, start building the mindset as all new hires go through security training from day one,” Simpson said. “That way they hear from the time they start that cyber is important, and that they are going to get continuous training.”

4. Conduct evaluations
Don’t be afraid to perform evaluations of both employees and systems to find out how vulnerable your organization is to attack, Simpson said. “Until you do that, you won’t know how bad or good your security posture may be,” he added.

5. Communicate
Create a plan for how best to communicate cybersecurity information to all employees, Simpson said, to get all departments on board with training and learning best practices. “It will help break down siloes—it creates alignment, and people working on it together,” Simpson said.

6. Create a formal plan
IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks, Simpson said.

7. Appoint cybersecurity culture advocates
Tech leaders should appoint a cybersecurity culture advocate in every department at their organization, Simpson said. These advocates can act as an extension of the CISO and keep employees trained and motivated. “That’s something that’s often overlooked—use the resources you already have in the company beyond the IT team,” he added.

8. Offer continuous training
Cybersecurity training should continue throughout the year, at all levels of the organization, specific to each employee’s job, Schwartz said. “If you’re an end user, there has to be training associated with the types of attacks you might receive—for example, attacks on your email or attacks that are oriented on the type of job you hold,” Schwartz said. “If you’re in IT, the attacks may be more technical in nature in terms of the attacks you might be seeing.

“It really is a case of understanding how the threat landscape continues to evolve relative to these attacks, and keeping technical security training current,” Schwartz said.

9. Stress the importance of security at work and at home
Tech leaders should help employees understand the importance of cyber hygiene not just in the workplace, but also at home, Pollard said. “Teach users about privacy, security, and how the lessons learned at work can apply at home and in their personal lives to give them a ‘what’s in it for me’ they can apply all the time, not just at work,” he added.

10. Reward employees
Reward users that find malicious emails, and share stories about how users helped thwart security issues, Pollard said. IT leaders should also empathize with employees who make mistakes, Pollard said: Many employees send or receive hundreds of emails per day, so asking them to avoid one of those can be difficult.

While these training tips can help, education is not a perfect solution, Schwartz said. “Even in the most advanced and most current education scenarios, there still are a percentage of attacks that will get through, and even in the most enlightening and useful educational programs, there still is anywhere from a 4-6 percent success rate, even after all of the training is done,” he said. “So, training is just one aspect of defending the environment from advanced attacks.”

For more information on solutions for running your businesses’ technology more efficiently, visit our website or contact Megan Meisner at mmeisner@launchpadonline.com or 813 448-7100 x210.

This was originally posted by TechRepublic.

Posted in TechRecs: Cool Tools & Hot Topics, Small Business IT Management, IT Solutions - Stay Secure
TechRec – Mobile Apps Series: Pushover, Gusto & TickTick
This App of the Year Winner is the Best PDF Editor Available

Related Posts

  • What Is Patch Tuesday? Microsoft’s Monthly Update Explained

    On the second Tuesday of each month, Microsoft and other tech companies release patches for
    read more
  • 10 Ways to Save Time on Your Windows 11 PC

    Windows 11 packs many features that you can use to speed up your tasks and
    read more
  • How to Automatically Fix Column Width to Fit Your Data in Excel

    There are numerous ways to change column widths in Excel, but did you know you
    read more
  • Why I Use a Privacy Screen When Working in Public

    Privacy screens are an affordable way to protect yourself from nosy colleagues and strangers whilst
    read more
Logging In...

Profile cancel

Sign in with Twitter Sign in with Facebook
or

Not published

TO WEBSITE >>
launchpadonline.com

CATEGORIES

  • Launch Pad News
  • TechRecs: Cool Tools & Hot Topics
  • Small Business IT Management
  • Small Business Web Strategies
  • IT Solutions – Cloud | Mobile
  • IT Solutions – Stay Secure
  • ITs Easy Being Green
  • RevITup TechCare Client Forum
  • GreenBack Nonprofit Wish List
  • Launch Pad Franchise Forum
  • Launch Pad Partner News

Cloud Computing in Plain English

Copyright © 2026 | Privacy Policy
  • LinkedIn
  • Twitter
  • Google+

Archives

  • January 2025 (1)
  • December 2024 (3)
  • November 2024 (4)
  • October 2024 (2)
  • September 2024 (4)
  • August 2024 (3)
  • July 2024 (2)
  • June 2024 (1)
  • May 2024 (3)
  • April 2024 (4)
  • March 2024 (2)
  • February 2024 (3)
  • January 2024 (4)
  • December 2023 (3)
  • November 2023 (3)
  • October 2023 (3)
  • September 2023 (3)
  • August 2023 (5)
  • July 2023 (3)
  • June 2023 (5)
  • May 2023 (4)
  • April 2023 (3)
  • March 2023 (4)
  • February 2023 (3)
  • January 2023 (3)
  • December 2022 (2)
  • November 2022 (2)
  • October 2022 (2)
  • September 2022 (3)
  • August 2022 (3)
  • July 2022 (2)
  • June 2022 (3)
  • May 2022 (2)
  • April 2022 (2)
  • March 2022 (2)
  • February 2022 (3)
  • January 2022 (2)
  • December 2021 (2)
  • November 2021 (3)
  • October 2021 (3)
  • September 2021 (3)
  • August 2021 (3)
  • July 2021 (2)
  • June 2021 (4)
  • May 2021 (3)
  • April 2021 (2)
  • March 2021 (2)
  • February 2021 (3)
  • January 2021 (2)
  • December 2020 (2)
  • November 2020 (2)
  • October 2020 (4)
  • September 2020 (2)
  • August 2020 (3)
  • July 2020 (2)
  • June 2020 (3)
  • May 2020 (2)
  • April 2020 (3)
  • March 2020 (3)
  • February 2020 (3)
  • January 2020 (4)
  • December 2019 (3)
  • November 2019 (2)
  • October 2019 (4)
  • September 2019 (3)
  • August 2019 (4)
  • July 2019 (2)
  • June 2019 (3)
  • May 2019 (3)
  • April 2019 (3)
  • March 2019 (3)
  • February 2019 (3)
  • January 2019 (4)
  • December 2018 (3)
  • November 2018 (4)
  • October 2018 (3)
  • September 2018 (2)
  • August 2018 (3)
  • July 2018 (3)
  • June 2018 (3)
  • May 2018 (2)
  • April 2018 (3)
  • March 2018 (3)
  • February 2018 (3)
  • January 2018 (3)
  • December 2017 (3)
  • November 2017 (4)
  • October 2017 (3)
  • September 2017 (4)
  • August 2017 (4)
  • July 2017 (4)
  • June 2017 (3)
  • May 2017 (5)
  • April 2017 (4)
  • March 2017 (4)
  • February 2017 (5)
  • January 2017 (4)
  • December 2016 (3)
  • November 2016 (4)
  • October 2016 (4)
  • September 2016 (4)
  • August 2016 (5)
  • July 2016 (4)
  • June 2016 (5)
  • May 2016 (3)
  • April 2016 (4)
  • March 2016 (4)
  • February 2016 (3)
  • January 2016 (3)
  • December 2015 (4)
  • November 2015 (4)
  • October 2015 (3)
  • September 2015 (3)
  • August 2015 (3)
  • July 2015 (3)
  • June 2015 (5)
  • May 2015 (4)
  • April 2015 (6)
  • March 2015 (4)
  • February 2015 (2)
  • January 2015 (5)
  • December 2014 (4)
  • November 2014 (3)
  • October 2014 (8)
  • September 2014 (5)
  • August 2014 (2)
  • July 2014 (3)
  • June 2014 (6)
  • May 2014 (3)
  • April 2014 (6)
  • March 2014 (5)
  • February 2014 (3)
  • January 2014 (5)
  • December 2013 (4)
  • November 2013 (4)
  • October 2013 (6)
  • September 2013 (3)
  • August 2013 (5)
  • July 2013 (6)
  • June 2013 (4)
  • May 2013 (3)
  • April 2013 (4)
  • March 2013 (4)
  • February 2013 (3)
  • January 2013 (5)
  • December 2012 (4)
  • November 2012 (5)
  • October 2012 (5)
  • September 2012 (6)
  • August 2012 (6)
  • July 2012 (6)
  • June 2012 (3)
  • May 2012 (7)
  • April 2012 (6)
  • March 2012 (10)
  • February 2012 (6)
  • January 2012 (5)
  • December 2011 (7)
  • November 2011 (9)
  • October 2011 (4)
  • September 2011 (4)
  • August 2011 (11)
  • July 2011 (14)
  • June 2011 (4)
  • May 2011 (11)
  • April 2011 (8)
  • March 2011 (11)
  • February 2011 (11)
  • January 2011 (21)
  • December 2010 (10)
  • November 2010 (10)
  • October 2010 (8)
  • September 2010 (10)
  • August 2010 (12)
  • July 2010 (8)
  • June 2010 (9)
  • May 2010 (8)
  • April 2010 (7)
  • March 2010 (10)
  • February 2010 (8)
  • January 2010 (6)
  • December 2009 (7)
  • November 2009 (13)
  • October 2009 (11)
  • September 2009 (16)
  • August 2009 (13)
  • July 2009 (16)
  • June 2009 (18)
  • May 2009 (16)