Keeping with the weekly theme for National Cyber Security Awareness Month of “Creating a Culture of Cyber Security at Work,” we wanted to highlight the importance of employee education.
When executives think about cybersecurity strategy, a number of list items might come to mind such as keeping collected customer information safe, data encryption solutions, securing networks, etc. However, what probably isn’t on the top of the list but should be is employee education—and this includes C-suite employee education.
It should come as no surprise that employees can be (in part) responsible for data breaches or company security holes. Studies show employees engage in risky behaviors, even when they are aware of the dangers.
It is advantageous for company leaders to focus on employee education, since employees can be first-line defense against cyber-attacks. The National Cybersecurity Institute makes a good point, “Without training, workers will likely lack the skills and knowledge they need to adequately protect their companies’ networks from cyber attacks.”
There is something important to highlight: Good cybersecurity practices and a culture of awareness at work has to start on the executive level. In an article last week, Maria Korolov at CSO writes about this exact issue. “If even well-educated security experts mess up when it comes to security, can we really educate average employees to be more security aware?”
Probably not, and that’s why company culture involves employees at every level. With the right strategy, proper education and testing, and tools for support, employees can become an asset in combating attacks.
Set Clear Standards
Clearly outline security standards for employees. It is much easier for employees to follow documented strategy and guidelines than word-of-mouth instructions with no follow up. Education and training should be an ongoing practice and more than a meeting one time of year. Standards can be developed by executives and guided by system admins who know the ins and outs of the networks and security infrastructure of an enterprise.
Regularly Test Employees
One of the most common attacks employees face are phishing email scams. ThreatTrack Security found that email is still the number one threat vector for organizations. A Ponemon Institute survey found an average company with 10,000 employees spends $3.7 million per year dealing with phishing attacks.
This type of attack takes advantage of the untrained eye or employees who are in a rush and not dedicating enough time to scrutinize details of the email, such as verifying the source of an email and checking for a Client Certificate before clicking links or downloading attachments.
Educating employees about phishing and providing tips about what to look for can reduce time wasted on mitigating the aftermath of an attack. Regular testing should be implemented to gauge the success of training programs.
Support with Technology
Technology that supports cybersecurity best practices is essential for creating a culture of awareness at work. There are some security technologies that are a given for experienced system admins (hardware or software encryption, SSL Certificates, personalized computers, etc.), but all employees should know how technology they interact with on a daily basis plays a role in the overall enterprise security. There are many useful tools and platforms that can be used to support best practice education. For example, a password management program encourages strong and unique passwords for all accounts, and using multi-factor authentication should be enables wherever possible.
Creating a Culture of Cybersecurity Awareness
A company culture involves employees at every level. Cybersecurity awareness and dedication to best practices needs to start at the top of an organization and trickle down to the low-level employees. To piggy back on Maria Korolov’s question, does employee education [and security awareness] even work? There aren’t any studies drawing a strong parallel yet, but all signs point to yes. Employees can be your first line of defense for cyber-attacks.