8 Tips and Best Practices on How to Train Employees for Cyber Security

The Importance of Cyber Security Training for Employees

As more and more data breaches and hacks make the news, affecting businesses ranging from kitchen manufacturer OXO to investment management giant BlackRock, it’s vital that you take the time now to look at where your organization is vulnerable. While you can set up any manner of systems to protect your business with cybersecurity, the truth is that many attacks target you where you’re most vulnerable: your employees. Understanding how to train employees for cybersecurity is essential for every organization.

With so many resources available to businesses to protect their digital assets, like managed IT services that provide top-notch security on a small business budget, hackers have resorted to tactics like spear-phishing and social engineering to find an easy mark. The landscape is constantly shifting, and it can be hard for businesses to keep up. Here are eight tips and best practices to help you train your employees for cybersecurity.

1. First, Don’t Blame Your Employees

Many people look at the news of a massive data breach and conclude that it’s all the fault of some hapless employee that clicked on the wrong thing. While it’s true that they may have been the one to fall for the trap, blaming an individual for not having the right knowledge at the right time is really a way of avoiding the organization’s responsibility to ensure its employees keep its network and data secure.

The onus is on the organization to come up with a plan for ensuring everyone has the knowledge they need to make the right decision and knows where to go if they have any questions. That means being clear about what to do if anybody has questions, and setting up the infrastructure necessary to share new threats as they emerge and get everyone invested in organizational security.

2. Invest in Employee Training

One of the most important concepts to grasp with cybersecurity is that maintenance is a constant job. New attacks develop monthly, if not daily, and your approach to guarding against them can’t be limited to annual training.

If you only updated your network devices once a year, your security would be a nightmare. The same is true for your people.

Wesley Simpson, COO of (ISC)2, suggests in an interview with TechRepublic that we should think about security training as people patching. “Your people are your assets, and you need to invest in them continually,” Simpson says. “If you don’t get your people patched continually, you’re always going to have vulnerabilities.”

You need to commit to a wide variety of approaches to keep your team abreast of what’s out there and what to do about it. This requires a mindset shift: not viewing the person who opened the wrong attachment as the point of failure and, instead, recognizing that it’s the security and training structure around that individual which has failed.

3. Make Cybersecurity Awareness a Priority

Even if you know which way the trends have been pointing, it’s hard to get your head around just how regularly data breaches occur. Cyber Security Hub’s “Top 5 Cyber Security Breaches of 2019 So Far” includes incidents that have affected Dunkin’ Donuts, Toyota, and Walmart, and we’re only halfway through the year.

Even more shocking is realizing how little coverage most of these attacks have gotten in the media. Before you start thinking that your small business can fly under the radar, keep in mind that according to the Keeper Security and Ponemon Institute 2018 “State of Cybersecurity” report, two-thirds of SMBs have suffered a cyberattack in the past twelve months.

One way to get the message across to your team is to share cybersecurity news regularly. The volume and frequency of attacks will certainly get the message across that everyone needs to be thinking about security in their day-to-day.

At the same time, you don’t want to flood inboxes so much that your emails head straight to the archives. Instead, think about appending a “cybersecurity in the news” section to emails or reports that you already make or simply including a few links in your signature that you can continually update.

4. Get Buy-In From the C-Suite

In an organization, change needs to happen from the top. Just like with any digital transformation project, if you don’t find a champion who is invested in the value of what you’re trying to do, it’s going to be an uphill battle to justify the man-hours and expenses necessary to implement a solid cybersecurity plan.

When making a case for investing in regular training (and more) for your employees, you need to speak to executives in terms they can understand. As we’ve cited elsewhere in this article, data breaches are a common occurrence, and there is no shortage of news articles covering the damages to organizations big and small. It’s the price we pay for all the incredible things that technology and the cloud have made possible.

If you’re looking for executive buy-in, it helps to be incredibly clear about how data breaches and other cyberattacks can affect the bottom line. The costs are more wide-ranging than most people think, and it’s helpful to use some numbers to make things more tangible.

The average cost of a data breach in 2018 was $3.86 million, and only figures to rise. Put a price on everything, from the organizational cost of losing access to mission-critical data to the potential liability of being at fault for leaking customer information. You’ll find it’s a lot easier to get the support you need.

5. Password Security Training and Best Practices

We all know that following password best practices is a fundamental building block of a solid organizational security plan. The challenge is getting your team to actually do it. To review, a strong password has these traits:

  • It’s long enough: Longer passwords are exponentially harder to brute-force. Make sure you require at least eight characters for every password you use.
  • It uses multiple character sets: Each character set you use (uppercase, lowercase, numerals, symbols) adds another layer of complexity that makes it harder to crack.
  • It doesn’t use complete words: While a common word might be easy to remember, it’s incredibly easy for an attacker to add a “dictionary attack” to their password cracker script.
  • It’s changed regularly: Using the same password over and over again means there’s more of a chance for it to be compromised. Setting a reminder to change it means there’s a smaller window of opportunity if it does get compromised.
  • It’s not shared across accounts: A quick trip to com can tell you whether or not a password attached to your email has been published on the darknet, where an enterprising hacker can harvest that information and try it on other websites.

The best approach to ensure compliance is to remove the friction for your team and hopefully solve other problems they may run into in their day-to-day workflow. We recommend adopting a password manager like LastPass or 1Password. These tools will generate and remember strong passwords for every account your employees use. They also make it easy to share passwords across your team, allowing you to collaborate remotely while still following best practices.

6. Train Employees to Recognize Phishing and Social Engineering Attacks

As we’ve discussed, some of the most powerful and effective cyberattacks that are out there today rely on human error. Attackers can spoof email addresses, domains, and even something like Google’s two-factor authentication form to create a targeted man-in-the-middle attack to compromise even the most protected accounts. Throw in some fake corporate branding and you have a recipe for disaster.

Here, again, we see the importance of not blaming an individual employee for something that your business needs to solve—as an organization. Hackers cast a lot of lines to see where they can get a nibble, but a sophisticated attacker with the right information can create a highly-targeted scheme to work their way into your network. You need to teach your employees how to identify a “phishy” looking email and where to go if they have questions.

As far as where to begin with training, Infosec recommends the following:

  • Check the sender email address and name for spoofing, especially when the sender is making an unusual or unexpected request.
  • Check the email format and ask yourself if there’s anything off about it.
  • Make a phone call if you’re suddenly asked for key information like login credentials.
  • Hover over links to make sure they go where they say they go.
  • Scan any attachment before opening it, and check the file extension for anything unusual, like multiple file types.
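The sender, phone-call, link and attachment items in that list can be checked mechanically before a busy employee ever has to judge them. As an added example that is not part of the original article or of Infosec's material, the Python below runs those checks over a constructed message; the `ORG_DOMAIN` value, the `.invalid` hostnames and the message itself are placeholders, not data from the page.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.invalid"  # assumed organisation mail domain (placeholder)

# Constructed sample message (not a real phish); it trips every check below.
SAMPLE_EMAIL = """\
From: "Example-Corp IT Helpdesk" <helpdesk@mail-support.invalid>
Subject: Urgent: confirm your login credentials
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Confirm at <a href="http://example-corp.invalid.evil.invalid/login">https://login.example-corp.invalid</a></p>
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""

def host(url: str) -> str:  # hostname of a URL; bare link text such as a.b.c counts as a URL
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return one warning for each checklist item the message trips."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    html = " ".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/html")
    # Sender check: display name invokes the organisation, but the address domain does not.
    if sender_domain != org_domain and org_domain.split(".")[0] in name.lower():
        found.append(f"sender: '{name}' but address domain is {sender_domain}")
    # Request check: an outside address asking for credentials warrants a phone call.
    if sender_domain != org_domain and "credential" in (str(msg["Subject"]) + html).lower():
        found.append("request: outside sender asks for credentials; confirm by phone")
    # Link check: the visible URL text must point at the same host as the real href.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        label = re.sub(r"\s+", "", label)
        if "." in label and host(href) != host(label):
            found.append(f"link: text shows {host(label)} but goes to {host(href)}")
    # Attachment check: stacked extensions such as invoice.pdf.exe ("multiple file types").
    for part in msg.walk():
        exts = (part.get_filename() or "").lower().split(".")[1:]
        if len(exts) > 1:
            found.append(f"attachment: {part.get_filename()} ends in .{'.'.join(exts)}")
    return found
```

Calling `phishing_indicators(SAMPLE_EMAIL)` returns four warnings, one per check; a plain internal message returns an empty list.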

Social engineering attacks are even more nefarious because they target your employees’ need to help people. An attacker will call or email your organization, posing as a vendor and asking for help. If you’ve recently received a robocall, you know how easy it is to spoof a phone number.

Again, common sense rules apply here. How has this person proven they are who they say they are? Why are they requesting this information? Teaching employees to take a step back and think things through is critical to avoid falling prey to this kind of attack.

7. Make Cyber Security a Part of Onboarding

First impressions are everything, and cybersecurity is no exception. If organizational security isn’t a part of your onboarding, it’s time to start incorporating it into your training process from the start.

Password security, phishing, and social engineering attacks—all of it needs to be covered from day one. Most critically, make sure you’re not just going over the rules but also explaining why these best practices are so important.

Just like with getting executive buy-in, it’s important to be clear about just how much of a threat data breaches are and why it’s their problem, too. Creating clear employee cybersecurity guidelines can be a major asset here, as it gives them a resource to turn to if they need help. Remember that it’s better to know about a potential breach as soon as it happens, so make sure you’re creating an environment where sharing is encouraged and avoiding a situation where someone tries to cover up their mistakes and makes a risky situation even worse.

8. Conduct “Live Fire” Practice Attacks

You’d never train an employee for a new piece of software without giving them a chance to experiment in a realistic environment where they can put their newly-acquired skills into practice. On the same note, you can’t expect your team to build the correct cybersecurity habits without finding a way for them to put these concepts into action and even learn from their mistakes.

Whether you use an outside vendor or run it through your own security department, it’s well worth the investment to test your organization with a “live fire” simulation. Your team may understand the principles of recognizing a phishing or social engineering attack, but the key is to run those mental checks in the course of a busy workday where you have a million other concerns.

Just like a fire drill, running regular practice attacks will help your employees learn from their mistakes. You’ll also get data on where in your organization there’s the most room for improvement, helping you plan future training sessions as necessary. We all hate falling for the same trick twice, so a successful practice attack can make for a real teachable moment about why security is so important.

What You Can Do Right Now

As the number of data breaches and hacks continues to rise, it’s vital for your business to take steps to ensure you don’t find yourself in the headlines. Just like with any organizational transformation project, that means getting your team to buy in and build habits.

Training is the key here, as well as constant reminders that there are threats out there and maybe even a “live fire” exercise to show how easily you can fall victim to an attack. Remember that cybersecurity is a team effort, and you need to put your employees in a position to succeed.

Frequently Asked Questions – How to Train Employees for Cyber Security

1. How Important is Cyber Security Training?

Training is everything when it comes to cybersecurity. New attacks are constantly cropping up, and you need to put your employees in a position to succeed. They need to be in the habit of thinking critically any time they’re asked to share login information.

2. How often should I train employees on cybersecurity?

You should train employees once a quarter or more, with intermittent “live fire” training exercises and constant reminders about new attacks that have developed and breaches that occur.

3. What should I include in cybersecurity training?

Cybersecurity training needs to include how to recognize phishing and social engineering attacks, password best practices, and the potential cost of a data breach to your business.

4. What is a cybersecurity employee policy?

A cybersecurity employee policy is the central resource employees can go to if they have any questions about cybersecurity. It includes anything addressed in training, as well as organizational policies and best practices.