While high-profile, headline-grabbing cybersecurity attacks launched by hackers may have you wondering whether your company's defenses are good enough, the biggest threat to your information security actually may be one of your own employees.
A recent report by Willis Towers Watson estimates that 66% of cyber breaches are caused by employee negligence or malfeasance. External threats came in a distant second at 18%, with extortion at only 2%. And when employees are permitted to use personal devices for work, it only adds to the threat.
This is where learning and development (L&D) comes in. The first line of defense should be employee training. Staff need to know what to look for, what to avoid and what to report to IT.
Employers may have to go retro with training. As hackers become more sophisticated, many of the oldest tricks in the book are making a resurgence; in 2017, Cisco reported the classic routes of attack — email, spam and adware — are at levels not seen since 2010. It said that spam accounts for 65% of email, with roughly 8% to 10% of it malicious. Any employee can become an access point.
Another route can be when employees save data to third-party cloud-based applications. Employees may be merely trying to work remotely or share documents with co-workers, but Cisco says more than a quarter of those sites are "high risk" and should raise security concerns.
Even employee use of thumb drives isn't advisable. Not only can flash drives transmit viruses, but they also can be just plain lost. Last year, a USB drive was found on the street in London; on it was sensitive Heathrow security data, including Queen Elizabeth II's route to the airport.
For most employers, it may be unwise to assume employees adhere to the basics when it comes to cybersecurity. With almost 60% of employers operating under a "Bring Your Own Device" (BYOD) policy — and 28% of Americans choosing not to secure their phones with a passcode — training is critical.
While many employers set requirements around passwords and Wi-Fi that they can enforce on company devices, training may be the best defense when it comes to BYOD workplaces.
Awareness, training, testing
Training starts with awareness. It may sound simple but a recent survey by MediaPRO showed that 70% of employees struggle with cyber awareness. “Understanding where the risk for your company lies is the first step in creating a training plan,” according to Tom Pendergast, the company’s chief strategist. By first assessing employee knowledge, learning professionals can start with a baseline to create a training roadmap specific to the needs of the company and each individual, he told HR Dive via email.
Pendergast recommends a three-pronged attack: awareness, training and accountability. “Effective training only happens when an employee is both aware of the consequences their actions can have on the company,” he said, “and willing to be held accountable for their part in mitigating risks on a daily basis.” Pendergast said he believes a risk-aware culture doesn’t happen overnight, but rather through the ongoing training, reinforcement and accountability, in acting as the first line of defense against cyber criminals.
And that training can't be a one-time event, according to Erich Kron, KnowBe4’s security awareness advocate. “It is important that training is continuous,” he said in an email to HR Dive, “not just one time per year. This helps the employees keep the message at the top of their mind while they go through their daily tasks.”
Giving employees a chance to test their knowledge also is important. KnowBe4 uses simulated phishing attacks about once a month to keep employees on their toes. While testing reinforces learning, Kron warns not to shame employees if they fail. “The goal is to change human behavior by testing them in ways that go against their current habits. Expect that people will fail,” he said, “but support them even when they do. This will help them build confidence and the skills they need to improve.”
Creating human firewalls
Like all training, cybersecurity training needs to be tailed to each company's culture. Creating your own training content and delivering it internally in the terminology and cultural tone of the organization will ensure it has the right impact, Brian A. Engle, founder and CEO at Riskceptional Strategies told HR Dive in an email.
Engle recommends a top-down approach that includes a training scenario that takes the organization’s key personnel through a table-top cybersecurity exercise. It's not necessary to include everyone, he said, but including top leadership in a communication, escalation and response scenario will illustrate company preparedness and identify the roles that leaders hold in response initiatives.
Training also needs to be proactive, according to Kevin Gumienny, Microassist senior learning architect. "Figuring out what people need to do (instead of what they need to know),” he said via email, “will help training stay focused, short, and on point.”
Likewise, as threats evolve, so should training. “Cyber security skills often need constant practice so that they remain sharp,” Gumienny said. To help employees remember what they’ve learned, short bursts of regular training may help with retention. “Combining testing with spaced learning can be a great way to help make sure that the training sticks.”
“A great security awareness initiative should look like a great advertising campaign,” said Pendergast. "[T]hink of it as influencing consumer behavior.” For learning professionals, initial awareness and training is only the beginning. Repeated, consistent messaging through a variety of delivery methods can keep cybersecurity top of mind and reinforce knowledge. And that level of awareness could mean the difference between secured data and an unrecoverable breach.