Organizations are increasingly facing threats from sophisticated criminal organizations and nation state actors. To mitigate the risks posed by cybercriminals, organizations must secure and protect their proprietary and sensitive information. They must also commit to training their employees to do their part to protect confidential and proprietary information. Cybersecurity training and awareness programs inform employees about cybersecurity threats, risks, and best practices, as well as how to navigate the ever-evolving threat landscape.
The importance of cybersecurity awareness
Cybersecurity consists of people, policies and technology. Of the three, people and human behavior deserve the most attention because of the risks associated with human habits, carelessness, and neglect. The threat landscape is constantly changing and exploits human error and neglect alongside system vulnerabilities. As a result, organizations need to provide awareness and training that keep pace with the evolution of that landscape and focus heavily on the human factor.
Due to the COVID-19 pandemic and the shift to remote work for many employees, organizations now understand more than ever that cybersecurity must be part of the organization’s culture, whether workers are at home or in the office at the company’s headquarters. As U.S. and overseas organizations work to address cybersecurity challenges, many C-suite executives recognize the importance of employee training programs and the need for security policies and controls. C-suite discussions on cybersecurity training and awareness programs involve consideration of the human factor, insider threats, and cybersecurity behavior. The analysis typically includes questions and comments on the effectiveness of cybersecurity training and awareness programs.
The state of cybersecurity training
Recently, TalentLMS conducted a survey of 1,200 U.S. employees to assess their awareness and knowledge of cybersecurity risks. TalentLMS also asked employees about fundamental principles of cybersecurity. The questionnaire covered topics ranging from password strength to suspicious emails. Less than 1% of respondents answered all questions correctly.
The most interesting responses to the survey were as follows:
- 69% of respondents reported having received cybersecurity training from their current employers, but less than 1% of all respondents answered all the questions in the questionnaire correctly.
- 77% of employees reported that their company had an established cybersecurity policy, but 19% were unaware of the policy.
- 26% of employees shared that they stored their passwords on a piece of paper.
The results of the survey indicate that only 69% of respondents received cybersecurity training from their current employers. Given recent global events and cyberattacks affecting almost every sector, all organizations whose employees use information technology should require those employees to participate in annual cybersecurity training and awareness. Failing to provide cybersecurity training to employees increases the risk of incidents and non-compliance caused by human error.
In addition, cybersecurity awareness and training are only one part of the equation for success. Organizational leadership must also focus its efforts and resources on creating a cybersecurity culture: hiring the right people with the right attitudes toward cybersecurity, training and testing employees regularly, and offering rewards and recognition to reinforce behavior that is consistent with good cyber hygiene.
Organizations must establish cybersecurity policies and, most importantly, those policies must be clearly communicated to all employees and be available in a variety of formats (e.g., the company intranet, the employee handbook, weekly information security tips). In the TalentLMS survey, 77% of employees reported that their company had an established cybersecurity policy, which is a fairly high percentage, but the thought of 23% of respondents working for organizations that did not have a policy is disturbing. Even riskier is that some respondents reported that they were unaware of their company’s cybersecurity policy. Any organization whose employees use IT should require them to acknowledge, and agree to follow, all cybersecurity policies.
Protecting proprietary and sensitive information is critical to the success of the organization. One way to protect sensitive and proprietary information, such as customer data and employee data, is to keep passwords safe and secure so as to prevent unauthorized access to devices. Survey results show that some respondents stored their passwords in ways that could expose their employer to an unnecessary risk of data breach (e.g., in the browser or in plain text). Specifically, 26% of respondents indicated that they had stored their passwords on a piece of paper. Employee negligence, such as leaving passwords or confidential information unattended on a desk, increases the risk of a data breach.
The survey results and the answers to the questionnaire make it clear that, although many respondents received cybersecurity awareness training, they do not demonstrate habits consistent with good cyber hygiene or apply their cybersecurity knowledge. This lack of discipline and application of knowledge has far-reaching consequences.
“Aside from the conclusion that companies do their cybersecurity training the wrong way, I find it very surprising and worrying that the highest failure rates on our questionnaire, by a large majority, were reported in technology-related industries,” commented Victor Kritakis, CISO at TalentLMS.
“In addition, we saw an unexpectedly high failure rate in the financial industry, where security is very critical. At the same time, we found that health care employees had the best scores. And a possible justification for this is that good control mechanisms, strict legal frameworks and periodic audits, as is the case with the healthcare industry in the United States, lead to better informed employees,” Kritakis added.
The survey findings have far-reaching implications for organizations that cannot manage their employees’ behavior in relation to cybersecurity practices. Failure to manage employee behavior increases the risk of cyberattacks against the organization.
Cyberattacks can compromise customer privacy, business operations, intellectual property or employee privacy. Naturally, the effects of a cyberattack include both reputational damage and, where applicable, the costs associated with a data breach. To mitigate the risks associated with the human factor, and as government and industry continue to develop their cybersecurity programs, awareness and training programs should include opportunities for participants to apply their cybersecurity knowledge: what to do, what not to do, and best practices.
Humans are our strongest ally in securing confidential and proprietary information. Consider that a properly trained employee working for a global company that has built a cybersecurity culture understands that their cybersecurity practices can affect co-workers in another country. Conversely, if an employee works for a global company based in the United States, their carelessness or negligence in Texas can affect the entire company, including colleagues in Singapore, if they have not had effective cybersecurity awareness and training, along with the willingness to apply what they have learned.
Another global implication relates to the global supply chain. Following the recent cyberattacks, cybersecurity professionals agree that supply chain security is essential. Thanks to technological advances, we are connected globally both personally and professionally. Given the interconnections between the public and private sectors and the scale of the supply chain risks faced by government and industry, risk management for information and communications technology (ICT) supply chains requires organizations to strengthen their security posture.
Training and audits improve the cybersecurity posture
One way to strengthen an organization’s security posture is to train the workforce effectively to mitigate the risks associated with human error and to recognize and respond to threats. We must all work together to improve the security of the ICT supply chain.
“Training your employees on cybersecurity should be taken very seriously,” Kritakis stressed. “It should not be theoretical and boring for your staff, but practical and offer real life examples. In addition, cybersecurity training should be part of the incorporation process, but it should also be repeated regularly. The training material should be updated because the threats change and become more and more sophisticated.”
Another useful tool is frequent auditing.
“It is equally important that companies carry out internal security audits. We have seen that these audits help identify compliance gaps and which departments or individuals are most vulnerable to attacks due to a lack of cybersecurity awareness. They also help to adjust training and policies and see which areas of cybersecurity you need to focus on: passwords, phishing, and so on. Finally, establishing security policies helps raise employee awareness. My advice to companies would be to follow and comply with a standard safety framework such as ISO 27001 or, for Europe, the GDPR,” added Kritakis.
Cybersecurity training and awareness programs are necessary and should be required as part of a holistic approach to establishing and maintaining a cybersecurity program. Surveys and evaluations have shown that cybersecurity training and awareness alone will not improve an organization’s security posture because they are not sufficient to change or manage employee behavior. Changing employee behavior requires a cybersecurity culture built by strong cybersecurity leadership and reinforced through controls, policies, and ongoing awareness and training.
About the author: Ambler is an attorney with experience in corporate governance, regulatory compliance and data privacy. He currently consults on governance, risk and compliance, business data management, as well as privacy and data security issues in Washington, DC.
Editor’s note: The views expressed in this article by the guest author are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.