The Importance of Cybersecurity Awareness for All Employees

Taylor Karl
The Importance of Cybersecurity Awareness for All Employees 7914 0

The Importance of Cybersecurity Awareness for All Employees

Soon, we will be welcoming the ‘scariest’ holiday of the year, and no, it’s not Halloween. October is Cybersecurity Awareness Month, and the terrors that can befall organizations, and everyday people, from data theft are far more frightening than The Nightmare on Elm Street. In the spirit of the season, let’s start with a tale that will make any IT security professional’s blood run cold...

Picture it, Uber headquarters, September 15, 2022, your day as an IT professional at Uber starts off as usual until an incursion is detected in your internal network. Employees find a message from a hacker in Slack stating "I announce I am a hacker and Uber has suffered a data breach" as well as a listing of the confidential data they accessed or stole. Some employees are reporting that they are being redirected to a page with a pornographic image whenever they request a website. You have no choice but to quickly take the impacted systems offline to secure sensitive data and investigate the extent of the breach. As you begin to investigate, news of the breach is spreading like wildfire in the media. The company crafts a message to hopefully limit the reputational damage and to reassure shareholders, customers, and employees that Uber is back in control of its data. It feels like it’s 2016 again, back when the company suffered its previous large data hack.

The turbulence of the past few years has supercharged the remote work model, which lends itself to an increased risk of security breaches, due largely to employee mistakes. Cybercriminals have used this turbulence to their advantage and have increased the frequency of their cyberattacks. Employees may be an organization’s biggest asset, but they are also its greatest security risk.

88% of all data breaches are caused by human error, according to researchers at Stanford University.

Some sobering statistics

The upheaval of the pandemic and the remote work model, which was new to many organizations, led to cybercriminals targeting organizations and employees because they felt employees would be more distracted and laxer on security working from home. With many employees using personal devices that aren’t managed by their organization’s IT Department, security gaps became even more pronounced. In this new reality, it’s more important than ever for employees to understand, and take seriously, their crucial role in an organization’s data security. With the ever-increasing number of cyberattacks, employees should no longer view cybersecurity as optional or hold the mistaken belief that it’s someone else’s responsibility.

To better prepare for cybercriminal activity, it’s important for everyone in the organization to understand a variety of hacking strategies that can be used against them. According to ThoughtLab, these are the hacking methods that are projected to increase over the next two years:

  • Phishing/social engineering: currently 46%, increasing to 50%
  • Human error: currently 36%, increasing to 44%
  • Ransomware: currently 32%, increasing to 40%
  • Insider threat: currently 23%, increasing to 24%

Cybercriminals can penetrate 93% of company networks with the main route utilized being credential compromise.

With the increasing number of cyberattacks, leaders are beginning to have concerns about their organization’s ability to meet the challenges posed by the speed of technological advancement, the move to the cloud, the use of partners and suppliers, and the ever-growing array of products collecting and sending data back to an organization. Many leaders fear that the speed of advancement has outstripped their organization’s ability to quickly evolve their cybersecurity posture to meet the increased onslaught of cybercriminal activity. According to ThoughtLab, many executives feel that they are not prepared for this new risk landscape.

Some reasons why executives are concerned:

  • Growing use of partners and suppliers: 44% of executives, 50% of CEOs, CIOs, and COOs
  • Cyber risk initiatives not keeping pace with digital transformation: 41% of executives, 46% of CIOs
  • Inadequate cybersecurity budgets: 30% of executives, 39% of CEOs
  • Lack of executive support: 28% of respondents
  • Non-supportive corporate culture: 16% of respondents
  • Emerging technologies: 27% of executives
  • IoT technologies: 25% of respondents, 34% of CSOs
  • Shortage of skilled workers: 24% of executives, 36% of CIOs
  • Ineffective training programs: 22% of respondents

So, How Do You Eat This Terrifying Elephant in the Room?

Maintaining your organization’s data security, especially in the era of remote work, can seem like a daunting task, just like eating an elephant. As the familiar adage says, you eat an elephant one bite at a time. One of the most important first steps that can be taken is to provide tailored cybersecurity training for all employees. No one is immune from falling prey to the traps set by cybercriminals which is why employees’ knowledge and constant vigilance is so important.

Building Effective Cybersecurity Awareness Training

Cybersecurity awareness training for all employees, regardless of role, is an absolute necessity if an organization is serious about shielding its sensitive data from cybercriminals. Additionally, the industry in which your organization operates and the functions it performs may fall under federal and state regulatory mandates that require annual cybersecurity awareness training for employees. According to Ken Crawshaw, a United Training instructor and cybersecurity subject matter expert,

"It is the responsibility of companies to show due diligence, by offering training to their employees on how to do their jobs in a secure manner. If a breach occurs, demonstrating due diligence will dramatically reduce liability and potentially save a company millions of dollars in regulatory fines and additional collateral damage."

George Pauwels, also a United Training instructor and cybersecurity subject matter expert, agreed. Data security is not just the responsibility of IT staff, it’s everyone’s responsibility. A well-trained employee base is one of the best ways an organization can protect sensitive data; training can make the weakest link in an organization’s security posture much stronger.

When building cybersecurity awareness training, it’s important that you tailor the training for both technical and non-technical employees to ensure it’s relevant for each group. In addition, it’s also important that you tailor your message for multiple generations of employees. For example, a Gen Z or Millennial employee may be more attuned to ‘technobabble’ than someone who belongs to the Baby Boomer generation would. This isn’t to say that the older an employee is, the less intelligent they are. Rather, this is an indication that younger generations have been more deeply steeped in technology, whereas older generations were not. For information to resonate with employees, you need to speak their language.

Below are some areas to consider covering as a part of your cybersecurity awareness training for employees:

  1. Passwords, Access Privileges, and Secure Network Connections

Many employees do not understand the security implications of weak, easily guessable passwords, what is meant by access privileges, or the dangers of working on a non-secured network connection. Some topics to include are:

  • The difference between weak and strong passwords
  • Password security best practices
  • What access privileges mean and their importance
  • The importance of secure network connections
  1. Social Engineering and Phishing

Many employees do not understand what social engineering and phishing are and why everyone is susceptible to this form of attack. Due to the appearance of coming from a trusted source, these attacks are generally successful if employees don’t recognize them for what they are. Some topics to include are:

  • How to recognize and counter all forms of phishing scams
  • How to recognize fake or suspicious web pages and software
  • Identify the risks of social engineering
  • How to recognize and counter social engineering tactics
  1. Security for Devices

Many employees are unaware of the increased vulnerability posed by using their own devices to access sensitive organizational data to perform job duties. Some may mistakenly view their personal devices as more secure because they are using them in their own home. Employees need to understand why their devices are particularly vulnerable to cybercriminal attacks. Some topics to include are:

  • Introduction to mobile and computer device security
  • How to use mobile devices properly and safely for work
  • Recognize the risks posed by non-secure, unattended personal devices
  • The importance of physical device security and device security updates
  • Recognize the risks posed by unattended devices and sensitive documents
  • Best practices for storing and disposing of paper documents
  1. Cybersecurity Threat Reaction

For IT staff in charge of an organization’s cybersecurity, learning how to properly react to a cybersecurity threat or breach is essential. Having an established plan of action in the event of a cybersecurity threat or breach will allow you to act immediately to contain the damage and protect sensitive data. Some topics to include are:

  • How to assemble a threat reaction team
  • Investigating and determining the source of the attack
  • How to contain the damage and prevent further incursions
  • How to assess the severity of the breach
  • How to properly notify affected employees

A Final Word

It’s important that your organization’s internal cybersecurity awareness training includes the latest and most relevant security knowledge. Non-technical employees are just as responsible for your organization’s cybersecurity as your IT security staff; non-technical employees can no longer assume that their IT department is solely responsible for their organization’s cybersecurity. United Training offers cutting-edge cybersecurity training programs for both technical and non-technical employees. If you do not currently have cybersecurity awareness training in-place, we can help! Our CyberSafe: End User Security course is for anyone, regardless of their computer experience, and can provide the baseline cybersecurity knowledge your employees need to better protect your organization from cybercriminals.

CyberSafe: End User Security establishes baseline exposure to and knowledge of the following:

  • Identifying security compliance measures
  • How to recognize and defend against social engineering attacks
  • How to securely use computers and mobile devices to protect against viruses, ransomware, and other malware
  • How to use the internet securely—web browsing security, email security, social networks security, cloud services security, and remote location security

Let United Training help you train your employees to improve their cybersecurity awareness!

View our entire lineup of Cybersecurity learning solutions.

Print