The most common cause of a breach can be traced back to human error. As we hear about more ransomware attacks and organizations being crippled by cybercrime, we need to pause and rethink the prioritization of training employees.
- Can employees be the key to mitigating the cyber problem?
- How can training change to meet the current needs?
- How can these implementations together reduce the overall risk to organizations?
Many factors can contribute to a mistake that leads to a successful phishing attack and compromises the company. Contributing factors behind cyber mistakes include lack of training, overly stressed or hurried employees, unclear processes, new processes introduced by a buyout or merger, distraction, and apathy.
All of these factors can be influenced by an organization. Most organizations don’t want to hold themselves responsible for their employees’ behavior, but in the end they must. The liabilities created by untrained workers are growing. The shift in 2020 to more employees working from home was a direct cause of an increase in cyber breaches. According to the report Enduring from Home: COVID-19’s Impact on Business Security, “61% of organizations did not provide their staff with remote working devices, and 65% did not consider the deployment of any new security tools with the equipment.”
The long-term health and effectiveness of your employees correlate directly with how they perform their job, how they feel about their work environment, and how focused they are on bringing their best effort to the role they hold. It is a common misconception that employees don’t want training; in reality, they do. What they want is better, more tailored training that meets their specific needs. Microlearning is the concept of dividing training into small building blocks, like Legos, each of which can be completed in just a few minutes.
The last two decades have carved a person’s life into smaller, more compact units of time. Answering the phone, sending a text, jumping on Google Maps to find a meeting location: all of these break a person’s day into smaller segments. This idea of condensed, bite-sized training is called microlearning. The trend is being combined with gamification, which increases motivation and engagement by adding a fun, rewards-based spin to traditional training methods. Together, microlearning and gamification are changing the way employers reach and train the next generation of workers.
A few statistics from the Lorman blog on training numbers and trends:
- 85% of employees want to choose training times that fit their schedule.
- 80% of workers believe regular and frequent training is more important than formal workplace training.
- 93% of employees want easy-to-complete training.
- 91% want their training to be personalized and relevant.
There are five common mistakes organizations need to address when looking at their cybersecurity posture. The most common is the lack of training, or the wrong implementation of training. Understanding normal employee behavior and the other four areas can help an IT team, or the executive staff, better prepare for the risk of a breach. The five areas below all relate to reducing cyber risk, and each can be influenced by training throughout the organization.
Training is essential. There are now four generational groups working in a typical company: Baby Boomers, Generation X, Millennials, and Generation Z. Each of these groups uses and understands technology differently. When the COVID-19 pandemic hit, there was a shift to working remotely. This shift proved consequential for security, because workers had new processes and were working from outside their typical security perimeter. As of today, nearly 1 in 4 employees, across all professional fields, do not receive cybersecurity training or direction from their organization.
Passwords are key. If we consider passwords the key to all data, would you let every individual in the company create and manage their own keys to a physical office or facility? The answer is no. Employees typically reuse the passwords from their personal accounts to secure their organization’s accounts. This is a major security issue: 66% of employees use the same password across almost all platforms, and 53% haven’t changed their passwords in the last 12 months, making them especially susceptible to a breach that can affect all of their accounts. Passwords and password management are tied to employee training because it is the employees who generally create and use the passwords.
Not everyone needs access. Access management is a big issue in today’s work environment. If a manager or employee moves departments or changes responsibilities, do that individual’s passwords and access remain open? In complex environments like higher education, limiting access can be difficult. The fact is, 50% of organizations do not audit privileged accounts, and 70% do not require approval for creating new privileged accounts. Mapping access is the first step in knowing how open your environment is and in limiting the authority of those who can grant critical access. Employees can also be trained on who should and should not have access to certain areas. Employee training is critical for access management.
What is your cloud security, and how often do you back up? If you have information in the cloud, make sure it is encrypted, both at rest in the cloud and while being transferred. Do you know what level of encryption your organization uses, and what is advised for the type of information you keep? If you don’t need to hold the information, then don’t. Does the organization have regular data backups? How often are backups taken, and are they geographically separated? It is recommended that an organization back up important information at least once a week, preferably every 24 hours, whether manually or automatically. A cloud backup can be set to run automatically every 15 minutes. This practice creates a safeguard against a loss of data that could otherwise define an organization for years afterward. Backups are a great way to safeguard employees if and when something goes wrong, but with better training, fewer backups are needed.
Updates or patches are more critical than ever. Does the organization use a patch assessment tool to ensure operating systems and applications are up to date with the latest security fixes? Who patches, and how often does it happen? In 2019 alone, more than 80% of companies that had a data breach could have prevented the infiltration by patching on time or applying configured updates.
Deploying updates across the entire organization may be difficult, but it is a necessary defense that supports cybersecurity compliance and protects against outside entities. Patching is generally an IT function, but some organizations let employees manage their own updates. If you have ever seen a Microsoft update window pop up on your computer, you are partly responsible for patching. Training employees on who should patch, when, and how is critical to timely updates. All applications, software, hardware, and IoT devices need updates.
Cybersecurity should be a top priority for every executive team. Limiting liability and safeguarding the organization is paramount to the health and long-term success of the company. In today’s world, effective training includes gamification and microlearning to keep pace with generational shifts. Many cybersecurity measures keep an organization safe, but the main focus should be on training employees. Consistent, targeted, and gamified cybersecurity training will reduce the top five common mistakes made in cybersecurity.
Written by Heather Stratford.