Cybersecurity Awareness Training: 6 Tips To Raise the Bar on Security

Oct 25, 2021

The hybrid work era has significantly increased the attack surface and the risk of data breaches. Organizations must reorient cybersecurity awareness training to limit human error. Let’s hear from experts on what it takes to build a robust security awareness program.

Ransomware attacks have risen dramatically in the last few years and continue to monopolize the headlines. As a result, in the 18th year of Cybersecurity Awareness Month, the Cybersecurity & Infrastructure Security Agency (CISA) has encouraged individuals and companies to #BeCyberSmart. To refocus attention on cybersecurity awareness, Toolbox asked cybersecurity and risk management experts to weigh in on this growing and costly problem and to provide recommendations for cyber awareness training that meets employees’ needs.

In the hybrid work era, a significant proportion of the workforce is now working ‘outside of the perimeter,’ said Daniel Clayton, VP of global security operations and services at Bitdefender. Pointing to the new realities of handling sensitive data that employees are still adjusting to, Clayton explained that they are increasingly using devices beyond the reach of security teams, which can lead to unintended data exposure, breach, or loss. A recent report, The Psychology of Human Error, from Jeff Hancock, a professor at Stanford University, and Tessian, found that 43% of employees have made mistakes that led to a compromised cybersecurity posture, while 43% have fallen victim to phishing scams.

According to Gary E. Barnett, CEO, Semafone, “This is where cybersecurity awareness training and employee education can come into play and ensure that organizations are alert to risks and take proper precautions.”

In a recent interaction with Toolbox, Sailpoint’s CISO Heather Gantt-Evans shared that in the hybrid era, cybersecurity awareness training could also be a source of community building with gamified training tournaments, lunch and learns, and more.

“In these circumstances we rely on the workforce to understand the potential risks associated with their situation, take precautions, and make informed decisions. In the past we could be loosely aligned, but highly governed. Today, we must be tightly aligned as we are governed less stringently,” Clayton further added.

While cybersecurity awareness has become a topic of great concern, organizations should ask themselves whether they are doing enough to secure hybrid workers. What steps can they take to prevent employees’ security mistakes from turning into security incidents?

Check out six actionable insights to level up cybersecurity training for the hybrid work era:

1. Cybersecurity Awareness Training Must Go From Executive to Endpoint

In March 2020, organizations had to choose whether to make changes in the right way or to do it right now. They had to choose ‘right now.’ Poor remote access is consistently a top cybersecurity attack vector and it’s only increasing. To mitigate this, awareness training goes from the executive to the endpoint. Everyone must be part of the cybersecurity team. One of the more effective cybersecurity resiliency techniques is user education and this is non-technical. Remember, the bad guys must be right only once, and the good guys must be right all the time.
— Rick Vanover, Senior Director Product Strategy, Veeam

Start at the top: measure the effectiveness of employee cyber awareness programs and report that to executive leadership. Include cyber awareness in orientation, onboarding, and the annual calendar to encourage employees to think about how their actions relate to cyber security. With the transition to remote workforces, organizations must adjust their cyber awareness education to include Internet of Things (IoT) and mobility, informing staff of devices, technologies, apps, and social media that can pose a risk to employees, their families, and the organization. Informing staff about security best practices is a proactive step towards situational awareness that makes all employees good cyber citizens.
— James Carnall, VP of Services, ZeroFox

2. Make Cybersecurity Awareness Training Mandatory for Employees

The cyber talent pool is small as it is, and unless major changes are made to address cybersecurity education and training needs, the cyber workforce pipeline will not keep up with increasing demand. As threat actors are constantly innovating their way around detection tools, spread-thin security teams simply can’t stay on top of every threat that impacts a distributed workforce. Further, the true effectiveness of tools and plans is often only tested during a full-scale breach. It’s therefore imperative for employees to have cybersecurity awareness training to monitor for threats before they progress.
— Becky Robertson, Vice President, Booz Allen Hamilton

3. Cybersecurity Awareness Training Needs To Be Carried Out Regularly

While a customary cybersecurity training workshop followed by a short assessment would fulfill the compliance requirement, it doesn’t help much in bringing about change. Like any other habit, security awareness training needs to be carried out continuously. Employees must be made to understand that security is not a nice-to-have but a necessity.
— Manikandan Thangaraj, Vice President, ManageEngine

4. Design Security Training and Tooling To Meet Employees’ Needs and Avoid Shadow IT

Unless you’re in the business of security, a security-first mindset isn’t going to happen. You’ll get a lot farther if you take a business-first approach. If your security controls make it harder for people to do their job, they’ll circumvent them. Whether it’s through shadow IT or a risk/policy exception, it amounts to the same thing. You need to engage with your people and understand the reality of how they’re working and why. Accommodate it. Ensure your training and tooling allow teams to do their jobs, securely, and they will.
— Brian Masson, Director of Security, Jobber

5. Create Training That Incorporates Employees’ Workflow Changes

I firmly believe that the hybrid work trend will continue even after normalcy returns. That’s why security teams need to address the issues and risks that these remote users are exposed to. Creating training that incorporates how these employees’ workflows change when at home is key to educating and creating security awareness for these users. Training on proper VPN usage, using remote access tools, phishing techniques that these employees may be subject to at home, or ways to ensure their local network is up to date and safe are topics that need to be included in IT security training.
— Sean Pearcy, Senior Director, Cybersecurity Services, Flexential

6. Implement a PCI DSS Security Awareness Training Program for Employees

The training can introduce and help establish robust internal controls and procedures for ensuring strong data security which will help safeguard customers’ sensitive and personal information. When it comes to payment security, merchants and businesses should implement a PCI DSS security awareness training program for all employees to help the workforce deeply understand how to handle sensitive customer information—no matter their location—and recognize threats that hybrid work has presented.
— Gary E. Barnett, CEO, Semafone

By Neha Pradhan