In this interview with Help Net Security, Brent Johnson, CISO at Bluefin, talks about the importance of making cybersecurity training a priority for every organization and why this is often a difficult goal to achieve.
There has been a lot of talk about the Great Resignation lately, and companies have found themselves trying to fill positions at any cost. Has cybersecurity training suffered a lot during this process?
In a perfect world, every employee taking on a new role would receive all the cybersecurity training they would need in order for them to perform their job function securely. However, as companies scramble to fill positions, there’s a high likelihood that cybersecurity training is a “check the box” exercise and not relevant to a person’s role or privilege level. This can lead to dangerous side effects given most companies and employees are daily targets of some form of cyber threat. For example, inadequate cybersecurity training leaves companies even more vulnerable to common threats like phishing and ransomware.
With the stakes as high as ever to protect sensitive data from being compromised, companies need to make cybersecurity a priority for all new hires, ensuring all employees are up-to-date on the latest best practices to protect against costly attacks.
How to make cybersecurity training a priority?
Cybersecurity training has to be made a priority from the top down. A successful cybersecurity training program needs upper management buy-in, and it must be clear to employees that security is taken very seriously throughout the organization. Cybersecurity and associated training programs should be ingrained within corporate policies and allocated the budget required to succeed – without investment from leadership, good intentions for enhancing cybersecurity training may never be translated into action.
Why is it important for every employee to know best cybersecurity practices and is this actually doable?
With companies losing an estimated $15 billion dollars to phishing attacks alone in 2021, it’s clear there is significant value in employees practicing good cyber hygiene. The other thing about this number, which should be highlighted, is how preventable many of the attacks likely were through training programs. These attacks can start with one seemingly harmless click, so companies need to train all employees, especially those in high risk positions, on how to spot phishing and email fraud attacks to avoid falling victim.
Simple training on these types of attacks can go a long way toward increasing employees’ cybersecurity awareness – not to mention potentially saving the company millions of dollars by preventing attacks. Phishing and other social engineering-type attacks have evolved, but definitely have similar markers to look out for. It is important that cybersecurity programs encompass the old and new tricks being utilized by threat actors.
What could be the obstacles to cybersecurity training and how do you overcome them?
Like most training, finding a program that keeps employees interested and engaged can be a challenge. But when one wrong click has the potential of costing millions of dollars and ruining a company’s reputation, the stakes are high. While it may be difficult to find the right balance of too much versus too little in a cyber training program, I’ve found that employees are more apt to remain engaged and ask questions if the subject matter is current and relevant. All companies need to keep training and reminders up-to-date with current events and incidents related to cybersecurity and reinforce the best methods for prevention.
It can also be difficult to tailor cybersecurity training to specific job roles, and in my experience, most companies resort to supplying everyone with the same general training. For instance, system administrators, while generally more knowledgeable in cybersecurity, have greater access and are more valuable targets than a company intern. Training programs should account for this variance in job roles and plan their training content accordingly.
Do you think employee training is set to become an essential part of the onboarding program?
As organizations continue to lose billions of dollars each year to threat vectors such as phishing scams, ransomware, and data breaches, it’s clear a robust cybersecurity training program is a must for any company onboarding program. Depending on whether or not a company falls under any regulatory or compliance standards, it is likely cybersecurity training during onboarding is already a requirement. Having said that, not all cybersecurity training is created equal.
Many cybersecurity training programs are very general and fall short of providing employees with the tools needed to succeed in their specific job or role. Organizations will benefit from making cybersecurity training a robust preventative measure instead of waiting until an attack to invest in this crucial aspect of data breach prevention.
By Helga Labus