{"id":103019,"date":"2023-09-26T09:00:43","date_gmt":"2023-09-26T13:00:43","guid":{"rendered":"https:\/\/trainingindustry.com\/?post_type=magazine&p=103019"},"modified":"2023-09-26T09:19:01","modified_gmt":"2023-09-26T13:19:01","slug":"7-tips-for-training-employees-on-cybersecurity","status":"publish","type":"magazine","link":"https:\/\/trainingindustry.com\/magazine\/fall-2023\/7-tips-for-training-employees-on-cybersecurity\/","title":{"rendered":"7 Tips for Training Employees on Cybersecurity"},"author":34,"featured_media":103290,"template":"","tags":[31555,31163,826],"class_list":["post-103019","magazine","type-magazine","status-publish","has-post-thumbnail","hentry","tag-closing-cybersecurity-skills-gaps","tag-cyber-awareness-training","tag-cybersecurity-training","global_topic_tax-compliance","magazine_issue_tax-fall-2023","magazine_article_type_tax-feature"],"acf":{"sponsored":false,"gated":false,"gated_content_type":"","file_attachment":null,"gated_content":"","form_instruction_header":"To access the full article, please fill out the form below:","pardot_html_embed":"","author_override":true,"author_name":"Matthew George","author_image":"","author_bio":"Matthew George is the vice president of marketing at ExitCertified. Matthew has worked in the education industry for over 13 years in various marketing roles and countries. In this time, he's seen technology evolve and change repeatedly, especially the importance of organizations keeping employees' skills up to date. He is passionate about enabling organizations to get the right skills and expertise from an industry-leading and authorized training company such as ExitCertified. Email Matthew.<\/a><\/span>","excerpt":"Your cybersecurity team and prevention technologies are separate layers of protection. Your employees play another equally important role in protecting your data, so annual training is not enough.","main_content":"Organizations are attacked by cyberthreats daily. They disrupt operations, tarnish reputations and cost companies millions of dollars. As of 2023, the average cost of a data breach globally amounted to $4.45 million, according to IBM<\/a>. It\u2019s no wonder that every organization, no matter how big or small, needs cybersecurity awareness training to help combat cyberattacks.\r\n\r\nBelow are seven cybersecurity tips to help keep your company safe from threats.\r\n

1. Train Everyone, Including Executives, at Least Twice a Year<\/h2>\r\nYour cybersecurity team and prevention technologies are separate layers of protection. Your employees play another equally important role in protecting your data, so annual training is not enough.\r\n\r\nCyberattackers target everyone in the organization, including C-level executives, to steal their login credentials and then log into their email accounts. After attackers obtain an executive\u2019s login credentials, they may send an email from that person\u2019s email address to employees \u2014 often in finance \u2014 instructing them to take immediate action, such as paying an invoice to a bank account (which is controlled by the hacker). No matter where employees sit on your organization chart, everyone is a target.\r\n\r\nThe training should provide examples of situations in which employees need to make decisions about the proper action that should be taken. Training videos should quiz employees intermittently and prohibit them from proceeding to the next part until they answer correctly. The video should then explain the rationale for the proper answer.\r\n

2. Ensure Retention<\/h2>\r\nOrganizations that engage and train their workforce only annually or on an ad-hoc basis cannot effectively change behavior. The SANS Institute 2022 Security Awareness Report recommends that organizations communicate to, interact with and\/or train their workforce at least once a month. Ensure the training program you provide is up to date with the latest recommendations for responding to suspicious activities.\r\n

3. Allow Flexibility in the Training<\/h2>\r\nWhile a course may only last 30 or 45 minutes, people get interrupted and often don\u2019t have time to finish a course at once. Make sure that if they have to leave in the midst of the training, they won\u2019t lose their place and have to restart the program. They should be able to continue where they left off. And if they feel the need to go back and review an earlier section, they should be able to do so without having to start from the beginning.\r\n

4. Continually Test Employees<\/h2>\r\nYour cybersecurity team should periodically conduct phishing tests to see which employees fall for the ruse. For example, the team could create fake emails purportedly from the HR department to ask people to update their home contact information. Attackers often send bogus emails asking people to update their personal contact information. It\u2019s not their contact information that attackers are after.\r\n\r\nWhen people go to update their information, they first are asked to log into the human resources (HR) system, and those login credentials are exactly what the attackers track, allowing them to sign in as an employee. These tests can show you which employees are likely to fall for scams and serve as teaching moments. When they fall for a phishing email, the employee should be sent an automatic notice that this was a test that they failed and cite the behavior the employee should have taken. Employees need to learn that even though an email may seem as if it is coming from someone within the company, it\u2019s essential to double-check with the actual sender.\r\n\r\nRather than replying to an email that appears suspicious, employees should use the email address in their directory to send a new email to the purported sender questioning them about the suspicious email.","full_width":false,"content_band":[{"acf_fc_layout":"social_callout","blockquote":"Cybersecurity must be made part of the company culture"},{"acf_fc_layout":"content_area","wysiwyg":"

5. Make Cybersecurity Awareness Part of the Company Culture<\/h2>\r\nCybersecurity must be a part of the company culture and discussed regularly in meetings so that it\u2019s always on people\u2019s minds. Whether you use Outlook or another email application, there should be a tool for suspicious emails. When receivers are not sure whether an email is authentic or fake, they should be able to click that icon to automatically forward it to the cybersecurity team to review it and respond that day, whether or not it was a threat. Make sure employees understand there should be no sticky notes near their desks with passwords, even if they work from home. In the office, display cybersecurity posters on the walls and cybersecurity articles on the intranet and in company newsletters to ensure cybersecurity is always top of mind.\r\n

6. Teach Executives About Fines and Penalties for Data Breaches or Non-Compliance With Security and Privacy Laws<\/h2>\r\nThe Payment Card Industry Data Security Standard (PCI DSS) fines vary from $5,000 to $100,000 a month\u00a0for non-compliance. In September 2022, the Securities Exchange Commission<\/a> (SEC) announced that Morgan Stanley Smith Barney LLC (MSSB) agreed to pay a $35 million penalty to settle the SEC charges for failures to protect the personal identifying information of customers.\r\n\r\nNon-compliance with federal laws can cost your organization dearly. As with other training-related business areas, sometimes the surest route to real change is to demonstrate the real impact on your bottom line that cybersecurity awareness can have.\r\n\r\nIf you want to do business with state or federal agencies, you may need to show that all your employees must undergo annual cybersecurity compliance training. If you have contracts with federal agencies and aren\u2019t in compliance, you could lose the business and the ability to bid on other federal work.\r\n\r\nDifferent job roles may need different training. For example, sales and marketing people may need to know privacy laws like the General Data Protection Regulation (GDPR) and people who work in legal and compliance will need to know about incident response protocols and the process for notifying clients after a breach. Training requirements may vary based on roles and levels of responsibility. A privileged user, such as a system administrator, engineer or developer, may have different requirements than a standard user, who may have different requirements than an executive. The best way to keep track of who has taken your training and passed the test is with a learning management system (LMS) or a learning experience platform<\/a> (LXP).\r\n

7. Provide Additional Cybersecurity Training for IT Professionals<\/h2>\r\nWhile everyone at an organization needs basic cybersecurity training to be wary of possible threats like social engineering and malicious links, information technology (IT) professionals need special training to secure your network and the data you hold in the cloud<\/a>. Even if they don\u2019t work in cybersecurity, the IT team needs special training. For example, web developers need to be able to ensure that they are using best practices to write code. If there are holes in the code, attackers can enter your network.\r\n\r\nThere are a number of vendor-neutral industry certifications that are focused on cloud security that cover cybersecurity for a wide range of technologies, tools and platforms. The Computing Technology Industry Association (CompTIA), Certified Information System Security Professional (CISSP), CCSP and Certified Information Security Manager (CISM) are some of the more popular vendor-neutral certifications.\r\n\r\nOrganizations will also need special cybersecurity training to protect their data in their public cloud. Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and Oracle Cloud Infrastructure (OCI) all have different security protocols. Optimal Azure cloud security looks different than optimal AWS security, which in turn is different from the best solution for a multicloud environment. Understanding the different security practices associated with each cloud provider makes it easier to develop a solution that keeps your data secure.\r\n

In Closing<\/h2>\r\nCybersecurity is everyone\u2019s responsibility. Humans are the weakest link in your cybersecurity chain: Ensuring everyone takes cybersecurity awareness seriously can enhance an organization\u2019s overall security posture and create a resilient defense against evolving cyberthreats. The most mature awareness programs are those that have support from leadership. To effectively engage leadership, explain the importance of continual cybersecurity awareness training and effectively managing your organization\u2019s human risk."},{"acf_fc_layout":"social_callout","blockquote":"Cybersecurity is everyone\u2019s responsibility."},{"acf_fc_layout":"content_area","wysiwyg":"[hubspot type=\"form\" portal=\"47185625\" id=\"8e984523-15be-4a3a-adc5-67ef0dbd816c\" version=\"v4\"]