How To Train Employees Against Cyberattacks
This week, companies are struggling to cope with another massive cyberattack that crippled computers worldwide. This attack follows on the heels of the May ransomware attack that affected networks in more than 150 countries. The attacks are increasing exponentially. In 2013, the cost of cyber crime was estimated to be $100 billion. By 2015, that number had quadrupled to $400 billion and IBM CEO Ginni Rometty was calling it the “single greatest threat to companies worldwide.”
Cyberattacks have now reached epidemic proportions. The cost of data breaches is expected to reach $2.1 trillion globally by 2019. Everyone, from the largest companies to the smallest, is vulnerable.
We have to start taking a more modern, agile approach when it comes to training employees about cyber security threats. When you think about all the time and productivity lost after an organization becomes infected, the costs are becoming insurmountable! Besides this, some companies have been unable to recover the reputational losses that follow a data breach. So, it’s more critical than ever to train your employees properly if you don’t want to risk losing your business.
Here are 5 tips to effectively train employees against cyberattacks.
1. Make Good Security Practice Part Of Everyday Work
With cyber security, there are no second chances. Once the breach occurs, it is too late. We have to entrench the behaviors we want to see from our employees before an attack occurs.
A single training session that happens once a year, at most, isn’t enough to ingrain good security practices in your employees’ minds. Your people will quickly forget what they’ve learned. And when a cyberattack does happen, this means they’ll be more likely to make a mistake that could put your company at risk.
To make sure your people don’t forget what they’ve learned, you need to fit small amounts of security training into their regular workflow instead of throwing a bunch of information at them in a single session. This is one area in which good practice absolutely has to be rote. It’s way too easy for employees to click on an email or follow a link. Teach the basics and then reinforce them on a daily basis through microlearning and proven brain science techniques, like spaced repetition and repeated retrieval, until the information becomes part of what everyone just simply does.
2. Engage Your People In Good Security Behaviors
Good security practices don’t always equate to fun learning. Use gamification techniques like game play, leaderboards, points and rewards to engage employees in the training content. Besides this, find a system that allows you to adapt learning to address any gaps in your employees’ security knowledge. This will ensure employees always receive the personalized training they need to get up to speed, while keeping them engaged. They’ll learn what they need to know and they’ll be far more likely to process and remember the information. An added benefit is that you’ll be able to review metrics that go beyond simple pass/fail scores to understand exactly what each individual employee knows and doesn’t know to help you be more proactive with your coaching.
3. Establish An Accessible And Quickly Searchable Database Of Knowledge
In case your employees can’t remember a critical piece of information, make sure they can find the information they need on a security concern quickly and easily. This doesn’t mean in some obscurely named file in someone’s office or on a clunky computerized filing system. If they have to waste time searching or making calls to get information, you’ve already lost many of them and they’ll likely just take a chance and try something. Make information easy to find and they will use it. Create a knowledge database that is fast, mobile, accessible and easily searched by keyword. Your employees search for personal information on Google several times each day; searching for key security information should be just as easy. Don’t force them to jump through hoops, because most won’t bother.
4. Establish A Communication System That Allows You To Reach All Of Your People Quickly And Immediately
The one constant about cyber crime is that it is constantly evolving. No attack is exactly the same as the last.
When a new threat emerges, you can’t push out that outdated training course on your LMS or wait for the next training event to get information to your people. By then it will be too late. You need a way to push out critical information and refresher training to your people immediately. A training system that establishes a line of communication for all of your people and is able to reach everyone instantly, including your deskless workforce that doesn’t have access to corporate email, is a key part of your defense.
5. Don’t Ignore Your Deskless Workers
We are tempted to focus on our desk-based workers when we talk about security threats. Don’t be complacent. Anything with an internet connection has an inherent risk and, in fact, the Internet of Things (IoT) could be the next big security threat faced by your company. Researchers have already discovered that smart thermostats can be used to expose networks to ransomware and the CIA has hacked into systems via smart TVs, a tactic that, among others, has already been leaked to hackers. This puts your POS and any other smart or internet-accessible device at risk. Your deskless workers need to be given the same training along with the same repetition and review and the same access to information.
Cyberattacks are not going away, and while no company can be completely immune, good training practices can reduce your exposure significantly.