In this interview with Help Net Security, Brent Johnson, CISO at Red Tuna, talks about the importance of making cybersecurity training a priority for all organizations and why it is often an elusive goal.
There has been a lot of talk lately about the Great Resignation, and companies have found themselves trying to fill positions at all costs. Has cybersecurity training suffered a lot during this process?
In a perfect world, every employee taking on a new role would receive all the cybersecurity training they would need to be able to do their jobs safely. However, as companies scramble to fill positions, there is a high probability that cybersecurity training will be a “check the box” exercise and not relevant to a person’s role or privilege level. This can lead to dangerous side effects since most businesses and employees are daily targets of some kind of cyber threat. For example, inadequate cybersecurity training leaves businesses even more vulnerable to common threats like phishing and ransomware.
With more at stake than ever to protect sensitive data from being compromised, companies must make cybersecurity a priority for all new hires, ensuring all employees are up to date on the latest best practices to protect themselves against costly attacks.
How can organizations make cybersecurity training a priority?
Cybersecurity training must become a top-down priority. A successful cybersecurity training program needs the involvement of senior management, and it must be made clear to employees that security is taken very seriously throughout the organization. Cybersecurity and associated training programs must be embedded in corporate policies and allocated the necessary budget to be successful. Without leadership investment, good intentions to improve cybersecurity training can never be translated into action.
Why is it important for all employees to be aware of cybersecurity best practices? Is this really feasible?
With companies losing an estimated $15 billion to phishing attacks alone in 2021, it’s clear there’s significant value in employees practicing good cyber hygiene. It should also be noted how many of these attacks were likely preventable through training programs. These attacks can start with a seemingly harmless click, so companies should train all employees, especially those in high-risk positions, on how to spot phishing attacks and email fraud to avoid falling victim.
Simply training on these types of attacks can go a long way toward increasing employee cybersecurity awareness, not to mention potentially saving the company millions of dollars by preventing attacks. Phishing and other social-engineering-type attacks have evolved, but they definitely have similar red flags to watch out for. It is important that cybersecurity programs encompass both the old and the new tricks used by threat actors.
What are the obstacles to cybersecurity training, and how can they be overcome?
Like most training, finding a program that keeps employees interested and engaged can be challenging. But when one wrong click has the potential to cost millions of dollars and ruin a company’s reputation, the stakes are high. While it can be difficult to strike the right balance between too much and too little in a cyber training program, I’ve found that employees are more likely to stay engaged and ask questions if the topic is current and relevant. All businesses need to keep training and reminders up to date with current cybersecurity-related events and incidents and reinforce best prevention methods.
It can also be difficult to tailor cybersecurity training to specific job roles, and in my experience, most companies resort to giving everyone the same general training. For example, system administrators, while generally more cybersecurity savvy, have greater access and are more valuable targets than a company insider. Training programs need to take this variation in job roles into account and plan their training content accordingly.
Do you think employee training will become an essential part of the onboarding program?
As organizations continue to lose billions of dollars each year due to threat vectors like phishing scams, ransomware, and data breaches, it’s clear that a strong cybersecurity training program is a must for any business’s onboarding program. Depending on whether or not a business is subject to any regulatory or compliance standards, cybersecurity training during onboarding is likely already a requirement. Having said that, not all cybersecurity training is created equal.
Many cybersecurity training programs are too general and do not provide employees with the necessary tools to be successful in their specific job or role. Organizations will benefit from making cybersecurity training a strong preventative measure rather than waiting until an attack to invest in this crucial aspect of data breach prevention.