A real-life story
An employee finds a USB drive in the parking lot on his way into work; it’s marked “Bonuses.” The attacker who left this knows he’ll be inside your system within two hours. If the USB had been marked “Porn” he’d be in within 20 minutes.
Employee training in cyber security is essential in today’s ruthless world. Small and mid-sized businesses are increasingly easy targets because they struggle with the resources to protect themselves.
Why is this so serious?
Most small and mid-sized companies are not nearly as secure as they like to think they are, and their managers are scared about the wrong nightmares. For example:
- Most breaches are caused by internal employees or by vendors who hold your data, not by an outside hacker.
- Almost 60% of those come from accidents or goofs, including phishing, not from malicious assailants.
- 75% of breaches come from employees working outside the office on laptops, phones, or tablets.
- Senior managers are much more likely to be the biggest offenders – they have the most access to data, and they don’t think the rules apply to them!
What does good training look like?
- Be simple and clear: security guidelines must come with the reasoning behind them – explain why they are necessary, because rules or policies alone do not work!
- Management first, then employees, must clearly understand what cyber security means, what you are protecting, and how hacks or goofs can happen.
- Effective training must include regular updates, reminders, discussions, and examples.
Recently, a Snapchat employee responded to a very real-looking email purportedly from the CEO asking for payroll information. Oops! Snapchat appropriately said, “When something like this happens, all you can do is own up to your mistake, take care of the people affected, and learn from what went wrong.”
- Give recognition to those who discover a possible problem, and don’t punish inadvertent goofs or whistleblowers even if the alarm is false; a false alarm is better than no alarm at all.
- Get feedback, listen to staff comments and frustrations, and use them to make improvements.
This doesn’t have to be complicated or expensive, but it needs senior management leadership and support. A security-conscious culture can pay off big-time when everyone is engaged as a defender of company assets.
Here are some resources:
- An eBook from Kaspersky Lab – http://go.kaspersky.com/rs/kaspersky1/images/Top_10_Tips_For_Educating_Employees_About_Cybersecurity_eBook.pdf
- Stay Safe Online – employee training – https://staysafeonline.org/business-safe-online/train-your-employees
- SkillBridge cyber security training – http://www.skillbridgetraining.com/index.shtml