Cyber threats are becoming increasingly sophisticated. According to research, cybercrime has climbed to the “2nd most reported economic crime, affecting 32% of organizations”.
Ensuring that employees are properly trained in cyber security should be an important part of onboarding and ongoing learning within any organization. All employees, from interns to the C-suite, should know how to identify cyber security risks to help protect both organizational data and personal information.
However, how cyber security training is done is just as important as the training itself. A recent misfire happened when Tribune Publishing Co. sent practice phishing emails to their employees, telling them that they had received a bonus of between $5,000 and $10,000. When employees clicked the link, they were informed it was a test they had failed and were redirected to cyber security training.
While playing with people’s emotions like this would be insensitive at the best of times, it's a definite misstep during a pandemic when cutbacks and layoffs had already happened within the Tribune. Stu Sjouwerman, CEO of the cyber security training company KnowBe4 (used by the Tribune to conduct this test), said this about the incident: "Simulated phishing tests need to be sensitive to the existing corporate culture and circumstances". So, how should cyber security training be done?
Your organization should have a cyber security policy in place.
One of the biggest parts of ensuring that employees can recognize cyber security risks for businesses is having up-to-date information and policies available. Your organization should provide cyber security training—either through IT or a third party—and have materials for employees to review.
These materials should also include a clear policy about what type of information employees should and shouldn’t share online, how to set up secure passwords and security questions, and what to look out for when receiving emails or other communications, e.g. the sender's address, typos, and out-of-the-ordinary requests.
Attacks can be costly for businesses, with one survey noting that the companies included in their research experienced “more than one cyber attack each month and spent an average of almost $3.5 million annually to deal with attacks”.
Try making cyber security fun with quizzes and contests.
Sending out quizzes can be an interactive (and successful) way to train employees about cyber security threats.
Quizzes can include questions such as how to determine if an email is from a reliable sender, which password combination is best, and how to tell if a link is safe to click—all of which are potential cyber security risks for businesses.
Two-factor authentication can add a second layer of security to your organization.
Another great security measure is setting employees up with two-factor authentication (or 2FA) on their primary accounts. 2FA can dramatically increase digital security and make it much harder for hackers to gain access to accounts.
2FA adds a second step to signing into an account, usually by verifying a code sent to a secondary email address or a phone, when the login attempt comes from an unrecognized computer or browser. This means that even if a hacker obtains a user's password, they are not usually able to gain access to the account itself—meaning that your employees and your company data are protected.
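The flow described above, modelled as an added example (not code from the article or from any 2FA vendor): a correct password from a device the account has already confirmed is enough, while a login from an unrecognized device must also be confirmed with a short-lived, single-use code delivered out of band. The device identifier, the `send_code` callback and the in-memory stores are assumptions for the illustration.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code sent by SMS or email is only valid for 5 minutes
MAX_ATTEMPTS = 3         # stop guessing after a few wrong codes


class SecondFactorGate:
    """Constructed model of step-up 2FA for unrecognized devices (in-memory only)."""

    def __init__(self, send_code, now=time.time):
        self.send_code = send_code      # assumed delivery hook: send_code(user, code)
        self.now = now                  # injectable clock so expiry can be exercised
        self.known_devices = {}         # user -> set of confirmed device ids (assumed)
        self.pending = {}               # user -> [code, expires_at, wrong_attempts]

    def login(self, user, password_ok, device_id):
        if not password_ok:
            return "denied"
        if device_id in self.known_devices.get(user, set()):
            return "granted"            # recognized device: no second step needed
        code = f"{secrets.randbelow(10**6):06d}"   # random 6-digit one-time code
        self.pending[user] = [code, self.now() + CODE_TTL_SECONDS, 0]
        self.send_code(user, code)      # delivered to the phone or secondary email
        return "second_factor_required"

    def verify(self, user, device_id, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return "denied"             # no challenge outstanding for this user
        code, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[user]      # expired or too many guesses: start over
            return "denied"
        entry[2] += 1                   # count this attempt before comparing
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return "denied"             # wrong code; the challenge stays pending
        del self.pending[user]          # a code is single use
        self.known_devices.setdefault(user, set()).add(device_id)
        return "granted"                # device is now remembered for this user
```

A password alone never reaches "granted" from a new device, which is the property the paragraph describes.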