SecurityWeek

Phishing

Enlisting Employees to Fight Cyber Threats

With another Cybersecurity Awareness Month behind us, this is the perfect time to kick off or refresh a security awareness and training program for employees. The more that non-technical staff employees know about security issues, the better they can recognize, report, and even prevent threats.

Comprehensive security training is a great way for organizations to enlist employees in the fight against cyber threats. At the same time, such training is highly valued by cybersecurity teams which appreciate having knowledgeable individuals who support their own expertise.

Year-Round Training

Most organizations rely too heavily on their cybersecurity pros to protect them from threats, ignoring the painful reality that human error is by far the most common cause of security breaches.

IBM has found that human error is the cause of up to 95 percent of cybersecurity breaches, and estimates that a data breach costs a company $4.24 million per incident on average.

Human error can be drastically reduced by raising all employees’ awareness of cybersecurity issues. The most effective way to do that is year-round training. Regular training courses, offering theory-based and hands-on learning, are essential so employees can gain and keep knowledge. Occasional training simply doesn’t help employees develop tangible cyber skills.

Go Beyond Basic Training

In too many cases, organizations expose employees to pretty much the same basic content each October, presenting such topics as ‘how to spot a phishing email,’ ‘understanding malware and ransomware,’ and ‘the dangers of opening unknown attachments.’

While conventional security awareness offerings, such as simulated phishing and video-based training, are important and useful, an over-reliance on them does a profound injustice to the cybersecurity curiosity of employees — curiosity that is best approached through hands-on training. 

Offering cybersecurity training across all departments makes a lot of sense given the sophisticated, multi-pronged attack methodologies used by cyber criminals. 

In general, cross-trained people in DevOps, IT, and other departments can greatly enhance an organization’s overall security culture. 

Employee Hands-on Training Is Not Difficult

There are plenty of resources (including free ones) that cybersecurity practitioners can use to expose interested employees to security concepts in action.

A good way to proceed is to create an outline that covers basic cybersecurity terminology and concepts, includes an overview of the threat landscape and threat actors, and then delves into the nuts and bolts of cybersecurity, security operations, digital forensics, data analysis, and so on.

Ideally, the security team should present employees with several comprehensive modules offering theory-based and hands-on learning. This process can elevate cybersecurity literacy cross-functionally throughout an organization.

Day in the Life of the SOC

Additionally, cybersecurity teams can host a tour of the security operations center (SOC), or even a more hands-on day in the life of the SOC. The day visit should be built around modules and challenges that present real IT infrastructure, real threats, and real solutions.

The goal of the visit should be to inspire new cybersecurity advocates cross-functionally and to identify hidden talent ideal for a SOC Analyst position.

As skills are developed over time, Cybersecurity Awareness Month can be used to host more interactive cybersecurity exercises typically reserved for cyber practitioners. This is a great way to build gamification, team accomplishment, and individual recognition into a cybersecurity culture that all employees can understand and value.

Conclusion

To combat constant cybersecurity threats, reduce human error, and cut the punitive costs of breaches, organizations need to provide all employees with advanced, year-round training. Cybersecurity advocates throughout the company are the best defense against threat actors.

Written By

Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.
