With another Cybersecurity Awareness Month behind us, this is the perfect time to kick off or refresh a security awareness and training program for employees. The more that non-technical staff employees know about security issues, the better they can recognize, report, and even prevent threats.
Comprehensive security training is a great way for organizations to enlist employees in the fight against cyber threats. At the same time, such training is highly valued by cybersecurity teams which appreciate having knowledgeable individuals who support their own expertise.
Most organizations rely too heavily on their cybersecurity pros to protect them from threats, ignoring the painful reality that human error is by far the most common cause of security breaches.
IBM has found that human error is the cause of up to 95 percent of cybersecurity breaches, and estimates that a data breach costs a company $4.24 million per incident on average.
Human error can be drastically reduced by raising all employees’ awareness of cybersecurity issues. The most effective way to do that is using year-round training. Regular training courses, offering theory-based and hands-on learning, are essential so employees can gain and keep knowledge. Occasional training simply doesn’t help employees to develop tangible cyber skills.
Go Beyond Basic Training
In too many cases, organizations expose employees to pretty much the same basic content each October, presenting such topics as ‘how to spot a phishing email,’ ‘understanding malware and ransomware’, and ‘the dangers of opening unknown attachments.’
While conventional security awareness offerings, such as simulated phishing and video-based training, are important and useful, an over-reliance on them does a profound injustice to the cybersecurity curiosity of employees — curiosity that is best approached through hands-on training.
Offering cybersecurity training across all departments makes a lot of sense given the sophisticated, multi-pronged attack methodologies used by cyber criminals.
In general, cross-trained people in DevOps, IT, and other departments can greatly enhance an organization’s overall security culture.
Employee Hands-on Training is not Difficult
There are plenty of resources (including free ones) that cybersecurity practitioners can use to expose interested employees to security concepts in action.
A good way to proceed is to create an outline that covers basic cybersecurity terminology and concepts, includes an overview of the threat landscape and threat actors, and then delves into the nuts and bolts of cybersecurity, security operations, digital forensics, data analysis, and so on.
Ideally, the security team should present employees with several comprehensive modules offering theory-based and hands-on learning. This process can elevate cybersecurity literacy cross-functionally throughout an organization.
Day in the Life of the SOC
Additionally, cybersecurity teams can host a tour of the security operations center (SOC), or even a more hands-on day in the life of the SOC. The day visit should be built around modules and challenges that present real IT infrastructure, real threats, and real solutions.
The goal of the visit should be to inspire new cybersecurity advocates cross-functionally and to identify hidden talent ideal for a SOC Analyst position.
As skills are developed over time, Cybersecurity Awareness Month can be used to host more interactive cybersecurity exercises typically reserved for cyber practitioners. This is a great way to build gamification, team accomplishment, and individual recognition into a cybersecurity culture that all employees can understand and value.
To combat constant cybersecurity threats, reduce human error, and cut the punitive costs of breaches, organizations need to provide all employees with advanced, year-round training. Cybersecurity advocates throughout the company are the best defense against threat actors.