Organizations are increasingly faced with threats from sophisticated criminal organizations and nation-state actors. To mitigate the risks posed by cyber criminals, organizations must secure and protect their proprietary and sensitive information. They must also commit to training their employees to do their part to protect proprietary and sensitive information. Cybersecurity awareness and training programs educate employees about cybersecurity threats, risks and best practices as well as how to navigate the ever-changing and evolving threat landscape.
The importance of raising cyber awareness
Cybersecurity consists of people, policy and technology. Of the three, people and human behavior deserve the most attention because of the risks that come with habit, negligence and carelessness. Attackers adapt constantly, exploiting human error and negligence alongside system vulnerabilities. As a result, organizations must provide awareness and training that keeps pace with the evolving threat landscape and focuses heavily on the human factor.
Due to the COVID-19 pandemic and the shift to remote work for many employees, organizations understand now more than ever that cybersecurity needs to be part of the organization’s culture, whether employees are working from home or in the office at the company’s headquarters. As organizations in the United States (U.S.) and abroad work to meet the challenges of cybersecurity, many C-Suite executives acknowledge the importance of employee training programs and the need for security policies and controls. C-Suite discussions about cybersecurity awareness and training programs consider the human factor, insider threats and cybersecurity behavior, and they typically raise questions about how effective those programs actually are.
The status of cybersecurity training
Recently, TalentLMS conducted a survey of 1,200 U.S. employees to gauge their awareness and knowledge of cybersecurity risks. TalentLMS also quizzed employees on fundamental cybersecurity principles. The quiz questions ranged from password strength to suspicious emails. Less than 1% of respondents answered every question correctly.
The most interesting survey responses were that:
- 69% of the respondents actually received cybersecurity training from their current employers, but less than 1% of all respondents answered all quiz questions correctly.
- 77% of employees reported that their company had an established cybersecurity policy, but 19% were unfamiliar with the policy.
- 26% of employees shared that they stored their passwords on a piece of paper.
Only 69% of respondents reported receiving cybersecurity training from their current employers. Given recent world events and cyberattacks affecting just about every sector, every organization whose employees use information technology should require them to complete cybersecurity awareness training at least annually. Failing to train employees increases the risk of breaches caused by human error.
Further, cybersecurity awareness and training are only part of the equation for success. Organizational leadership must also focus their efforts and resources on creating a culture of cybersecurity through employing the right people with the right attitudes towards cybersecurity, training and testing employees regularly as well as offering rewards and recognition to reinforce behavior that is consistent with good cyber hygiene.
Organizations must establish cybersecurity policies, and most importantly, the policies must be clearly communicated to all employees and made available in multiple formats (e.g., company intranet, employee handbook, weekly information security tips). In the TalentLMS survey, 77% of employees reported that their company had an established cybersecurity policy. That is a fairly high figure, but it leaves 23% of respondents who either work for organizations without a policy or do not know that one exists, which is unsettling. Riskier still, 19% of respondents reported that they were unfamiliar with their company’s cybersecurity policy, and a policy that employees cannot describe does not change their behavior. Every organization whose employees use IT should require written acknowledgment of, and agreement to follow, all cybersecurity policies.
Protecting proprietary and sensitive information is critical to an organization’s success. One way to protect sensitive information such as customer and employee data is to require strong, unique passwords, which prevent unauthorized access to accounts and devices. The survey results show that some respondents stored their passwords in ways that could expose their employer to unnecessary risk of a data breach (e.g., saved in their browser or kept in plain text). Specifically, 26% of respondents indicated that they stored their passwords on a piece of paper. A password left on a desk, like any sensitive document left unattended, can be read by anyone who walks past, and this kind of negligence increases the risk of a data breach; a password manager is the practical alternative to writing passwords down.
The survey and quiz results make it clear that while many respondents received cybersecurity awareness training, they are not consistently applying that knowledge or practicing good cyber hygiene. This gap between knowledge and behavior has far-reaching consequences.
“Apart from the conclusion that companies do their cybersecurity training the wrong way, I find it very surprising and worrying that the highest fail rates on our quiz – by a sweeping majority – were reported in tech-related industries,” commented Victor Kritakis, CISO at TalentLMS.
“Also, we saw an unexpectedly high fail rate in the finance industry, where security is very critical. At the same time, we found that employees in healthcare had the best scores. And a possible justification for this is that good control mechanisms, strict legal frameworks and regular audits, as is the case for the healthcare industry in the United States, lead to better informed employees,” added Kritakis.
The findings of the survey have far-reaching implications for organizations that cannot manage their employees’ cybersecurity behavior, because unmanaged behavior increases the organization’s exposure to cyber attacks.
A cyber attack may compromise customer privacy, business operations, intellectual property or employee privacy, and its effects include reputational damage and, where a breach occurs, the costs of responding to it. To mitigate the risks associated with the human factor, and as government and industry continue to develop their cybersecurity programs, awareness and training programs will need to give trainees opportunities to apply what they have learned: what to do, what not to do, and best practices.
Humans are our strongest ally when it comes to securing proprietary and sensitive information. A properly trained employee at a global company that has created a culture of cybersecurity understands that their cybersecurity practices can affect co-workers in another country. Conversely, an employee in Texas who lacks effective cybersecurity awareness and training, or the willingness to apply it, can through negligence or carelessness affect their entire company, including colleagues in Singapore.
Another global implication relates to the global supply chain. In the wake of recent cyberattacks, cybersecurity professionals agree that supply chain security is a must-have. Thanks to advances in technology, we are globally connected both personally and professionally. Given the interconnections between the public and private sectors and the scale of supply chain risks faced by government and industry, managing risks to information and communications technology (ICT) supply chains requires organizations to strengthen their security posture.
Training and audits enhance cybersecurity posture
One way to strengthen the security posture of an organization is to effectively train the workforce to mitigate risks associated with human error and recognize and respond to threats. We must all work together to enhance the security of the ICT supply chain.
“Training your employees on cybersecurity should be taken very seriously,” stressed Kritakis. “It shouldn’t be theoretical and boring for your staff but hands-on and offer real-life examples. Also, cybersecurity training should be part of the onboarding process but should be also repeated regularly. The training material should be updated because threats change and become more and more sophisticated.”
Another useful tool is conducting internal security audits regularly.
“It is equally important for companies to conduct internal security audits. We’ve seen that these audits help identify compliance gaps and which departments or individuals are more vulnerable to attacks due to lack of cybersecurity awareness. They also help adjust training and policies and see what cybersecurity areas you should focus on – passwords, phishing, etc. Finally, having established security policies helps with employees’ awareness. My advice for companies would be to follow and comply with a standard security framework such as ISO 27001 or, for Europe, GDPR,” added Kritakis.
Cybersecurity awareness and training programs are necessary and should be required as part of a holistic approach to establishing and maintaining a cybersecurity program. Surveys and assessments have demonstrated that cybersecurity training and awareness alone will not improve an organization’s security posture because they are not enough to change or manage employees’ behavior. Changing employee behavior requires a culture of cybersecurity that’s developed by strong cybersecurity leadership and reinforced through controls, policy and ongoing awareness and training.
About the Author: Ambler is an attorney with a background in corporate governance, regulatory compliance and data privacy. She currently consults on governance, risk and compliance, enterprise data management as well as data privacy and security matters in Washington, DC.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.