Security training plays a critical role in improving an organization’s cybersecurity posture.
Small to midsize businesses (SMBs) are aware of the dangers of cyberattacks, and most are doing everything they can to beef up security. But is that enough?
Installing antivirus software and occasionally warning employees not to open suspicious emails won’t protect sensitive data or satisfy a growing number of regulatory requirements. Attacks are constant, attackers are persistent, and their methods are sophisticated. As a result, security and compliance require round-the-clock vigilance.
Managed security services (MSS) — the outsourcing of network security to a managed services provider — are the best option for SMBs that are serious about stopping cyberattacks. Managed services providers can supply the focus, expertise and technology that most SMBs lack, at a lower cost than purchasing enterprise-grade tools and managing security in-house.
By outsourcing, SMBs can get out of the security business, save money and focus on core business functions. Real-time network monitoring, patch management, reporting, strategic planning and other valuable services will be managed by a dedicated team of IT experts.
However, outsourcing security doesn’t absolve the organization or its employees of all security-related responsibilities. Every user in the organization must understand the latest security threats and his or her role in combating them.
Why Security Training Is Critical
The weakest link in the security chain continues to be human beings. The use of email phishing scams and social engineering — a method in which hackers interact with employees to steal credentials, distribute malware and carry out cyberattacks — continues to expand. As sophisticated as today’s cybercriminals are, they just want access to systems and data, and the easiest way to gain access is through employees. Attempting to defeat advanced security software is far more difficult.
The increased targeting of employees underscores the need for security awareness training. Untrained employees make the hacker’s job easy. Too many people bring a “share everything” social media mentality to the workplace and give their passwords to others without considering the consequences. They also fail to log out of their accounts, and they click on email attachments and links without considering whether they might be malicious.
Formal training, documented security policies and enforcement of those policies are essential to improving network security and ensuring regulatory compliance. All too often, security and compliance are assumed to be the responsibility of a select few. However, employees who fail to follow security policies through carelessness or ignorance can cause a security breach that brings down the network or compromises sensitive information.
Establishing a Security Training Program
A security awareness program should include both general best practices and the specific responsibilities of individual employees. The training should give employees a thorough understanding of phishing and other hacking methods, and the procedures for reporting a suspected breach to minimize its impact.
Security should be covered in training for new employees and in ongoing refresher training for all employees. In fact, security awareness programs are now required by the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and other regulatory standards.
The biggest problem with most security awareness programs is the absence of clear goals. Which behaviors need to change? What is each employee’s role? What is the penalty for violating company policy, and how will enforcing it improve security?
Many programs also focus on certain topics without having assessed the risk related to those topics. Organizations need to understand the true problem, and how employees typically encounter it, in order to maximize the effectiveness of their security awareness programs.
Security is an all-hands-on-deck, around-the-clock process, even when security is outsourced to a managed services provider. Every employee needs to be vigilant, and every organization needs to provide its employees with the necessary training to prevent a breach.