“I opened the attachment because the email looked like it was from my boss.”
“I needed to work from home and my Internet has been spotty, so I just saved the documents to a USB drive.”
“I paid the ransom because I didn’t want to get in trouble, but I still can’t access my files.”
Is it any wonder that so many security breaches trace back to employee carelessness, negligence, or a general lack of awareness about security threats and best practices?
According to the 2019 Chubb Cyber Risk Survey, seven in 10 respondents said their organization has excellent or good cybersecurity practices. However, only about three in 10 said they receive annual cybersecurity training. More than one-third said they learn about cybersecurity from mainstream media (35 percent) and family and friends (34 percent). Just one in five said they learn about cybersecurity from their employer.
If you aren’t training your employees, is it accurate to rate your cybersecurity practices as excellent or good? Digging deeper into the report, we found more troubling signs that indicate a lack of employee security training. Just 31 percent of respondents regularly change passwords, while 49 percent have shared passwords with other people.
Employee security training is not a new concept, but the importance of training and the training programs themselves have changed. Threats and attack techniques are constantly evolving, so organizations need to offer ongoing training that goes beyond passive manuals and videos. Operate under the premise that nobody cares about cybersecurity and develop a training program that makes cybersecurity part of your company culture.
We recommend using real-world examples of phishing scams, ransomware attacks, and other threats. What do they look like? What should you do when you encounter these threats? If you click a malicious link or open a malicious file, what should you do next? Make clear that the expected response is to report the incident to IT or security immediately, and that employees will not be punished for reporting a mistake; an attack that is hidden for fear of getting in trouble is far more costly than one reported within minutes. Make your training content engaging and interactive. Encourage discussion and request feedback about what the organization can do to improve security while maintaining a high level of productivity.
Keep in mind that compliance requirements are also evolving and becoming stricter. Employee security awareness training is a requirement for compliance with the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and other industry regulations. To close any security gaps, you may want to bring in an outside provider that will ensure your employee training satisfies compliance requirements and covers the latest threats.
Verteks offers the KnowBe4 program, an employee security training platform that uses simulated phishing, ransomware, malware and social engineering attacks to provide real-world training. Interactive modules, videos, games, posters and newsletters engage users and educate them about the latest security threats. KnowBe4 provides baseline testing to assess how prone your organization is to certain types of attacks, while enterprise-grade reporting generates risk scores at the individual employee level to show how well the training is working.
Lack of security awareness is a fixable problem. Let us help you implement an ongoing employee security training program using the KnowBe4 platform.