Since 2004, National Cyber Security Awareness Month has been observed in October to drive home the message that securing the internet is everyone’s responsibility. No single individual or entity can secure the internet on its own. By following best practices and educating others, we’re each doing our part. Although the clock is about to run out on October, it’s never too late to build a cybersecurity awareness program within your organization.
Every business that stores any type of personal information should have a cybersecurity awareness training program to reduce the risk of a data breach. My advice: Think of cybersecurity awareness training as a culture that needs fostering, not as a task that needs completing. In this day and age, heightened cybersecurity awareness can influence employees’ decisions that could have great impact — positive or negative — on your business and bottom line.
Training will help your employees identify and stop social-engineering attacks such as phishing scams, which often succeed because employees don’t know what to look for. Think about the incidents your organization has seen this year and how many could have been prevented if the user hadn’t:
>> Clicked that link.
>> Opened that file.
>> Emailed that unencrypted attachment.
>> Provided too much detail to an unidentified caller.
A growing threat targeting employees is the business email compromise, in which criminals attempt to trick employees by forging emails to those with privileged access, such as someone who handles payroll. The forged email might appear to be from the CEO or another high-ranking executive with an urgent request to send money using nonstandard methods. This might sound easy to spot, but according to the Federal Bureau of Investigation’s Internet Crime Complaint Center, there’s been a 1,300 percent increase in identified losses, totaling over $3 billion, related to this scam since January 2015.
Cybersecurity awareness training can also be a cost-effective way to meet other business objectives. Many businesses today are required to meet regulatory standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which in turn require employee education about cyberthreats, appropriate defenses and how to report violations.
Whether your company has an information technology department or not, here are some practical tips to help you start building your program. First, designate a project owner for launching the training. Keep in mind that for most people security is inconvenient. An ideal owner is an executive who can underscore that security is everyone’s job. Remember, culture change doesn’t just happen — it takes planning, resources and time.
Set measurable objectives to help determine whether your training program is successful. Consider what’s most important to your business and build around that, such as the number of cybersecurity incidents over 12 months, and adjust your target as your results come in and your program grows. Tip: Plan ahead to ensure that your annual budget has what you need to keep the program going. Your metrics should show cost savings through reduced security incidents.
For new security training programs, I recommend three general target audiences:
>> One, a course for your IT staff or anyone with administrative privileges on the network covering common security threats and the appropriate responses.
>> Two, a customized course for executives and executive assistants. Executives are a popular target for social engineering attacks and should be made aware of specific threats against them.
>> Three, a general training program for all employees that provides a high-level, nontechnical overview of cybersecurity threats and appropriate responses.
A popular approach is to purchase a computer-based training (CBT) package with a learning management system. Such a package helps you build training content, running from five to 50 minutes, as a series of customized videos and quizzes; bundle it for online distribution; and track who has and hasn’t completed the training. It also provides reports to help measure success.
Businesses that aren’t ready to purchase and run a program can consider a less formal approach, such as a brown-bag lunch-and-learn by an IT specialist, which can be followed up with reinforcement material in a company newsletter or intranet.
Whatever path you select, it’s important to maintain momentum for your initiatives. For best results, spread the security refresher training throughout the year, saving an annual awareness push for October.
Matt Freeman is director of managed services, which includes security awareness training, incident response, forensic analysis and penetration testing, at Hawaiian Telcom. Reach him at matt.freeman@hawaiiantel.com.