We’ve long maintained that technical means are not enough to protect a business from cyberthreats. It’s entirely possible for a single person to negate the effect of an entire information security team. In many cases, it may be unintentional, the result of lacking basic cybersecurity knowledge, being unaware of threats, or diverted attention. That is why many companies (according to our data, approximately 65%) already invest in employee cybersecurity training.
There, however, complications may arise. The person who decides staff awareness needs to be raised is not necessarily the person responsible for arranging the training. And although the first person sees an obvious problem, the latter may not solidly understand what cybersecurity training is, how to train staff, or even why the training is needed.
Understanding the problem
Let’s imagine that you’ve been tasked with raising cybersecurity awareness. First, what does cybersecurity awareness really mean? To nail that down, we worked with market research firm B2B International to gather input from 5,000 companies around the globe about their understanding of the problem and the impact of individual employees in certain cybersecurity incidents. In short, we found:
- 46% of incidents in the past year involved employees who compromised their company’s cybersecurity unintentionally or unwittingly;
- Of the companies affected by malicious software, 53% said that infection could not have happened without the help of inattentive employees, and 36% blame social engineering, which means that someone intentionally tricked the employees;
- Targeted attacks involving phishing and social engineering were successful in 28% of cases;
- In 40% of cases, employees tried to conceal the incident after it happened, amplifying the damage and further compromising the security of the affected company;
- Almost half of the respondents worry that their employees inadvertently disclose corporate information through the mobile devices they bring to the workplace.
To see the full text of the research (in English), follow the link below, which fully answers the question “Why bother raising cybersecurity awareness?”
Teaching cybersecurity awareness
The “how” part of the equation is also very important. Multiple courses, lectures, and workshops are available. But training means spending time and money; you need to be sure you’ll get results.
Take, for example, the problem of incident concealment. You can gather employees and tell them that reporting cybersecurity incidents is important. They will probably say they understand — and keep concealing the incidents, hoping to evade responsibility.
A better approach is to understand their motivation first. In many cases, employees were informed of the strict rules by their managers or information security officers, but no one really explained the rules. Sometimes, management and the information security team also require training — training on explaining the rules.
Knowing what to teach
To withstand today’s sophisticated cyberthreats, a company has to function as a healthy organism, with various teams having different responsibilities and tasks. Naturally, that means teams need to learn about different things. Corporate management must be aware of risks and thoroughly understand their potential financial and reputational costs. Middle management and information security teams require a clear understanding of looming threats and the ability to take actions that increase cyberresilience, and they also need to be able to communicate appropriately with the majority of staff. As for specialists, knowledge about threats is less important than their skill in avoiding them.
That’s why our approach to training includes differentiating staff by seniority and function.