Rank-and-file employees are often the first line of defense between the sensitive company and customer data an organization handles and the bad guys trying to breach that data. And occasionally, an employee screws up that defense … badly.
The most recent major breach of this kind is from Microsoft, which was hacked through illicitly obtained login credentials of a customer support representative, thus exposing user metadata and email content. Reports are emerging that users’ cryptocurrency accounts have been drained following the cyberattack.
Research from the Ponemon Institute confirmed what many companies already know (and some have painfully learned): Employee mistakes are considered the biggest threat to sensitive data, cited by 54 percent of survey respondents. And the rank-and-file may not be the only offenders—61 percent of IT employees, who theoretically should know better, share sensitive information by email.
Today’s organizations can’t assume that their employees won’t fall for suspicious emails, use weak passwords, or log in to company systems on personal devices or leave those devices at Starbucks for anyone to find. Strong, impactful security awareness training not only guides employees toward making the right decisions and following best practices, but also provides an untapped source of insight in the form of predictive behavioral data that, when analyzed, can help change behaviors and minimize IT risk exposure.
Companies can take numerous measures to mitigate cybersecurity risk from their employees, including:
- Restricting technology: Advanced security solutions can provide protection from some gaffes, no matter how careless an employee is. Of course, these solutions cost money, face compatibility issues, and pull IT personnel away from other important duties in order to implement and maintain the application.
- Rolling back BYOD: The bring-your-own-device trend has saved companies money and made employees more mobile and comfortable accessing company systems out of the office on their personal smartphones or tablets. However, this trend has also ramped up risk. Cutting back on BYOD options may not be a progressive strategy, but it does reduce that risk.
- Providing less access: Similarly, limiting users from accessing sensitive applications and data cuts down on the risk of a breach—but it also cuts down on efficiency in many ways, not the least of which is that those employees with less access may bug those with more for information and permissions.
- Offering better cybersecurity training: IT security policies protect operations and data from human error—but only if the employees adhere to those policies with the password they choose, the Wi-Fi network they work from, the suspicious emails they open or don’t open, and so on. Strong training reinforces why policies matter and challenges employees to consider the impact of their actions (or lack thereof).
The first three options in this list are reactive, almost punitive. Better training maintains the operational flexibility employees want and companies benefit from—without sacrificing efficiency or security.
Muscle Memory and Diagnostic Data
Athletes aren’t the only people who benefit from muscle memory: Employees behind a desk or in the field can build it for their brains rather than their biceps. An important goal of compliance is for someone, when presented with a challenging and potentially risky situation, to execute the correct response without thinking twice—in essence, they know not to touch the hot stove. Quality, relevant training creates and reinforces the right action.
Even with training that helps develop this muscle memory, organizations still suffer through data breaches and embarrassing incidents. Offering training isn’t enough; gathering insight from the training and shaping strategy based on the numbers are necessary to reach the next, more secure level. Look at the data that your training produces and formulate intelligence from it. What cybersecurity issues are employees just not understanding? Are certain employees stronger or weaker in some areas than others? Are employees getting smarter over time? The best training software provides this advanced intelligence so that you can diagnose problems and adjust—and even provide additional—training strategies.
When the numbers suggest your employees are lacking in some security awareness areas, stern email reminders saying, “Don’t use ‘password’ for your password” are, frankly, often ignored. Be bold, be direct, and take full advantage of the training resources in your arsenal (and maybe add a few new weapons) to deliver extra, more effective measures to the employees who need them most.
Adaptive training provides employees additional guidance in real time. With top-notch software, the course adjusts itself to the answers a user is providing. If, for example, an employee’s knowledge of password security appears murky, the software adapts by providing additional password-related questions and scenarios to boost that knowledge. With this type of technology, you ensure no two users’ training programs are alike, but their compliance proficiencies end up in a similar place.
After the course ends, the training shouldn’t. A comprehensive security awareness approach adds focused opportunities for employees who need them, in digestible, appealing chunks. Custom checklists, infographics, and flow charts designed by experts let you promote learning any time your team needs it (and not just during formal training courses). Focused, entertaining (even funny!) videos make a great impression and can be watched repeatedly. Microlearning delivers insightful, resonant information, a couple of questions at a time, that shores up problem areas diagnosed by the data.
Most importantly, thinking of security awareness training as something that’s ongoing rather than a one-and-done opportunity can drive better results from your employees. Great, timely training helps your people take ownership of cybersecurity in ways that matter to them. Engage employees in training, and they’ll engage right back.