Employees are the first line of defence when it comes to cybersecurity. Unfortunately, they’re also often the weakest link.
When you see the headlines, it’s easy to think that breaches are a result of sophisticated cyberattacks. But that’s not always the case. They often come about because someone clicked on a malicious link, gave their credentials away to a scammer, misconfigured a system, or failed to patch a system in a timely manner.
According to the Office of the Australian Information Commissioner (OAIC), human error was the source of 41 per cent of data breaches reported between July and December 2021. The most common mistakes reported include personal information being emailed to the wrong recipient and the unintended release of sensitive information.
Given employees play such a significant role in protecting organisations, investing in training can help organisations avoid costly mistakes down the line.
According to the Australian Cyber Security Centre (ACSC), there were 67,500 cyber-attacks reported by businesses in the 2020-21 financial year — that’s one report every eight minutes — with an estimated financial impact of more than $33 billion.
It may not seem like it, but taking care of “low-hanging fruit” by patching vulnerabilities, checking for product misconfigurations and following security best practices will significantly impact an organisation’s risk profile.
The process starts with addressing the knowledge gaps. While people are generally aware that threats are out there, they don’t always know what would happen if they were to make a mistake — like unknowingly clicking on a malicious link or accidentally forwarding confidential documents on a private email chain to a third party.
This is why organisations need to take cybersecurity training seriously. A one-pager with the basic “dos and don’ts” is a good start, but it isn’t going to stick long term.
Of course, investing in training doesn’t mean teaching every staff member to become a cybersecurity expert. It’s about making sure every employee is aware of their role — however big or small — in keeping the organisation safe. They need to be able to identify, manage and mitigate the key risks associated with their line of work.
For organisations looking to build a security-savvy workforce, here are some key things to consider.
Customise security training for different roles
There are standard good practices that everyone in an organisation should follow.
But different teams have different levels of exposure to different threats. That’s why training also needs to be customised depending on each employee’s role within the organisation.
For example, sales teams or executives that spend 80 per cent of their time on email could benefit from training on how to spot malicious emails.
Meanwhile, employees who are responsible for critical systems would need to undertake more advanced cybersecurity training, such as sessions on how to securely configure the applications they are responsible for and security good practices specific to their role type.
As the threat landscape is always evolving, training needs to be a continuous process. This can seem like a big job for organisations to manage internally; the other option is to partner with third-party experts who specialise in this area.
Provide hands-on learning
Written guides, diagrams and video tutorials are all great resources for employees. But the best way to learn is usually through practice.
Rather than reading about how to tell the difference between a genuine and malicious email, doing a practical exercise could be more effective at helping employees absorb, retain, and apply new knowledge.
For example, employees could be provided with simulated environments — separate from your business systems — where they can safely learn how to navigate different threat scenarios and be rewarded for taking the right steps.
In any training program, organisations need to be able to capture data and access insights. This allows you to keep an eye on your staff’s progress, identify areas of improvement and understand the overall effectiveness of the training.
Cultivate a culture of security
To protect your organisation over the long term, you need to create a culture of security — one where there’s a common understanding that cybersecurity is everyone’s responsibility, not just the technical team’s.
Senior leadership has an important role to play in cultivating the right culture. To set the tone for the rest of the organisation, leaders need to endorse and participate in training programs themselves and give employees the time and space to undertake training. Telling them to get up to speed in their own time isn’t going to inspire them to learn.
It’s also crucial employees feel like they’re personally benefiting from the training — for example, understanding how to protect themselves and their families outside a work setting.
Helping employees improve their personal IT security will also, by default, benefit the corporate environment — especially given the prevalence of hybrid working and BYOD.
Make systems friction-free
Assuming (or hoping) that people will never make mistakes, take shortcuts, assume trust or act in self-interest is itself a common human error.
Employees can’t be perfect at all times, especially if they’re continually being asked to make critical security decisions in order to perform a function or get an outcome. For example, a rapidly emerging type of attack against authentication services is “MFA Fatigue”, where users of mobile authentication apps are bombarded with repeated requests to validate and approve access attempts they did not initiate.
Users get so fed up dealing with requests that they end up clicking “allow” because it’s easier. This only has to happen a single time with a malicious request, and an attacker gets in.
So, it’s important to ensure that the user doesn’t feel that security systems are a burden that prevents them from being productive. They should be as invisible and friction-free as possible for the end user.
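One way the organisation, rather than the user, can absorb this burden is to detect push-prompt floods on the authentication service itself. The following detector is an added example, not code from the article or any particular MFA product; the log format, the user names and the thresholds (more than three prompts in five minutes) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): an MFA push service records
# each prompt it sends and the user's response. Alice is being spammed and
# finally taps "approve"; Bob is a normal single-prompt login.
SAMPLE_LOG = """\
2022-06-01T09:00:01Z user=alice event=push_sent ip=203.0.113.7
2022-06-01T09:00:05Z user=alice event=push_denied ip=203.0.113.7
2022-06-01T09:00:20Z user=alice event=push_sent ip=203.0.113.7
2022-06-01T09:00:25Z user=alice event=push_denied ip=203.0.113.7
2022-06-01T09:00:40Z user=alice event=push_sent ip=203.0.113.7
2022-06-01T09:01:00Z user=alice event=push_sent ip=203.0.113.7
2022-06-01T09:01:10Z user=alice event=push_sent ip=203.0.113.7
2022-06-01T09:01:15Z user=alice event=push_approved ip=203.0.113.7
2022-06-01T09:30:00Z user=bob event=push_sent ip=198.51.100.9
2022-06-01T09:30:04Z user=bob event=push_approved ip=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+) ip=(\S+)$")


def parse(log_text):
    """Parse the assumed log format into (timestamp, user, event, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_push_floods(events, max_prompts=3, window=timedelta(minutes=5)):
    """Flag users who receive more than max_prompts push prompts inside a sliding
    window, and note whether an approval followed the flood (the dangerous case)."""
    sent = defaultdict(list)   # user -> timestamps of recent push_sent events
    findings = {}
    for ts, user, event, ip in sorted(events):
        if event == "push_sent":
            q = sent[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop prompts outside the window
                q.pop(0)
            if len(q) > max_prompts and user not in findings:
                findings[user] = {"flagged_at": ts, "prompts": len(q), "ip": ip,
                                  "approved_after_flood": False}
        elif event == "push_approved" and user in findings:
            findings[user]["approved_after_flood"] = True
    return findings
```

A finding with `approved_after_flood` set is the signal to invalidate that session and re-verify the user out of band; a finding without it is the moment to stop sending further prompts.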
Ultimately, the more savvy your staff are, and the more seamless your systems are, the more secure your organisation will be.