Employee Cyber Security Training Tips

You can tell your employees not to use their cell phones at work, but they are likely using them when you are not looking anyhow. You can instruct them that they should not download anything from an untrusted third party, and yet they are going to see a name they recognize and just go ahead and click anyhow. So what do you do?

Many companies will add a cybersecurity policy to their employee handbook and never speak of it again. That is a huge mistake! Not only should you hold a thorough training on this subject with your employees, but you should also have them attend this training at least twice a year!

Data security training needs to shock employees enough that they realize human error is one of the leading causes of data breaches. Throw facts and statistics at them. Let them know they play a huge role in the safety of the company, and that a large portion of data breaches are completely preventable because they stemmed from user error.

Verizon’s annual Data Breach Investigations Report of 2015 showed that 30% of staff-related e-mail breaches were due to sensitive information being sent to incorrect recipients.

While many prevention tips may seem like common sense to us by now, we tend to get lazy and take shortcuts. Find a way to get your employees to break their bad habits!

  • Educate employees on the types of cyber threats out there so they know the warning signs and how each threat attacks.
  • Never share passwords (even internally), and do not buy one of those internet password notebooks to write in and manage your login information!
  • Never plug in a USB device without knowing its origin and expected contents.
  • Lock your computer when you step away from your desk, even for a moment.
  • Be cautious about what is in view on the monitor before screen sharing in webinars or when anyone else is around.
  • Never forward e-mails that are not related to the work you are doing, as they may contain malicious attachments.
  • Training needs to include the warning signs of a breached system. Why? Once a system is breached, it is critical to remove the threat rapidly to prevent data loss or a follow-up virus or worm.

The crucial takeaway points are to implement cyber training with ALL employees (C-suite included) right away, and to repeat the training at least twice a year, refreshing the agenda with new cyber threats, statistics and details which have come to light since the previous training.

The Cyber-Security Training Tips Your Business Has Been Looking For

Strictly Enforce a Multi-Tiered IT Security Plan for ALL Staff

As new threats arise, it is imperative to keep policies up to date to protect your business. Your employee handbook needs to include a multi-tiered IT security plan made up of policies for which all staff, including executives, management and even the IT department, are held accountable.

  • Acceptable Use Policy – Specifically indicate what is permitted versus what is prohibited, to protect the corporate systems from unnecessary exposure to risk. Include resources such as internal and external e-mail use, social media, web browsing (including acceptable browsers and websites), computer systems, and downloads (whether from an online source or a flash drive). Every employee should acknowledge this policy with a signature to signify they understand the expectations set forth in it.
  • Confidential Data Policy – Identifies examples of data your business considers confidential and how that information should be handled. These are often the types of files which should be regularly backed up, and they are the target of many cybercriminal activities.
  • E-mail Policy – E-mail can be a convenient method for conveying information; however, the written record of communication is also a source of liability should it fall into the wrong hands. Having an e-mail policy creates consistent guidelines for all sent and received e-mails and for any integrations which may be used to access the company network.
  • BYOD/Telecommuting Policy – The Bring Your Own Device (BYOD) policy covers mobile devices as well as the network access used to connect to company data remotely. While virtualization can be a great idea for many businesses, it is crucial for staff to understand the risks that smartphones and unsecured WiFi present.
  • Wireless Network and Guest Access Policy – Any access to the network not made directly by your IT team should follow strict guidelines to control known risks. When guests visit your business, for example, you may want to restrict their access to outbound internet use only, and add other security measures for anyone accessing the company’s network wirelessly.
  • Incident Response Policy – Formalize the process an employee should follow in the case of a cyber-incident. Consider scenarios such as a lost or stolen laptop, a malware attack, or the employee falling for a phishing scheme and providing confidential details to an unapproved recipient. The faster your IT team is notified of such events, the quicker they can respond to protect the security of your confidential assets.
  • Network Security Policy – Protecting the integrity of the corporate network is an essential portion of the IT security plan. Have a policy in place specifying technical guidelines to secure the network infrastructure, including procedures to install, service, maintain and replace all on-site equipment. Additionally, this policy may include processes around password creation and storage, security testing, cloud backups, and networked hardware.
  • Exiting Staff Procedures – Create rules to revoke access to all websites, contacts, e-mail, secure building entrances and other corporate connection points immediately upon the resignation or termination of an employee, regardless of whether or not you believe they hold any malicious intent towards the company.

“More than half of organizations attribute a security incident or data breach to a malicious or negligent employee.” Source: http://www.darkreading.com/vulnerabilities—threats/employee-negligence-the-cause-of-many-data-breaches-/d/d-id/1325656

Training is NOT a One Time Thing; Keep the Conversation Going

Employee cyber security awareness training dramatically reduces the risk of falling prey to a phishing e-mail, picking up a form of malware or ransomware that locks up access to your critical files, leaking information via a data breach, and the growing number of malicious cyber threats that are unleashed each day.

Untrained employees are the greatest threat to your data protection plan. Training once will not be enough to change the risky habits they have picked up over the years. Regular conversations need to take place to ensure employees actively look for the warning signs of suspicious links and e-mails, and know how to handle newly developing situations as they happen. Constant updates about the latest threats and enforcement of your IT security plan create individual responsibility and confidence in how to handle incidents, limiting exposure to an attack.

“Every business faces a number of cybersecurity challenges, no matter the size or industry. All businesses need to proactively protect their employees, customers and intellectual property.” Source: https://staysafeonline.org/business-safe-online/resources/creating-a-culture-of-cybersecurity-in-your-business-infographic

Training Should Be Useful Both Personally AND Professionally to Stick

Create regular opportunities to share topical news about data breaches and explore different cyberattack methods during a lunch and learn. Sometimes the best way to increase compliance is to hit close to home by making training personal. Chances are your employees are just as uninformed about their personal IT security and common scams as they are about the security risks they pose to your business.

Expand on this idea by extending an invitation to educate their entire families about how to protect themselves from cybercrime during an after-hours event. Consider covering topics that may appeal to a range of age groups, such as how to control the privacy and security settings on social media, online gaming, etc., and how to recognize the danger signs of someone phishing for personal information or money, both via e-mail and phone calls. Seniors and young children are especially vulnerable to such exploitation.

Don’t Make a Hard Situation Harder; Remember you WANT red flags reported

Making ongoing security training a priority will greatly reduce repeat errors and prevent many avoidable attacks; however, mistakes happen. It can be very embarrassing, and a shock to one’s pride, to acknowledge an error and report involvement in a potential security breach. Your first instinct may be to curse and yell, but this would be a serious mistake. Keeping calm and collected is the key to building the trust employees need to come to you right away, while they are feeling their most vulnerable.

For this reason, treat every report with appreciation and immediate attentiveness. Whether the alert turns out to be a false alarm or an actual crisis, avoid berating the employee for their mistake no matter how red your face may become.

When the situation is under control, take the opportunity to thank them for reporting it so that it could be handled appropriately. Remember, it takes a lot of courage to step up when you know you were to blame. Help the employee understand what to look out for next time if it was something that could have been prevented, such as a user error.

Cyber Training Recap

  • Implement a Multi-Tiered IT Security Plan, Strictly Enforced for ALL Staff
  • Training is NOT a One Time Thing; Keep the Conversation Going
  • Training Should Be Useful Both Personally AND Professionally to Stick
  • Don’t Make a Hard Situation Harder; Remember you WANT red flags reported