October is National Cybersecurity Awareness month, and phishing attacks and the importance of security awareness training should be top of mind.
Phishing continues to be a popular attack vector. A recent threat report noted an uptick in lures mimicking shipping and eFax services observed in Q2 2018. Industries that experienced the largest number of confirmed phishing attacks in Q2 2018 included construction, education and marketing, likely because of frequent use of DocuSign in handling digital invoices and quotes, driven by remotely based business relationships and employees. Health care also experienced a larger diversity of phishing lures, but no one lure dominated. This is likely because health-care providers interact with diverse groups, such as employees, other health-care providers, managed service providers and patients, so they are apt to use more varied technology, which makes a wider range of lures look familiar.
Phishing emails have grown increasingly sophisticated, designed to look like emails with legitimate professional branding. Employees need to learn to be wary of emails requesting user account credentials or personal details—and confirm with their IT departments if they see something that doesn’t seem right (spelling mistakes, an odd return email address, other indicators, etc.).
Knowing how to identify a phishing email is extremely important, but it is just the beginning. Security awareness training highlights several different tactics used by cyber-criminals and describes how to defend against them. Training is important for any individual who has access to company data, so for most companies, that means everyone. Keep in mind, though, that those in HR and finance are particularly targeted because they have access to financial and employee information.
It’s important to remember that employee education will reduce the risk of a cyber-breach; however, it won’t stop criminals from trying. Learning the signs and triggers is something that can become muscle memory through regular cybersecurity training. It’s up to every organization to mandate and maintain a regular cadence around awareness training. Providing ongoing education and training to employees is the best way to protect your business in the fight against cyber-crime.
Below are some additional tips for employee security awareness training:
- Cybersecurity training for employees should be mandatory—not just as part of new-employee orientation, but as an ongoing practice. It’s important that training is offered in a way that is engaging and memorable, so your employees will retain the information. And of course, policies must be in place to ensure employees take this training seriously.
- Although online training is the more modern approach, there is sometimes still a place for in-person training. In-person training allows for direct interaction with instructors, which can be more engaging for some people. The content can also be customized more easily depending on the needs of the employees. Unfortunately, this method is often more expensive and is usually offered as a “one-time thing.”
- On the other hand, online training allows for consistency of messaging while being cost-effective and easily reproducible. However, with online courses, employers may need to seek out a training program that is more than a “one-time thing.” Solitary online training can sometimes be unmotivating, so it’s important that the training program is engaging and that its completion is enforced.
- Consider merging proven brain science with cybersecurity curriculum. One of the most important advances in employee knowledge approaches is something called microlearning—a technique that will totally change the face of cybersecurity awareness training because it moves the needle beyond mere reach to focus on improving knowledge, sustaining it and enabling employees to apply it in the real world. Microlearning is a technique of delivering learning content in short, bite-sized bursts (from three to five minutes), several times per week or even daily. When microlearning is delivered in a consistent, ongoing way, you can drive continuous learning, build up knowledge over time and produce real behavior change that’s capable of creating an embedded human layer of security protection across every part of the business. Microlearning addresses the problems associated with traditional security awareness training (SAT) and is evolving the industry to think well beyond compliance. It’s being used at some of the world’s largest companies, like Toyota and Walmart, to solve the numerous challenges of knowledge-building in a corporate setting.