The right training for employees can have a huge impact on a company’s security posture
In 2017, a study by analysts at Enterprise Strategy Group (ESG) noted that more than a quarter of cybersecurity pros felt a skills shortage was having a significant impact on their organizations. By the end of that same year, additional ESG/ISSA research put the figure at 70 percent.
That’s a dramatic rise, but it’s just one example of how threats are increasingly impacting businesses. Breaches lead to costly downtime, damaged reputations, fines, lost customers and partners. According to Ponemon Institute’s “2018 Cost of a Data Breach Study,” the average financial toll of a breach to an organization is $3.86 million. That is also a figure that has climbed, growing 6.4 percent since last year. For some companies, such a setback is not just damaging, it could mean the end.
By 2021 there will be an estimated 3.5 million unfilled security positions. This has made training of IT staff crucial, not just for staying up-to-speed on emerging threats, but for enabling fewer personnel to do more. But it’s not just IT that needs educating. In Ponemon Institute’s report, “Managing Insider Risk through Training & Culture,” 66 percent felt employees were the weakest link in security.
All employees, to varying degrees, need some type of security training. Unfortunately, the ESG/ISSA study points out that 62 percent of organizations fail to provide the training needed to keep up with business and IT risks.
The following tips can help chief information security officers (CISOs), IT leaders and top executives understand risks and fortify their company’s security position, particularly with security training.
Get Everyone Onboard
It’s widely felt that training is one of the most cost-effective ways to mitigate security risks. In fact, in the 2018 Ponemon study, 22 meaningful factors that decrease or increase the expense of a data breach were identified. The third best way to decrease costs was training, only behind an organization’s incident response team and use of encryption, and tied with business continuity management.
In organizations today, security is everyone’s business. So when beginning or revamping a security program, start by setting the right tone. Since the CISO is a company’s security leader, initiatives should come from that office. It’s also important that leadership, particularly human resources (because they are employee-facing and onboard new hires), show they support these efforts and participate as well.
To cultivate a learning culture, explore resources that can help advance team members, particularly those in IT and security. For instance, certification programs can provide a higher level of skills and expertise. They’re also constantly updated and often tiered for varying abilities. Remember, employees appreciate when leaders invest in their development. Yes, there are plenty of cybersecurity jobs available, but companies that advance employees have a greater likelihood of retaining talent.
Technology vendors are also a great resource. They may offer programs to certify your employees on their solutions. They want to keep your business and providing these opportunities can build loyalty. Vendor training is also often available in varied formats such as recorded sessions, hands-on labs and possibly even onsite visits. As a customer, you have leverage, so use it.
Keep in mind, threats are often brought in by non-technical employees—employee negligence continues to be the biggest cybersecurity risk to business. Conduct formal security training and informational sessions. Promote awareness with internal communications from newsletters to posters. Check out security modules that test malicious email scenarios with employees.
Make no mistake, though, everyone should undergo education. The infamous 2017 breach at Deloitte, one of the Big Four professional services firms and a provider of cybersecurity consulting, was the result of an admin who disabled multi-factor authentication for their own account. As for bosses—an extremely attractive target for bad actors—a BAE Systems survey of senior managers found 40 percent admitting they lacked understanding of their own cybersecurity protocols.
Get a Handle with Hands-on
One of the most effective ways of teaching is hands-on, the practice-by-doing method. And there are a number of ways you can do this in security training.
Cyber ranges were introduced by the government and military, and their use in business is increasing. These ranges enable teams to train for incident response with hands-on practice in safe, sandboxed lab environments that mimic real-world scenarios. Participants learn how to evaluate situations and apply the correct policy and response for specific attacks.
Before trying a cyber range, CISOs should be sure it is appropriate for the individual. After all, a person simply wanting to get their automobile license doesn’t need to become a mechanic. Some of the exercises offered by cyber ranges may go beyond what IT teams need. They could deal with critical infrastructure, a public utility or an air traffic control system—the demands of those scenarios could be more than an enterprise IT employee needs.
Another cost-effective, fun route used by enterprises is hosting their own virtual training labs. These can teach teams how to respond to real-world situations, such as a malware attack. Participants train in accurate replicas of their IT infrastructure. If they make a mistake, no big deal—damage is avoided because it’s not a part of the actual network.
Because virtual IT training can be done remotely, the need for travel and related expenses is eliminated. Employees can quickly return to their regular tasks when training is over and apply what they’ve learned to their familiar environment. Companies can even make these programs available on-demand, so employees can fit in training at their convenience.
It Will Happen
Here’s the situation: Your company will get breached. It’s no longer a matter of “if”—it’s a matter of “when.” The only question is, will your employees be trained sufficiently?
You need to assess what levels of training are appropriate for various personnel. For IT in particular, that means receiving regular details on emerging threats and effective responses. There are many options available to ensure IT teams (and all employees) are prepared.
Determine your needs, available resources and budget. Threats will continue to climb. You’ll find training is a small price to pay and the best way to lower your risk.