According to research by the insurance company Hiscox, more than half of British businesses experienced a cyberattack in 2019. The research found that 55% of firms faced an attack in 2019, up from 40% of firms reporting an attack in 2018.
A key reason cited by a majority of companies for being vulnerable to cyberattacks was that they did not feel they were at risk.
A cyber awareness training program is urgently needed given the increasing vulnerability of all types of companies – private, public, large, medium and small-sized – to cyberattacks. Cyberattacks are also becoming more complex and harder to trace, which intensifies the resulting damage for companies and makes prevention extremely difficult, time-consuming and expensive.
What is cybersecurity awareness?
Cybersecurity awareness is knowing about cyberattacks, recognising them and taking steps to prevent or thwart them. Creating a cyber-risk-aware workforce is essential because, more often than not, unaware employees inadvertently become the entry point for cyberattacks that can bring down companies.
For example, an innocuous-looking email may carry a link to malware, and an employee who is not cyber-risk-aware clicks it because he or she could not recognise it as a threat. Similarly, a weak password can be a gateway to the leakage of sensitive data. Cybersecurity awareness training teaches people to understand the damaging risks of such poor passwords.
A cyber awareness training program trains employees to not only identify cyber-hazards but also take the right action to defend company data against such hazards. Training usually includes courses on real-life cyberattack challenges and ways to identify and overcome them. Trainees are made cyber-aware through the use of videos and simulations of different types of cyberattacks.
In addition to theoretical concepts and practical steps related to cyber awareness, a good training program focuses on training employees to cultivate the right attitude and approach towards cybersecurity. Cyber-awareness then becomes “part of work” for employees rather than a subject “outside of work,” leading to greater information security.
Key elements of a cybersecurity awareness training program
While the overall course structure of cybersecurity awareness programs may vary, there are some key elements that every such program must cover. These elements include:
1. Password security
Passwords are the gateway to a device and sensitive information. They are the first and foremost line of defence against cyberattacks. The stronger they are, the stronger the protection for your data assets.
Cyber awareness training programs must educate employees to use password best practices to ensure strong passwords. Some classic strong password rules include:
- Use at least eight characters.
- Use a mix of character types, including letters, numerals and special characters.
- Avoid common and easily guessed information in passwords, such as birth dates, favourite names, wedding anniversaries, and so on.
- Update passwords every six months.
2. Information access
A cybersecurity awareness training program must educate employees about responsible data access, especially if they have access to sensitive company information. Part of being cyber-aware is knowing what level of access privilege you hold to sensitive information.
In addition to using strong passwords, employees must be cautious when using external networks to send or receive company information. Even if the information is encrypted where it is stored, its transfer over such unfamiliar networks may not be encrypted, which leaves the information open to misuse.
Also, data sent over public networks can be intercepted, which increases the risk of a security compromise. Training programs must offer employees guidelines on choosing their networks. They must be trained to secure their connections through the use of appropriate VPN settings.
3. Phishing attacks
Nearly 50% of cyberattacks happening in the UK involve phishing. This percentage is approximately 20% more than the global average.
A cybersecurity awareness program must train employees to recognise and thwart phishing attacks. In a typical phishing attack, users are persuaded to click a link, which may either download malware or direct the user to a fraudulent website. Successful phishing attacks can result in system sabotage or theft of intellectual property.
Trainees must be educated on the best practices to be used when they sense something inappropriate about an email, message, or attachment. Some best practices include:
- Refraining from clicking on or responding to emails, attachments and links that do not feel right.
- Taking the next step to prevent further damage – for example, employees can immediately inform authorised personnel about the suspected phishing attack and request an investigation into the suspicious email or link. This approach can prevent the malicious email or link from spreading company-wide.
4. Using personal devices with caution at work
With more and more companies permitting employees to access company data from their own devices to improve productivity, personal mobile devices have become common in workplaces.
This development brings its own risk to information security, because these mobile devices do not come with built-in protection. As a result, employees need to be cautious when downloading new apps, clicking new links or visiting new websites, especially when the devices are connected to the company network.
5. Ensuring the physical security of devices
Forgetting your mobile device on the desk or leaving your desk without locking your laptop are typical examples of failing to ensure the physical security of your devices. Leaving devices unsecured increases the chance of login credentials being stolen, which puts organisational data at risk because an intruder can now access information through your account.
A cyber awareness training program educates employees on physical device security best practices that prevent such a breach. These include:
- Locking the device before leaving the desk
- Locking key paper documents in a cabinet
- Shredding paper documents and securely destroying hardware and software media that hold sensitive information, so that the information cannot be recovered
To be effective, cybersecurity awareness training should be ongoing. Regular discussions, conversations and awareness messages must be part of the training so that cyber awareness remains a lasting priority in employees’ minds.
October is celebrated as the national cybersecurity awareness month in the UK. Given the cyberattack risks in the nation, companies can use this awareness-spreading month as an annual opportunity to review their cybersecurity awareness policies and upgrade their training methods.
This way, employees will be better prepared for the rapidly changing cyber-threat landscape.