The argument for educating employees on cyber security is simple: if employees don’t know how to recognize a security threat, how can they be expected to avoid it, report it, or remove it?
And the stats back up the argument: 90% of cyber security breaches are due to human error (Verizon Data Breach Report, 2017). On top of that, only 38% of global organizations state that they’re prepared to handle a sophisticated cyber attack (PwC, 2017).
Ensuring end-to-end cyber safety and protection poses a major challenge for most organizations. For small-to-midsized businesses, providing high quality, consistent, and updated training at an affordable price can be an even larger challenge.
The BOXX team has had the opportunity to talk to organizations across Canada about cyber security, data breaches, and how training employees can help reduce or eliminate the threat of an attack. We’ve compiled the top 4 things businesses need to know when it comes to turning their employees into a ‘human firewall’.
1. Cyber security awareness training is for ALL employees, not just I.T.
Any employee with access to a work-related computer, email account, or mobile device should undergo thorough cyber security awareness training. This means pretty much everyone. Training should be incorporated into the company’s on-boarding program for new employees, as well as training programs for existing employees.
Training every employee is important as security is less about the power of individuals and more about creating a workplace culture of cyber safety. The ideal workforce should embody cyber security principles and execute them every day.
2. Online training is the way to go, if continuous
Managers and employees alike are looking to replace the traditional in-class training model with a more effective, digital approach. Nine out of ten business owners see online training as the main tool to train employees on cyber security practices.
Why? Because it provides timely and actionable training for employees who work remotely and/or worldwide. For example, a BOXX client found in-person trainings too cumbersome to organize with employees’ schedules and too expensive (especially with travel). In comparison, online training can be accessed remotely and customized to roles and skillsets. It can also be updated and improved continuously as new threats arise.
A pitfall some companies fall into is running organization-wide security awareness training and thinking that a single course will protect them and their employees in the future. That is not the case. Cyber security training should be an ongoing investment that keeps up with changes in cyber threats. Each year, new threats arise, new malware is created, and new phishing scams are developed. Unless your team stays aware of these changes and is prepared to handle them, the risk of a successful attack rises until it becomes inevitable.
3. Your business may already be required to provide cyber training
Higher expectations from regulators and professional bodies for greater cyber resilience make training a ‘need to have’ in Canada, no longer a ‘nice to have’.
Organizations that fail to train their employees could run the risk of facing sanctions or fines depending on various laws and regulations such as PIPEDA, HIPAA, and globally, GDPR. Organizations in the broader public sector or healthcare industry, as well as financial institutions, require cyber security training for their employees in order to protect critical data.
As of November 1, 2018, all Canadian businesses, large and small, are subject to PIPEDA requirements to report and notify breaches of security to both customers and regulators, and to keep records of all breaches of security safeguards.
4. Keeping score is important
Most businesses struggle with the thought of providing education and training. It’s not their forte, and the outcomes or impacts can be difficult to measure. Few training programs offer direct correlation to business results. It is especially complicated in an area like cyber security where the desired effect is the absence of any incident.
It is important that the business have a desired competency level for all employees, and that management can keep track of this level of awareness. Regular reporting and activity tracking will also ensure that no topics or important lessons are ignored.
To start, business owners should take a broad view of their organization to evaluate their company’s weak points. Once that is complete, focus should then be placed on closing those weak spots through both enhancements to technology and employee training.
The key is to ensure that the chosen training program, like BOXX Academy, gives your business the ability to track employee progress, comprehension, and completion.
Taking these four things into consideration will help turn your employees into the human firewall you need to protect your network from hacks and cyber attacks. This will save your business from a world of unnecessary hurt.