The Pew Research Center just released a report that should scare every CISO, risk manager and company executive. The bottom line - your employees know far too little about cybersecurity, you are not doing enough to educate them, and they are the weak link in any cybersecurity program. The study showed about a 50 percent score for most regarding fairly standard cybersecurity questions.
Studies show that approximately 35 percent of cyber breaches are due to employee error. Any cybersecurity program must include training of employees - repeatedly. Studies also show that after training there is a rapid degradation of compliance within a matter of weeks. The cyber criminals know this is an area of weakness and they target it.
Overview of the Training Process
What are employers to do to address this problem? First, understand that regardless of what you think you do have a problem. Human error is going to happen.
Next, companies need to know their area of weakness. Conduct a cyber risk assessment using technical and legal resources to conduct a holistic review of the network policies, education programs, vendor contracts and insurance. Take the assessment to heart and address areas of concern.
In all likelihood, your employee training is weak. It may even be non-existent. That is a real problem. Handing out a cybersecurity policy to employees is not training. A business can have the best software in place, keep it up to date, install defensive software, encrypt data, and issue comprehensive policies for staff. Guess what? Employees will still cause a cyber incident. Here are some important topics to cover with your employees:
- Responsibility for company data – legal obligations of the company to protect data
- Notification procedures for suspected data incidents – empower your employees to speak up
- Strong passwords – educate employees on why using a strong password is important, not just a hassle
- Unauthorized software – train employees on why installing any unauthorized software compromises the whole cybersecurity process
- Internet use – address tactics used by criminals to penetrate a network through fake websites and how malicious software is installed by accessing such sites
- Email usage – teach employees about phishing scams and how to spot fake emails meant to compromise security
- Mobile devices – implement and coach staff on the company’s mobile device policy
- Resource protection – counsel all employees on protecting passwords, locking computers and backing up sensitive information
Treat employees as stakeholders in the cybersecurity process. This is not just an IT issue. Everyone in a company must act as an Information Security Officer. As stakeholders, you cannot just issue policies and expect compliance. Most staff view them as onerous and a hindrance to job performance. Cyber education is needed in order to explain to all why the policies are necessary, and how failure to comply can jeopardize the entire company, and the responsibility each has to play in network security.
Cybersecurity is hard to conceptualize. Employees can visualize why physical security is needed, because they can picture an attack. Employers must teach cyber education in a similar format. For example, explain how an employee’s noncompliance can lead to a breach, such as mailing W-2s to a criminal, can create a situation for their friend in the next office whose stolen social security number allowed a false tax return to be filed in their name. Keep the explanations simple. Short but regular education is better than long sessions sporadically. Avoid technical jargon or ensure it is easily defined.
Consider having employees complete a quiz at the conclusion of the training. It helps reinforce the importance and attention if your staff recognize they will be tested. For those failing, have them go through the training again.
Do not stop there. Conduct some practical verification afterwards. Engage IT or outside experts to send “fake” phishing emails to staff and see which ones now violate the rules. Test what has been taught, because some will fail. Again, those employees running afoul of this experiment require additional training.
Finally, studies demonstrate that the average employee will begin to backslide fairly soon after training. Unfortunately, it is human nature. Employers must conduct training at regular intervals, and repeat the process.
It is Time for Companies to Act
No doubt this training and testing process requires planning, effort and time, but cybersecurity is a difficult problem to tackle. And, the process is nothing compared to time, cost and headaches responding to an actual cyber breach.
No cybersecurity program is foolproof. Mistakes will happen. Companies can backstop this risk with well-placed cyber insurance. But be careful, many cyber insurers impose certain requirements related to the state of your network, as well as exclusions for certain uncovered acts or omissions (such as unencrypted mobile devices). So, understand the insurer’s requirements and weave them into the employee training.
The Pew report is more evidence that America’s business community has a lot more to do in order to become cyber savvy in 2017.
Collin Hite is the practice leader of the Data Privacy & Security Group and the Insurance Recovery Group in Hirschler Fleischer's Richmond office. He can be reached at 804-771-9595 or firstname.lastname@example.org.