Cybersecurity Awareness Training: 6 Tips To Raise the Bar on Security

The hybrid work era has significantly increased the attack surface and the risk of data breaches. Organizations must reorient cybersecurity awareness training to limit human error. Let’s hear from experts on what it takes to build a robust security awareness program.

Last Updated: October 28, 2021


Ransomware attacks have risen dramatically in the last few years and continue to monopolize the headlines. As a result, in the 18th year of Cybersecurity Awareness Month, the Cybersecurity and Infrastructure Security Agency (CISA) has encouraged individuals and companies to #BeCyberSmart. To refocus attention on cybersecurity awareness, Toolbox asked cybersecurity and risk management experts to weigh in on this growing and costly problem and to recommend cyber awareness training that meets employees’ needs.

In the hybrid work era, a significant proportion of the workforce is now working ‘outside of the perimeter,’ said Daniel Clayton, VP of global security operations and services at Bitdefender. Pointing to the new realities of handling sensitive data that employees are still adjusting to, Clayton explained that they are increasingly using devices that are beyond the reach of security teams, which can lead to unintended data exposure, breach, or loss. A recent report, The Psychology of Human Error, from Jeff Hancock, a professor at Stanford University, and Tessian, found that 43% of employees have made mistakes that compromised their organization’s cybersecurity posture, while 43% have fallen victim to phishing scams.

According to Gary E. Barnett, CEO of Semafone, “This is where cybersecurity awareness training and employee education can come into play and ensure that organizations are alert to risks and take proper precautions.”

In a recent interaction with Toolbox, Sailpoint’s CISO Heather Gantt-Evans shared that in the hybrid era, cybersecurity awareness training could also be a source of community building, with gamified training tournaments, lunch and learns, and more.

“In these circumstances we rely on the workforce to understand the potential risks associated with their situation, take precautions, and make informed decisions. In the past we could be loosely aligned, but highly governed. Today, we must be tightly aligned as we are governed less stringently,” Clayton further added.

While cybersecurity awareness has become a topic of great concern, organizations should ask themselves whether they are doing enough to secure hybrid workers. What steps can they take to prevent employees’ security mistakes from turning into security incidents?

Check out six actionable insights to level up cybersecurity training for the hybrid work era: 

1. Cybersecurity Awareness Training Must Go From Executive to Endpoint

Rick Vanover, senior director of product strategy, Veeam

“In March 2020, organizations had to choose whether to make changes in the right way or to do it right now. They had to choose ‘right now.’ Poor remote access is consistently a top cybersecurity attack vector and it’s only increasing. To mitigate this, awareness training goes from the executive to the endpoint. Everyone must be part of the cybersecurity team. One of the more effective cybersecurity resiliency techniques is user education and this is non-technical. Remember, the bad guys must be right only once, and the good guys must be right all the time.”

James Carnall, VP of services, ZeroFox

“Start at the top: measure the effectiveness of employee cyber awareness programs and report that to executive leadership. Include cyber awareness in orientation, onboarding, and the annual calendar to encourage employees to think about how their actions relate to cyber security. With the transition to remote workforces, organizations must adjust their cyber awareness education to include Internet of Things (IoT) and mobility, informing staff of devices, technologies, apps, and social media that can pose a risk to employees, their families, and the organization. Informing staff about security best practices is a proactive step towards situational awareness that makes all employees good cyber citizens.”


2. Make Cybersecurity Awareness Training Mandatory for Employees 

Becky Robertson, vice president, Booz Allen Hamilton

“The cyber talent pool is small as it is, and unless major changes are made to address cybersecurity education and training needs, the cyber workforce pipeline will not keep up with increasing demand. As threat actors are constantly innovating their way around detection tools, spread-thin security teams simply can’t stay on top of every threat that impacts a distributed workforce. Further, the true effectiveness of tools and plans is often only tested during a full-scale breach. It’s therefore imperative for employees to have cybersecurity awareness training to monitor for threats before they progress.”


3. Cybersecurity Awareness Training Needs To Be Carried Out Regularly

Manikandan Thangaraj, vice president, ManageEngine

“While a customary cybersecurity training workshop followed by a short assessment would fulfill the compliance requirement, it doesn’t help much in bringing about change. Like any other habit, security awareness training needs to be carried out continuously. Employees must be made to understand that security is not a nice-to-have but a necessity.” 


4. Design Security Training and Tooling To Meet Employees’ Needs and Avoid Shadow IT

Brian Masson, director of security, Jobber

“Unless you’re in the business of security, a security-first mindset isn’t going to happen. You’ll get a lot farther if you take a business-first approach. If your security controls make it harder for people to do their job, they’ll circumvent them. Whether it’s through shadow IT or a risk/policy exception, it amounts to the same thing. You need to engage with your people and understand the reality of how they’re working and why. Accommodate it. Ensure your training and tooling allow teams to do their jobs, securely, and they will.”


5. Create Training That Incorporates Employees’ Workflow Changes

Sean Pearcy, senior director, cybersecurity services, Flexential

“I firmly believe that the hybrid work trend will continue even after normalcy returns. That’s why security teams need to address the issues and risks that these remote users are exposed to. Creating training that incorporates how these employees’ workflows change when at home is key to educating and creating security awareness for these users. Training on proper VPN usage, using remote access tools, phishing techniques that these employees may be subject to at home, or ways to ensure their local network is up to date and safe are topics that need to be included in IT security training.”

6. Implement a PCI DSS Security Awareness Training Program for Employees

Gary E. Barnett, CEO, Semafone

“The training can introduce and help establish robust internal controls and procedures for ensuring strong data security which will help safeguard customers’ sensitive and personal information. When it comes to payment security, merchants and businesses should implement a PCI DSS security awareness training program for all employees to help the workforce deeply understand how to handle sensitive customer information—no matter their location—and recognize threats that hybrid work has presented.”


Neha Pradhan Kulkarni

Technology Editor, Spiceworks Ziff Davis

Neha Pradhan Kulkarni is our Technology Editor. She oversees coverage of IT leadership, digital transformation, cloud, data security, and emerging technologies. Neha is in charge of the tech interview series Tech Talk and Ask the CXO. She has previously worked for Dentsu Aegis Network's iProspect and Ugam. When she is not reading or writing, you can find her traveling to new places, interacting with new people, and engaging in debates. You can reach her at [email protected]