How effective employee training can reinforce the cybersecurity cordon

Business leaders are alive to the risks posed by cyber-crime – they’ve identified it as the most disruptive economic crime of 2019 and 2020


By Joanne Wong, Senior Regional Marketing Director Asia Pacific & Japan at LogRhythm

Are your employees all over the data protection detail, or slapdash in the way they handle customer data and about cyber-security in general? If it's the latter, then you’re failing to make use of one of the most powerful weapons at your disposal in the battle against high-tech fraudsters and hackers.

As security tools and technologies become ever more intuitive and pre-emptive, courtesy of the power of artificial intelligence and machine learning, human failure has emerged as the biggest risk faced by Australian organisations in their ongoing war against cyber-attack.

And it’s a war that shows no sign of abating. In fact, the reverse. Nearly 50 per cent of the local enterprises surveyed by PwC for its 2018 Global Economic Crime and Fraud Survey: Australian Report claimed to have experienced a cyber-attack in 2017 and 2018.

Business leaders are alive to the risks posed by cyber-crime – they’ve identified it as the most disruptive economic crime of 2019 and 2020 and the biggest danger to their growth prospects.

Tackling the issue differently

The PwC report notes that economic offences such as hacking and cyber theft can no longer be tackled using traditional means. A holistic strategy is needed: one that includes investing in people and addressing the human behaviours which render organisations more vulnerable to high-tech criminal activity.

Industry research attests to the pressing need for a new approach. The Verizon 2018 Data Breach Investigations Report* found that humans are still considered the weakest link, with social engineering, in the form of phishing and pretexting, accounting for a whopping 93 per cent of all data breaches.

Employee education is the key to reversing that statistic, but when it comes to cyber-security training, quality and effectiveness can vary enormously. Generic awareness courses, held annually or as part of the induction process for new employees, are of limited use. What we’ve seen really work is an ongoing program of awareness-raising and the fostering of a rigorous corporate security environment which sees all employees adopting sensible defensive postures as a matter of course.

Here are some measures that can help boost cyber-safety in your enterprise and encourage a culture in which security awareness is embedded, not imposed.

Tailoring training programs

Training tailored to the needs of participants is invariably more effective than generic programs whose content is pitched at the wrong level, or is not specific to an organisation. Bespoke classes and computer-aided programs cost more but the pay-off is greater. It comes in the form of increased engagement and greater knowledge retention, courtesy of the fact that the information being delivered is real world and relevant.

Making the fight fun

Cyber-security isn’t intrinsically fun but turning it into a game can make it so. Gamification – the use of elements of game playing, such as point scoring, competition and rules of play – is increasingly being used by large organisations to encourage employees to learn about attacks and motivate them to remain vigilant.

Whether it’s simulator training to teach executives how to respond quickly to an incursion or encouraging employees to earn the mantle of ‘security champion’ for raising the alarm on a phishing scam, injecting a little excitement and competition into the security sphere can help keep your workforce engaged and alert. 

All together now

In many organisations, cyber-security is viewed as the remit of the techies in the IT department or external consultants whose primary focus is installing and upgrading cyber-security software. The latter is a necessary measure, but it doesn’t contribute to a culture which sees employees take responsibility for flagging threats, heading them off as they arise and informing the development of future policies by providing on-the-ground feedback.

Encouraging employees to feel part of the solution does. Some of the ways this can be done include opening channels of communication between the security team and the rest of the organisation and circulating news of attempted attacks and breaches as they occur (whilst being careful not to name and shame individuals who are caught off guard).

Time to act

A climate of heightened risk has become situation normal for businesses, in Australia and abroad, as enterprising hackers and cyber-criminals step up their efforts to infiltrate systems and use illicitly gleaned data for illegal gain. Fostering a robust cyber-security culture can help repel their assaults and ensure the integrity of core systems and customer data is not compromised through employee ignorance or carelessness.