Survey highlights importance of IT security training from day one
Employers should start new employees with cybersecurity training on day one, judging from the results of a recent study.
New employees regularly show a propensity for higher-risk behaviors compared to veteran employees, reports CybeReady, a security awareness training firm.
Generally, workers in their first six months with an organization are about twice as likely to click on phishing emails (about 20 per cent) as veteran employees (about 10 per cent), demonstrating increased susceptibility to cyber threats.
One of the reasons behind this is that new employees don’t know the organization that well, says Michal Gil, head of product management at CybeReady, in talking with HRD Canada.
“If you [as a new employee] get a phishing simulation, for example, telling you that you need to upgrade your Teams' password or reset it, you [might not] know that your organization is not even using Teams. They're actually using Slack or something else.”
Another factor is that new employees don’t know their colleagues well enough, says Gil.
“We had someone in our company who got a phishing email from the CEO, telling her to buy gift cards. So that woman automatically clicked on the phishing email and wanted to purchase a gift card for the CEO, because new employees want to please. They don't know anyone, they want to make everyone happy. They want to prove that they're really good, loyal, professional employees.”
Half (50 per cent) of the top phishing email subjects globally purport to come from an organization's HR department, according to a separate report.
Reporting phishing activities
Employees considered at high risk of falling for phishing (based on a baseline collected from workers) are also far less likely to report suspected phishing attempts, according to CybeReady's report, which is based on millions of data points accumulated from training enterprise employees over the past five years.
Low-risk employees report suspected phishing up to 50 per cent more often than medium-risk employees, and up to four times more often than high-risk employees.
"Our data demonstrate the crucial role employees play in keeping the organization safe, and how administering effectiveness training can truly change employee behavior," says Eitan Fogel, CEO of CybeReady.
"By recognizing the increased vulnerability of new employees and providing targeted training at various stages of veterancy and risk levels, organizations can mitigate cyber risks and thereby strengthen their overall security posture."
Only 2.1 per cent of all known business email compromise (BEC) attacks are reported by employees to their employers, according to a previous report.
Combating ‘boring’ cybersecurity training
Training not only fosters secure habits and helps employees avoid phishing emails, but also encourages them to report such threats proactively, according to CybeReady. This behaviour change plays a crucial role in protecting organizations from the consequences of untrained employees falling for attacks, it says.
However, employees don’t usually meet cybersecurity training with a lot of enthusiasm, says Gil.
“The biggest problem is that it's boring.”
“They say, ‘We have enough work to do. We don't have time to learn your extra stuff, it's getting in the way of us achieving our goals and all the tasks that we have to complete. Don't waste our time with boring security awareness stuff’.”
Every company in Canada is a target of cybercriminals, according to one expert.
Short and continuous training can make a difference, says Gil, along with simulations.
Those in upper management should go through the same cybersecurity training as individual contributors do.
“Upper management, in a way, they’re just like an employee. They can fall for the same phishing simulations as anyone else,” he says, adding that they may be at higher risk of phishing because they have access to more sensitive information.