A sportswriter once suggested to Hall of Fame pitcher Sandy Koufax that major-league baseball players shouldn’t need six weeks of spring training to prepare for the season. Koufax responded: “People who write about spring training not being necessary have never tried to throw a baseball.”
His point was that even those at the top of their game must regularly sharpen their skills to remain prepared, competitive and productive. It’s the same reason everyone in your workforce needs regular cybersecurity awareness training.
For all the software, systems and processes organizations put in place to protect their networks, employees are ultimately the last line of defense against most cyberattacks. Cybercriminals long ago figured out that it is easier to trick people with fake emails and social engineering scams than to hack their way through layers of network security.
Almost all of the leading cyberthreats target people rather than systems. The security firm Proofpoint reports that more than 99 percent of the threats it observed last year depended on a human action to succeed, such as opening a file, following a link or enabling a macro.
Remote Work: A Whole New Ballgame
Such attacks have only intensified this year as millions of Americans began working from home due to the pandemic. Law enforcement officials report record levels of phishing and ransomware attacks targeting remote employees who lack many of the cybersecurity protections they enjoyed in an office environment.
Surprisingly, an IBM Security survey finds that nearly half of remote employees did not receive any new security training once they began working from home. That likely has contributed to a spike in risky behaviors by homebound workers. Multiple studies find remote employees routinely disregard basic security best practices as they seek more expedient or convenient ways to get their work done. Remote workers admit to regularly opening suspicious emails and web links, using unsanctioned applications and uploading company data to personal devices.
Security awareness programs are essential for correcting such behaviors. They should promote general security best practices and an understanding of social engineering and hacking techniques. Phishing awareness should be a core topic because phishing is a gateway attack that sets the stage for many other threats, from credential theft to ransomware. Security experts say more than 90 percent of all successful hacks and data breaches start with a phishing scam.
Training materials should remind remote workers of three essential practices for avoiding phishing attacks: don’t open emails from senders you don’t recognize, don’t click on email links unless you are certain they’re legitimate, and don’t open email attachments unless they’re expected and come from a trusted source. Because attackers routinely spoof or impersonate familiar senders, training should also teach employees to check the actual sender address rather than the display name, to hover over a link to see where it really leads before clicking, and to verify unexpected requests through a separate channel such as a phone call. It’s a good idea to test employees with simulated phishing emails to see if they can recognize current threats and techniques.
Stepping Up to the Plate
Safe web surfing, proper password practices, mobile device security and secure Wi-Fi use are other topics that should be covered in your training programs. Company intranets or self-service portals are great platforms for conducting instructor-led classes, webinars and video training sessions. You can also create a library of security awareness content such as newsletters, videos, whitepapers, posters, emails and games.
It’s important to remember that a single webinar or PowerPoint presentation won’t do much to modify employee behavior. A new study by researchers from several German universities finds security awareness training produces short-lived results, with most employees forgetting much of what they learned within six months. The results reinforce what industry insiders have long believed — that security training must be repeated regularly to produce lasting behavioral changes.
Consistent training and preparation help baseball players stay sharp and keep their heads in the game. Your remote employees can get the same benefits from regular security awareness training. Well-coached employees can safeguard your organization by knowing how to identify, prevent and respond to serious threats. That’s a game-changer for cybersecurity.