How to Start Cybersecurity Training for Employees
12/14/2021
Most cybercrime targets employees, who are often perceived as the weak link when it comes to security knowledge.
According to Businessdit.com, an average of 47.63% of small businesses are hit by cyber attacks, and of the companies that are impacted, nearly 60% fail within six months.[1] One of the best defenses against such threats is cybersecurity training, including making employees aware of security threats, the various ways they might appear, and the correct procedures to follow if an incident occurs. SouthState’s Treasury Management Digital Product Manager Alex Keene shares more helpful advice below, gleaned from her years of experience working in payment fraud prevention.
How do I start cybersecurity training at my company?
The first step in developing a cybersecurity training program is to ask your employees to answer, “What is cybersecurity?” Test what they already know. Run a Phishing Security Test on all employees to see how many will take the bait and reply to a spoofed email. Your Information Technology (IT) manager could likely run this at no cost to the company, but if you would like some help, there are many free phishing security tests (also called phishing campaigns) you can find online from companies such as KnowBe4, Get Curricula, Terranova Security, Infosec IQ, Gophish, and LUCY Security.
The benefit of starting with testing, other than the low cost and knowing where to concentrate training, is that you get employee buy-in. Employees may discover they don’t know as much as they think they do about phishing. You’ll also see results: susceptibility to phishing email drops almost 20% after just one failed simulation.[2]
The second step is to determine what training resources you already have. There is no need to reinvent the wheel. Does your company already have a system to roll out training to your employees?
- If yes, this method could be the most effective for your company and it gives you the ability to track who has done what course and when they completed it.
- If no, consider microlearning, which delivers short bursts of content for faster, flexible, affordable and better knowledge retention of vital cybersecurity tips. There are many different types of microlearning platforms that can incorporate images, video, audio and games in addition to text. Choose carefully as you don’t want it to come across like a Twitter or Instagram feed.
The third step is to determine what content to include in the cybersecurity certification. Exercise prudence when evaluating one-size-fits-all training courses. Even a cursory review of “ready-made security awareness training kits” available online shows most are too broad a brush to apply to every company.
You know your company best and you should trust your gut on which one of the many solutions out there will resonate best with your team.
The fourth step is to decide who will develop the content. Will your company create the training material in-house or outsource it to a third party that specializes in cybersecurity training?
It is certainly possible to create the content yourself by doing judicious research on the Internet. Cybrary.it has many free training resources including an extensive Cyber Security Glossary, as does the National Initiative for Cybersecurity Careers and Studies (NICCS).
The reality is, however, that most small businesses don’t have the capacity to develop cybersecurity training and will need to outsource.
Cybersecurity Magazine publishes a list of the Top 150 cybersecurity companies, which they further narrow to ones that offer security awareness training. A good way to compare multiple vendors all at once is to attend a cybersecurity conference. October is National Cybersecurity Awareness Month; however, there are conferences held in various cities throughout the United States all year.
Your company’s final step is to turn cybersecurity training into a habit after the initial training cycle. It’s not realistic to do cybersecurity training only once and have it last you for years. Fraudsters change their tactics, so regular training ensures your employees are aware of the latest trends.
Develop a cybersecurity training schedule that works for your company and stick to it. It’s also a good idea to make cybersecurity training part of your onboarding process for new hires. Recurring, semi-annual cybersecurity training programs are an effective best practice.
As Eleni Zoe from Epignosis (Efront Learning) states, “The purpose behind cybersecurity training for employees is always to alter their habits and behaviors, and create a sense of shared accountability, so that the company is safe from attacks. It’s not difficult to see that a once-off knowledge dump about the topics outlined above is just not enough to achieve this.” She also points out that “Continuous training will also allow you to incorporate policy changes and information about the latest scams into your training.”
How do I measure effectiveness?
According to Cofense,[3] “the key metric in phishing preparedness is resiliency, or the ratio of users reporting a phish to those that fall susceptible. A ratio of 1 to 1 is a decent start, 2 to 1 is good, and anything above 3 to 1 is exemplary.”
While companies like Cofense offer products that analyze the results of phishing campaigns and provide detailed reports and/or follow-up simulations, it is possible to have a lower-cost program that is just as effective. If you have a method to track the number of clicks and the number of reports compared to the number of emails sent, you can compute your own resiliency score.
As far as reporting rate, there does not appear to be a consensus on what constitutes a healthy reporting rate. Cybersecurity vendors and experts cite different numbers based on industry, company systems and even company culture. The minimum appears to be at least one phishing email per month, although this seems low considering that Symantec’s 2019 Internet Security Threat Report claims 1 in 323 emails sent to small businesses are malicious.
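As an added example (not code from the article, from Cofense or from any vendor it names), the following computes click rate, report rate and the resiliency ratio from a per-recipient record of one simulated campaign, bands the ratio using the 1:1 / 2:1 / 3:1 thresholds quoted above, and avoids dividing by zero when nobody clicked. The `Recipient` record and the ten-user sample are constructed for illustration.

```python
# Added example (not the article's code): resiliency from phishing-simulation results.
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Recipient:
    user: str
    clicked: bool   # fell susceptible: clicked the link or opened the attachment
    reported: bool  # used the reporting button or mailbox

def summarize(results: Iterable[Recipient]) -> dict:
    """Click rate, report rate and resiliency (reporters / susceptible).
    A user who clicks and later reports counts on both sides; resiliency is None
    (rather than a ZeroDivisionError) when nobody fell susceptible."""
    rows = list(results)
    if not rows:
        raise ValueError("no recipients in campaign")
    susceptible = sum(r.clicked for r in rows)
    reported = sum(r.reported for r in rows)
    return {
        "sent": len(rows),
        "susceptible": susceptible,
        "reported": reported,
        "click_rate": susceptible / len(rows),
        "report_rate": reported / len(rows),
        "resiliency": None if susceptible == 0 else reported / susceptible,
    }

def rate_resiliency(ratio: Optional[float]) -> str:
    """Map the ratio onto the 1:1 / 2:1 / 3:1 bands quoted from Cofense in the text."""
    if ratio is None:
        return "undefined (no susceptible users)"
    if ratio > 3:
        return "exemplary"
    if ratio >= 2:
        return "good"
    if ratio >= 1:
        return "decent start"
    return "below 1:1"

# Constructed sample: ten recipients, two clicked, four reported (one did both).
SAMPLE = [Recipient(f"user{i}", clicked=c, reported=r) for i, (c, r) in enumerate(
    [(True, False), (True, True), (False, True), (False, True), (False, True)]
    + [(False, False)] * 5)]

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(stats)
    print("resiliency:", rate_resiliency(stats["resiliency"]))  # good
```

Run the same summary on each campaign and keep the series; a rising resiliency ratio alongside a rising report rate is the trend the article's metric is meant to show.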
Who should participate in company cybersecurity training?
Who to train is just as important as what topics to cover. All employees who use email on your company portal should receive training in how to identify cyberattacks. While many social engineering attacks target employees with the authority to transfer funds, they are not the only victims. Pretexting scams happen when hackers call different individuals within the company to obtain small pieces of information, then piece them together to impersonate a person of authority and pull off a larger scam.
The most successful training programs have participation at all levels of the company. It’s important that your board and executives participate and offer support.
About the Author: Alex Keene manages the marketing, communication, profitability and development aspects of the Treasury management and payment solutions products at SouthState Bank. She has over 25 years of experience in Treasury management product management, sales, operations and payment fraud prevention. Keene received a bachelor's in economics from Southwestern University and a master's in project management from George Washington University.
Disclaimer: SouthState Bank has no affiliation with any of the vendors mentioned in the article above and does not endorse them. The vendors are mentioned as possible resources to consider as you evaluate your cybersecurity training options.
[1] Source: 9+ Small Business Cyber Attack Statistics [2023 Update] (businessdit.com)
[2] Source: Cofense PhishMe Enterprise Phishing Susceptibility and Resiliency Report
[3] Source: A Closer Look at Phishing in the Financial Industry (Cofense)