According to a study by Kaspersky Lab and B2B International, the actions of careless and uninformed employees are a leading cause of serious IT security breaches, second only to malware attacks. Even when a security incident is caused by malware, employees’ actions are often a contributing factor.
These study findings point to the widespread need for company-wide IT security training. Such training can mean the difference between employees being a security liability and being a security asset. While many businesses know they should be training their employees, they might not know where to begin. Specifically, companies often do not know how often to provide the training, what to cover, and how to make it effective. If your business has these questions, here are some practical suggestions to get you started with IT training.
How Often to Schedule IT Training
When it comes to IT security training, we do not recommend taking a “one and done” approach. Instead, you should provide ongoing training to your employees, because cybercriminals are constantly changing their tactics and devising new cyber threats. Because common attack tactics change so frequently, it is critical that your IT team stays current on the latest cyber trends.
According to a Finn Partners survey, only a quarter of employees receive cybersecurity training at least once a month. This number is far below the recommendation of the organization that oversees the United States’ Health Insurance Portability and Accountability Act (HIPAA), which recommends monthly security updates in addition to bi-annual training for all companies.
Although there are expenses associated with providing ongoing training, the costs incurred from a serious IT security incident are much higher. In 2017 alone, phishing and business email compromise (BEC) scams set US companies back $705 million. Cybersecurity training for employees is an investment that can save your business thousands or even millions of dollars in the long run.
What to Include in IT Training
IT training will look different for every company. Tailor your training program to meet your company’s needs. It should cover the specific types of IT security risks that your employees might face on the job. The program also needs to outline the security requirements employees are expected to meet. This is particularly important if your business must comply with any industry or government regulations such as HIPAA or the European Union’s General Data Protection Regulation (GDPR).
Topics commonly covered in IT security training include:
- The importance of strong, unique passwords and how to create them
- The different types of malware (e.g., ransomware, spyware) and how they are spread
- Email security, including how to identify phishing emails and BEC scams
- What employees should do if they receive a suspicious email or encounter another type of IT security problem
- How to safely use the Internet
- Social engineering threats
- How to use mobile devices securely
- Physical IT security measures
- Your company’s specific IT security policies
It is not wise to assume that your employees already know the best practices for cybersecurity. All employees—including managers and executives—should receive basic security training. Some employees might need additional instruction that is specific to their particular jobs.
How to Make IT Training More Effective
Provide Short Training Sessions
IT security training will be pointless if your employees do not remember any of it. Fortunately, there are several ways to make your IT security training more memorable and effective. For starters, you should hold short training sessions rather than marathon meetings. Bombarding employees with information for many hours results in information overload, causing them to forget most of it. Instead, provide ongoing training in small chunks so that employees retain the information. Shorter sessions are also easier for them to fit into their work schedules, which is likely to lead to better attendance.
Include hands-on activities in the training sessions to help employees remember the information presented. For example, in addition to discussing how to spot phishing scams, you could place the employees into small groups, give them copies of emails, and have them pick out the ones they think are phishing scams. Give them opportunities to practice what they’ve learned.
Share Relevant Information
Another way to increase the effectiveness of your training is to make the information relevant to employees on a personal level. For example, a good way to get employees interested in how to use company-owned mobile devices securely is to start by discussing how they can protect their personal smartphones (e.g., only use hotspots known to be safe and reliable). Once they learn smart security habits in their personal lives, they will be more likely to practice them at work.
Test Their Knowledge
Finally, after employees have completed their training on a particular topic, you might consider testing what they have learned. For instance, after covering how to spot phishing emails, you could send out a fake phishing email with a suspicious link. If clicked, the link could lead to a safe web page that states the phishing email was an IT security training exercise. This type of testing can reinforce what employees have learned. It can also help determine the effectiveness of the training.
It is important to follow up with employees after the test, especially with the individuals who clicked the suspicious link. However, you should never embarrass or scold these employees during this discussion. Instead, you should use this as an opportunity to offer them additional training and resources and answer any questions they might have.
Your Employees Are an Important Part of Your Line of Defense
Educating employees about IT security is important. With training, they can bolster your line of defense against cyberattacks rather than be a weak link in it. To make this happen, you need to develop an effective IT training program that will teach your employees what they need to know to help keep your business secure. If you are uncertain of what to include, contact our team. We are happy to suggest relevant topics based on your business’s IT environment.