IT security hygiene: Prioritising cybersecurity training and awareness
John Trest of VIPRE Security
Cybersecurity remains a critical challenge for both small and large businesses, particularly as workforces continue to work from home, and with the amount of cyber attacks increasing. Yet, a recent survey found that 41% of employees are still not provided with adequate cybersecurity training, and 33% of companies are not offering any cybersecurity awareness training to users who work remotely, as John Trest, chief learning officer at VIPRE Security, reports.
IT security hygiene measures and particularly the lack of them are one of the most common reasons why cybercriminals gain access to business-critical systems in the first place. With humans as the first line of an organisation’s defence, John Trest, chief learning officer, VIPRE Security Group emphasises that the key to reducing cyber threats and mitigating human risk is by prioritising and investing in the right security awareness training.
The threat landscape
Cybersecurity is an issue that affects nearly every industry, and businesses of all sizes. From ransomware, phishing to malware, and new innovative methods and technologies being utilised by attackers, it is becoming increasingly difficult for businesses to stay one step ahead and secure their infrastructure.
Combined with the challenges that hybrid working brings, it creates the perfect storm for cyberattackers to take advantage of. According to the latest report, remote work during the COVID-19 pandemic drove a 238% increase in cyber attacks, as attackers leveraged the fact that employees are away from IT teams, and are working on potentially open networks, or surrounded by new distractions.
Within the rapidly evolving cybersecurity landscape, it is crucial that businesses invest in its IT security hygiene by implementing the right measures to prevent such attacks. However, despite there being a number of technologies available to help improve businesses IT cybersecurity posture, 95% of cyber security breaches result from human error. And therefore, if employees are not educated in how to keep themselves and others safe from an attack these technological investments are set to fail before they even begin.
Training and education
Any effective digital security approach must start with security awareness, by teaching employees about the ever-evolving threat landscape. By having a security awareness programme in place, users are encouraged to adopt safe security best practices and form habits that will keep them and the company’s data safe from bad actors. However, traditional security awareness initiatives frequently fall short in terms of sustaining staff engagement, which limits their effectiveness being a once a year tick box exercise. Instead, it is vital that businesses invest in engaging, frequent training content for their employees to improve workforce retention and to strengthen its security measures. Learners typically forget 90% of what they learn in a class or course in a matter of weeks. Therefore, it is necessary to reinforce training on a regular basis to keep up the retention of information, and thus the knowledge of the learner to apply best practices in the event of a cybersecurity attack or incident.
Adaptive learning is a powerful teaching tool created to complement human learning styles in order to increase security awareness engagement and strengthen the businesses’ overall security posture. By offering employees a personalised learning experience, any weaknesses or needs can be easily identified, and the learning can be tailored to the individual. This especially helps in situations where a course must be deployed to learners at varying levels of understanding on a topic. Often, training administrators must accommodate employees who may be new to the idea of cybersecurity but also employees, such as IT staff who are very familiar with this subject. If a learner can be given content that can adjust itself to the level of their understanding or at least allow a learner to skip material they are already familiar with, then this will help motivate the learner to pay attention as well as make the best use of the limited time they have for training. If adaptive options are available in an organisation’s training, then they should certainly be considered.
Investing in cybersecurity training has become essential for business survival, with research finding that security-related risks are reduced by 70% when businesses invest in training and awareness. It enables organisations to reach the goal of creating a security-conscious culture and protecting them from potential security threats.
Legislative changes
Given the variety of existing regulations, requirements and legal guidelines, it may come as a surprise that until recently, there have been no specific rules in place dedicated to procedures for internal security training and education for employees.
Many companies may have internal rules in place regulating who has the authority to open certain files, for example – but these rules are rarely maintained, reviewed or updated. Furthermore, with the cybersecurity landscape constantly changing and evolving with new sophisticated attack methods, it is vital that employees remain updated and aware of the potential threats they face.
Thankfully, the emergence of NIS 2 (The Network and Information Security Directive 2.0) is expected to place legal requirements on IT security training for employees across Europe, pushing it up the priority agenda for organisations.
The NIS 2 directive outlines that both essential and important entities should implement additional cybersecurity risk-management measures that are commensurate with the cyber risk, including; risk analysis, information security policies, and business continuity (backup management and disaster recovery) ensuring basic ‘cyber hygiene’ practices and offering cybersecurity training. The implementation of the NIS 2 directive should be seen as a positive strengthening cybersecurity resilience across Europe with a specific focus on appropriate training procedures.
Conclusion
Businesses that lack adequate cyber hygiene best practices and measures put themselves at a higher risk of a cyber-attack. A key factor of any organisation’s cybersecurity defence is its workforce, as the responsibility of clicking on a link, or sending an email to the right person lies with the individual. Therefore, business ideas need to prioritise their security investment by making education and awareness a top priority which will continue to be driven with new legal regulations coming into place, such as NIS 2. Companies cannot expect their employees to remain ahead of evolving risks without training. Security Awareness Training enables users to become more vigilant and security conscious, in turn, helping to reduce an organisations cyber risk whilst encouraging secure user behaviour in the workplace and at home.
The author is John Trest, chief learning officer at VIPRE Security.
Comment on this article below or via Twitter @IoTGN