CEO of DKBinnovative, a leading managed IT services firm that offers secure, reliable solutions to small and medium businesses globally.
There is a reason why phishing is one of the most common cyber threats: It works. Phishing, the practice of sending fraudulent emails to obtain sensitive data such as passwords or credit card numbers, is a cheap and easy way for cybercriminals to make money. After all, it’s just a numbers game; it only takes one unsuspecting recipient to make it well worth a hacker’s time.
It’s hard to blame employees (or anyone) for falling for these emails. Many people aren’t naturally skeptical of emails, and when they see an email that appears to come from the corporate office or a reputable business, their first instinct is likely to click on it.
Additionally, phishing scams are getting more sophisticated all the time. While most people wouldn’t wire money to someone they’ve never met, they might fulfill an odd request from their boss, such as sending money, buying gift cards or logging into a fake portal for an “emergency” password reset.
Instead of allowing your employees to be your company’s most susceptible targets, it’s important to educate them on cybersecurity. Here’s why:
1. Your company can avoid cyber breaches.
Avoiding a breach is an obvious benefit (and the main purpose of cybersecurity training, really). But why focus on training and not another measure?
Human error accounts for the vast majority of successful breaches. Proofpoint’s 2020 User Risk Report (registration required) found that only 49% of respondents knew the definition of phishing. Baby boomers outperformed other generations in identifying key cybersecurity terms.
This lack of understanding indicates a huge gap in education and a huge opportunity as well. It’s difficult to expect your employees to keep your data safe if you don’t provide them with the tools they need. Aside from financial, productivity and reputation losses, breaches can also affect morale. No employee wants to be unwittingly responsible for causing your business harm.
2. You can ensure your company meets security requirements.
Training your employees will help you keep on top of the long and growing list of compliance and reporting requirements. A one-time training won’t cut it. Make sure your training program is ongoing so that you receive updates as requirements change and so that you educate new employees.
Much like cyber breaches, the costs of non-compliance reach beyond the financial. In addition to a fine, your company can suffer reputational and productivity costs due to audits and remediation efforts.
3. Your employees might be able to earn CPE credits.
When working with your internal or external IT team on setting up your training program, ask if the training can earn your employees continuing professional education credits. This is a win-win for your organization and employees.
Employees who are interested in continuously developing their skills (or are required to because of their job function) will appreciate you taking the guesswork out of training. They will especially appreciate you paying for it. If employees earn credits, you might also find they are more motivated to complete the training.
Making Cybersecurity Training A Success
Beyond understanding the importance of cybersecurity training, it’s also important to keep a few best practices in mind when getting your program started:
1. Commit to ongoing training. Hackers are constantly changing tactics, so keeping your employees aware of trends requires ongoing education. This doesn’t have to interrupt productivity; you can greatly mitigate your cybersecurity risk with just 10 to 15 minutes of training a month.
2. Tailor your lessons. Customize your training to fit the needs of your firm, and consider the compliance requirements in your industry. If you’re in health care, for example, you’ll want to spend significant time on HIPAA.
3. Make it fun. Gamify the process so your employees don’t consider training another chore. Consider holding contests for gift cards or even just bragging rights.
4. Keep them motivated. Consider rewarding your team for successfully identifying phishing scams. I recommend ongoing phishing testing as part of your training program (i.e., sending fake phishing emails to see if your team can spot them). Keep score every time an employee identifies and reports a scam email, whether it is a simulated test or a real attack. Name a winner every month or quarter, and hand out gift cards to the winners.
Training can be effective and inexpensive, especially compared to the expense of a breach, which a report by IBM placed at a total average cost of $3.86 million. Training is not an expense; it is an investment.