Can employees learn not to make cyber security mistakes?
We’ve long maintained that technical means alone are not enough to protect a business from cyber threats. A single person can negate the effort of an entire information security team. In many cases this is unintentional: the result of lacking basic cyber security knowledge, being unaware of threats, or a lapse in attention.
Here, however, complications may arise. The person who decides that staff awareness needs to be raised is not necessarily the person responsible for arranging the training. And although the former sees an obvious problem, the latter may not have a solid understanding of what cyber security training is, how to train staff, or even why the training is needed.
Understanding the problem
Let’s imagine that you’ve been tasked with raising cyber security awareness. First, what does cyber security awareness really mean? To nail that down, Kaspersky worked with a market research firm to gather input from 5,000 companies around the globe about their understanding of the problem and the role of individual employees in certain cyber security incidents. In short, Kaspersky found:
- 46% of incidents in the past year involved employees who compromised their company’s cybersecurity unintentionally or unwittingly;
- Of the companies affected by malicious software, 53% said that the infection could not have happened without the help of inattentive employees, and 36% blamed social engineering, meaning that someone intentionally tricked the employees;
- Targeted attacks involving phishing and social engineering were successful in 28% of cases;
- In 40% of cases, employees tried to conceal the incident after it happened, amplifying the damage and further compromising the security of the affected company;
- Almost half of the respondents worry that their employees inadvertently disclose corporate information through the mobile devices they bring to the workplace.
Teaching cybersecurity awareness
The “how” part of the equation is also very important. Multiple courses, lectures, and workshops are available. But training means spending time and money, so you need to be sure you’ll get results.
Take, for example, the problem of incident concealment. You can gather employees and tell them that reporting cybersecurity incidents is important. They will probably say they understand — and keep concealing the incidents, hoping to evade responsibility.
A better approach is to understand their motivation first. In many cases, employees were informed of the strict rules by their managers or information security officers, but no one really explained the rules to them. Sometimes, management and the information security team also require training: training on how to explain the rules.