Smarter MSP has written frequently about the positive impact of employee training on cybersecurity readiness. Education and training are the cheapest and most effective weapons one has against bad actors.
A recent report on cybersecurity and privacy underscores the vulnerability many companies still face when it comes to the end-user. For instance, a full quarter of employees still believe clicking on a link or an email attachment poses little risk. And only 25 percent of those surveyed were very confident they could identify a social engineering attack if one occurred.
“This shows me that MSPs and CISOs still have a lot of work to do,” shares Jonathan Fisher, an independent cybersecurity analyst in Montreal who looked at the report.
While 40 percent of those surveyed said they understand “very well” what a phishing attack is, the number drops significantly for equally troublesome threats like business email compromise, spear phishing, vishing, and smishing.
Frequency of cybersecurity training
One of the striking things about the report is that it shows how the frequency of training drives home the urgency and refreshes best practices. Those who underwent training once a month were almost a third more likely to understand the dangers of clicking a suspicious link than those who underwent twice-yearly training.
“Frequency equals urgency,” states Fisher. “If you are just half-heartedly training people by giving them a once or twice a year refresher, that says that cybersecurity isn’t critical.” Companies can resolve this by making cyber awareness part of someone’s job.
“A monthly or bi-monthly cybersecurity awareness seminar would do wonders to drive up the importance of the issues,” suggests Fisher. “And if the company isn’t going to do it, or doesn’t have the resources, an MSP should make training part of their service package.”
Government, healthcare, and education entities are behind others in awareness of the cyber dangers out there. Consider this part of the report:
Employees in the government and healthcare space are significantly less confident about addressing several important issues relative to security best practices. For example, only 14 percent and 22 percent of government and healthcare employees, respectively, are very confident that they can describe to their senior management the negative impacts posed by cybersecurity risks; by contrast, 47 percent and 50 percent of technology and finance employees, respectively, are this confident.
“That’s not good. I’d rather see these figures in some other space, like automotive or manufacturing. Seeing these numbers in two pillars of informational society is disappointing,” laments Fisher. “The government often lags, but in healthcare, there is no excuse for the lag.”
COVID strikes cybersecurity
One of the often-overlooked consequences of offices emptying and workers heading home is that regular refreshers and training programs were put on hiatus or shelved. The statistics bear that out:
- 23 percent had their training cease indefinitely as soon as the lockdowns began.
- 22 percent had their training stop temporarily as the lockdowns began, but then resumed.
- 55 percent of employees had continuous cybersecurity and data privacy training throughout the lockdowns.
“That’s a lot of room for people to get rusty and, if there is decent turnover, for some employees not to be getting cybersecurity training at all,” warns Fisher.
Life’s a breach
Interestingly, only 42 percent of employees believe it is likely or very likely that a significant privacy breach would damage their employer’s reputation. Another 38 percent expect it would mean lost revenue for their employer, and 34 percent believe their organization would receive significant fines from regulators.
“That shows a lot of employees ‘just don’t get it.’ A lot do understand, but many still don’t,” Fisher says. So, what is an MSP to do?
“On some level, you can only do so much. But every MSP must ask themselves: are we doing enough? Is the client doing enough?” advises Fisher. The MSP and client need to work hand-in-hand to increase the effectiveness and frequency of security training.
Give workers a run-down of what can happen to their company when it gets hacked and how it might impact them. “Make it personal,” suggests Fisher.
Carrot or stick?
Some companies come down hard on employees who fall for a phishing email or have sloppy cyber hygiene. Such penalties can include withheld pay and a reduction of benefits.
“I am not a fan of that route, but if you are going to take a punitive approach, you have to spell out clearly in advance what is expected and what the penalty is,” notes Fisher.
Fisher thinks the carrot is far more effective – and less costly. It can include bonuses or extra time off for employees who embrace holistic cyber-hygiene. “Make them stakeholders and part of a positive process, and you’ll see better results,” advises Fisher.
Photo: Andrii Yalanskyi / Shutterstock