Cybersecurity awareness training is the most potent weapon MSPs can use to defend against breaches and cybercriminals. However, it is essential to remember that the training is not a one-and-done proposition, it needs to be updated continuously, and the trainers need training too.
“I’ve seen MSPs create their own amazing user training programs and continue to use the same programs year in and year out, and while some information will remain the same, in the IT space, 2018 might as well be 1918,” says Dave Rigby, a cybersecurity trainer in Pittsburgh. “The cybersecurity landscape is constantly changing, so that training that was effective yesterday may not be today.”
In fact, TalentLMS, a training firm, reports that 69 percent of surveyed recipients said they received cybersecurity training for their employers, but when asked to take a basic quiz, 61 percent failed.
“This is a startling statistic illustrating the gap between trainers and those being trained. Part of the problem is that the training is often outdated, you to constantly update the training and do it in user-friendly ways,” Rigby notes.
SecurityWeek agrees with the assessment that updating cybersecurity awareness training is critical:
In cybersecurity, threats, and the solutions to fight them, are constantly evolving, so your security operations center needs to have staff that’s up to date on both.
And, according to InformationWeek, cybersecurity experts think training after an infraction is also an excellent reinforcement tool besides regular cybersecurity training:
Rather than just checking boxes, some companies are looking to deliver cybersecurity education at the point of an infraction, strengthening the reinforcement of the message and improving the company’s cyber security posture.
Rigby recommends that cybersecurity awareness training should include a comprehensive set of topics to help individuals understand the various threats in the digital world and how to protect themselves and their organizations against them. These include:
Password security: Employees should be taught how to create strong passwords and how to protect them from theft. This includes not sharing passwords, using two-factor authentication, and regularly updating passwords. Password security has become a much more important topic over the past five years, and training needs to be updated to reflect this.
Phishing: Phishing attacks are one of the most common forms of cyberattacks. Employees should be taught to identify phishing attempts, including email, text messages, and social engineering attacks. That part of cybersecurity training has stayed relatively consistent over the past few years; however, Rigby warns the phishing methodology has become more sophisticated, and training should reflect updated phishing threats.
Malware: Malware is malicious software that can infect computers and steal data. Employees should be taught how to identify and avoid malware, including using anti-virus software and keeping their devices up to date.
“But malware has changed so much; you must update training to reflect the latest threats. Many MSPs and CISAs don’t do that,” Rigby advises.
Social engineering: Social engineering uses deception to manipulate individuals into divulging confidential information. Employees should be taught how to recognize and resist social engineering tactics.
“The social engineering methods have become much more sophisticated, and training needs to include some of these changes,” Rigby says.
Data protection: Employees should be taught how to protect confidential information, including the proper handling and disposal of data, as well as the use of encryption and other security measures.
Incident reporting: Employees should be taught how to report incidents, including the steps to take if they suspect a cyberattack has occurred or if they accidentally reveal confidential information.
Mobile device security: With the increasing use of mobile devices, employees should be taught how to secure their phones and tablets, including passcodes and encryption, and avoid using unsecured Wi-Fi networks.
“You’d think the pandemic would have changed this, but far too many training programs still focus on traditional workstations, not mobile devices,” Rigby says.
Remote work security: With more employees working remotely, cybersecurity awareness training should include best practices for secure remote work, including using virtual private networks (VPNs) and other security measures to protect against cyberattacks.
“However, VPNs are not foolproof, and that part of the training must also be updated,” Rigby says.
Compliance: Depending on the industry, employees may be subject to regulatory requirements for data privacy and security. Cybersecurity awareness training should include information on compliance requirements and how to meet them.
Overall, cybersecurity awareness training should be an ongoing process, with regular updates and reinforcement to ensure that employees stay up to date with the latest threats and security best practices.
Photo: Andrey_Popov / Shutterstock