Cyber Awareness Training Requirements for Employee Security

JonSantavy
6 min read · Aug 9, 2018

Annual cyber awareness training requirements are popping up everywhere, and from everyone.

You’re being asked to deploy a cyber awareness program and train employees on cybersecurity annually because your business can put your customers, your vendors, your employees, and your business at risk. The increasing risk from each of those stakeholders translates to a requirement for annual cyber awareness training for your employees.


Who Requires Cybersecurity Awareness Training?

We mentioned four stakeholders with an increasing risk — your customers, your vendors, your employees, and your business. Requirements for cyber awareness training from each of the stakeholders come from varying risks with a common denominator — people.

We’ll describe how and why these stakeholders require employee training.

Your Customers — If you’re selling B2B, meaning that your customers are other businesses, it’s likely that you’ve seen a requirement for annual cyber awareness training for employees already. The reason is that you put your customers at risk in two ways.

  1. You likely hold sensitive information about your customers. That might be Personally Identifiable Information (PII) like a name, social security number, mother’s maiden name, date and place of birth, etc. You might hold credit card information (many retailers), confidential information (law firms, accountants, doctors, consulting firms, etc.), or their customer list. Just by holding this information your customers are at risk, so they require basic best practices like annual cybersecurity awareness training for your employees. One important tip for reducing this risk for you and your customers is to hold only the information that is necessary to do business. This is one of my favorite requirements in the new GDPR regulations, and something that our team has always practiced. Only keep information that you need to provide the service that you offer. You might want to keep dates of birth, social security numbers, credit card information, etc. on file, but if all you really need is a username and login, then don’t keep anything else.
  2. The second reason that you put your customers at risk is that the bad guys can use your business like a Trojan horse to access your customers. For example, the Target hack back in 2013 started with their HVAC company. Hackers know that it’s difficult to get inside a large organization with strong security and infrastructure, while it’s relatively easy to get into a small or medium-sized business with a minimal investment in security. Because of these risks, your customers now require their vendors (you) to deploy cyber awareness training for your employees.

Your Vendors — That’s a nice segue to the second group: your vendors. As companies, especially small businesses, outsource functions like HR, IT, Finance, etc., they integrate more closely with third parties and give up control of their security. Third-party risk assessments are now commonplace as organizations attempt to minimize the risk from their customers, vendors, partners, etc. One of the biggest triggers for our customers to contact us the first time is when they complete a third-party risk assessment that asks if they have an annual employee cyber awareness program in place for training employees.

Your Employees — Employees may not require employee awareness training in the sense that they demand it, ask you to check the box that you’ve done it, or heck…even think about it. But their information is at risk and it’s your job to protect it. Names, addresses, social security numbers, W-2s, passwords (for everyone’s sake, please do not store passwords as plain text; this is too common, and too preventable), etc. are types of information that you hold and that put your employees at risk.

Your Business — Your business has its business-critical crown jewels. That might be the data in your CRM, intellectual property, PII, strategic plans, or other key competitive information. The crown jewels often make up a large portion of the value of the company, so protecting them is vital for the organization.

Why is Cyber Awareness Training So Important?

Cyber awareness training is a vital part of any information security program. The reason is that most cyber breaches start with some type of human error. According to Egress, that number is about 62%. When a business starts to identify the risks in its security posture, people are always one of those risks: their own people, and the people in organizations connected to them.

Security training is one of the best ways to manage and minimize this risk. The goal of training is to help employees to identify and mitigate security risks. Learn more about starting and deploying an information security awareness training program.

How Often Should You Run Security Training?

In every checklist, compliance document, risk assessment, etc. you’ll see the word annual. That’s because continuous, annual training is key to raising awareness for employees and minimizing the risk for a business. We recommend training employees at least once a year, and reinforcing training with quarterly phishing campaigns. Continuous programs like this keep information security at the front of an employee’s mind, and remind them that they play an integral role in keeping the organization safe.

What Does a Good Employee Cybersecurity Training Program Look Like?

A good employee cybersecurity training program should train employees on common threats that they are likely to face. This should include physical security like guest access, locking computer screens, and USB device use, and cybersecurity best practices like web browsing, email use, social engineering, etc. We list the most important topics in What is Security Awareness Training?

Since one of the most common threats for employees is phishing, a good security training program should include simulated phishing attacks. We recommend running these quarterly, and tracking employee opens and clicks year over year to see how they respond and improve. Here’s an example of one of the phishing examples available in the Wuvavi Phishing Simulator and how employees can identify these lookalike attacks.

One common factor in most successful phishing emails is trust. If an attacker can establish trust with the recipient, the likelihood that the recipient performs a desired action increases significantly. Establishing trust is easy if the attacker can look like something the recipient already trusts. For example, Amazon. Almost everyone knows Amazon and has an account, so it’s easy to establish trust quickly with an Amazon lookalike email and trick the recipient into providing their password or confirming their credit card information.

Two Best Practices to Identify a Lookalike Phishing Email (from wuvavi.com):

  1. Check the actual sender to confirm the sender is who you expect it to be (in this case Amazon).
  2. Hover over links in the email to confirm they are going where you expect.

Be aware that attackers are becoming more sophisticated and improving their craft. While a link may be easy to spot as being fishy, it may be cleverly disguised. For example, by replacing the ‘o’ in Amazon with a zero (Amaz0n), or a similar character, a recipient may miss the slight change.
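The two best practices above are exactly what a mail filter or a phishing-report triage script does mechanically, so here is an added example (not code from the original post or from the Wuvavi product) that applies both to a message. It folds visually confusable characters (a zero for ‘o’, ‘rn’ for ‘m’, a few Cyrillic letters) into a "skeleton" and compares that against an allow-list of expected domains, and it checks that a link’s visible text and its real target agree. The allow-list, the confusables table and the sample messages are all constructed for this example; the registrable-domain helper is a deliberate approximation that does not handle multi-label suffixes such as .co.uk.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains this organisation expects mail and links from
# (an assumption for this example; a real deployment maintains its own).
TRUSTED_DOMAINS = {"amazon.com", "example-bank.com"}

# Visual look-alike characters mapped back to the letter they imitate.
# Hand-written and deliberately small; Unicode's confusables table is far larger.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic s
    "\u0455": "s",  # Cyrillic dze
    "\u0456": "i",  # Cyrillic i
}

def skeleton(name):
    """Fold a domain name to what a reader *sees*: lower-case, confusables replaced,
    and two-letter pairs that imitate one letter (rn -> m, vv -> w) collapsed."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())
    return folded.replace("rn", "m").replace("vv", "w")

def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (fine for .com-style
    names; suffixes like .co.uk would need a public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def sender_domain(from_header):
    """Best practice 1: use the domain of the *actual* address in the From: value,
    ignoring the display name ('Amazon <x@amaz0n.com>' -> 'amaz0n.com')."""
    match = re.search(r"@([^\s<>@]+)", from_header)
    return registrable_domain(match.group(1)) if match else ""

def classify_domain(domain):
    """'trusted' if on the allow-list, 'lookalike' if it matches an allow-listed
    domain only after folding confusables, otherwise 'unknown'."""
    d = registrable_domain(domain)
    if d in TRUSTED_DOMAINS:
        return "trusted"
    if any(skeleton(t) == skeleton(d) for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def check_email(from_header, links):
    """Apply both best practices to one message. `links` is a list of
    (visible link text, real href) pairs. Returns a list of findings;
    an empty list means nothing looked suspicious."""
    findings = []
    sender = sender_domain(from_header)
    verdict = classify_domain(sender)
    if verdict != "trusted":
        findings.append(f"sender domain {sender!r} is {verdict}")
    for text, href in links:
        actual = registrable_domain(urlparse(href).netloc)
        verdict = classify_domain(actual)
        if verdict != "trusted":
            findings.append(f"link {text!r} goes to {actual!r} ({verdict})")
        # Best practice 2: if the visible text names a domain, it must match the real target.
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(0)) != actual:
            findings.append(f"link text shows {shown.group(0)!r} but points to {actual!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample messages (not real mail).
    genuine = ("Amazon <ship-confirm@amazon.com>",
               [("https://www.amazon.com/orders", "https://www.amazon.com/orders")])
    lookalike = ("Amazon <account-update@amaz0n.com>",
                 [("www.amazon.com/verify", "http://login.amaz0n.com/verify")])
    for header, links in (genuine, lookalike):
        print(header, "->", check_email(header, links) or "no findings")
```

The skeleton comparison is what catches the Amaz0n case from the text, and the same fold catches "arnazon" and a Cyrillic "а" without any per-variant rule. In a real mail pipeline the allow-list would be the set of brands the organisation actually does business with, and anything classified "lookalike" is a good candidate for the quarterly simulation debrief, since it is exactly the kind of change the article says a recipient is likely to miss.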

You can build your own cyber awareness training program, or use an out-of-the-box solution. Wuvavi is an enterprise-grade employee cybersecurity platform designed for small and medium-sized businesses. Wuvavi allows companies from a single employee, to hundreds, to thousands to sign up and deploy a cybersecurity awareness training and phishing program in minutes. You can try it out at no cost with a 14-day free trial (no credit card required).

Good For Your Customers, Your Employees, and Your Business

Traditionally, cybersecurity has sat in the hands of IT. As the impact of cybersecurity increases alongside the risks, we’re finding that cybersecurity is something that should be managed by all stakeholders in an organization. Cybersecurity should be used as a differentiator to increase confidence with customers and prospects, and to ensure the long-term success of your business.

Originally published at wuvavi.com on August 9, 2018.
