Information Security Training for Employees How To

Information security training for employees increases awareness of information and cyber security risks for general employees. Traditionally, information security has been placed solely on the shoulders of the information technology team (IT), but cyber criminals have found it’s easier to gain access to an organization through their employees than by finding a way to bypass security infrastructure.

As employees became the target, the need for training has increased. Information security training for employees is not new — in fact the Fortune 500 and large organizations with sensitive information have been training their employees for decades. However, the need for small and medium sized businesses to deploy information security training for employees is relatively new, and growing quickly.

Industry Demands for Information Security Training

The traditional industries that require information security training for employees are those that hold sensitive information. The most common or well known companies that have invested in awareness training include the following.

  • Banks
  • Healthcare
  • Law Firms
  • Fortune 500 organizations
  • Software/Technology
  • Government/Military

However, information security training for employees has grown beyond these sensitive industries. Companies that would have never considered cybersecurity awareness training a few years ago are now embracing the investment. Industries like the following:

  • Accounting
  • Manufacturing
  • Lawn care
  • HVAC
  • Construction
  • Small consulting businesses
  • Retail
  • Farms
  • Financial Planning
  • Family owned business
  • Title Insurance and Clearing
  • Junk Yards
  • Small doctors office
  • Physical Therapy
  • Dental
  • Eyecare
  • Pharmacy
  • Nonprofit

Why Would a Small Business Care?

This list of less traditional businesses investmenting in information security training for their employees may be difficult to believe or digest. Here’s why a few of them are making the investment.

Title Insurance and Clearing

Social Engineering in the title insurance industry is increasing rapidly. In 2016, the FBI reported $19 million that was stolen/attempted to be stolen from home buyers. In 2017, that number increased to $969 million. Teaching employees about information security, social engineering, and how to identify a phishing attack will solve this problem.

HVAC

Hacking an HVAC company may not be the retirement plan for a hacker, but it might be in their path. There’s two examples of that. First, automated ransomware attacks are increasing in frequency. These attacks do not care about the industry, size, or people that are attacking; they are simply playing a numbers game. The goal is to install malware within as many companies as possible, and have a small percentage of them pay the ransom. If they can install malware in 100 companies, and receive a $2,500 payment on 10% of them, that generates a $25,000 pay day with very little effort. Secondly, companies like this can be the trojan horse that hackers use to walk into their bigger vendors. Take for example that infamous Target hack. Where did it start? The hackers gained access to their HVAC company. Therefore, many large organizations are now requiring all of their small business vendors to deploy information security training for employees.

Retail

Retail stores often have to comply with PCI Compliance which ensures all companies that use credit cards maintain a secure environment. However, the risk doesn’t start with credit cards. Take for example the story for an employee that received a call from someone impersonating the FBI demanding itunes gift cards in payment, and actually took money from the drawer, bought gift cards, and provided them to the “agent.” Training retail employees on information security maintains PCI compliance, and reduces the risk of other types of breaches like in this FBI impersonation.

Nonprofits

Nonprofits have tight budgets and live on reputation that drives donations. Their employees and volunteers are often less tech savvy than in, say, a software company, and their IT infrastructure is less secure making them an easy target. Hackers increasing target these nonprofit employees, so training them on information security awareness reduces the risk of a breach.

How To Provide Information Security Training for Employees

Information security training programs have many variables including topics and content, simulated phishing attacks, timing, delivery, tracking employee progress, and certifying completion.

  1. Topics and Content

An information security training program should cover all aspects of information security important for a general employee. While phishing is a hot topic, it’s not the only topic in information security, so an awareness program should cover much more. Here’s a basic list of topics that should be addressed, although this list is not exhaustive it shows the breadth of topics that should be covered.

  • Physical Security
  • Document Management
  • Guest Access
  • Locking Computer Screens
  • Passwords On All Devices
  • USBs
  • Cyber
  • Encrypted Connections
  • Web Browsing
  • Emails
  • Social Engineering
  • Phishing
  • Pretexting
  • Quid Pro Quo
  • Wifi Access
  • Password Management
  • Installing Software
  • Social Media
  • Suspicious Activity and Red Flags

2. Simulated Phishing Attacks

Phishing is a hot topic for a reason — it’s one of the easiest ways to gain access to an organization, and one of the hardest factors to control. Learn more about phishing with these 6 Examples of Phishing Attacks and How to Identify Them. That’s a great article and includes a SlideShare.

A simulated phishing attack is when a company send safe phishing emails to employees with the goal of raising awareness of the risk and training employees on how to identify a phishing email. Phishing programs typically track whether an employee opens and clicks links within the email. A good simulated phishing attack trains employees on various types of phishing emails and provides immediate feedback to the employee if they click on a link.

Simulated phishing attacks raises awareness in the organization for employees. By running simulated attacks, organizations can put their employees to the test and identify high risk employees for additional training. Learn how to run a phishing test.

3. Timing

Information security training for employees should not be a one and done endeavor because the threat is ongoing. The timing and cadence for an information security program is critical. Information security training should be required during onboarding to show the importance of security to the organization. Learn more about creating a culture of cybersecurity awareness.

Best practice is to train employees one to two times per year with quarterly simulated phishing campaigns.

4. Delivery

Information security training for employees should be delivered through various channels. First, it should be at least mentioned weekly in team meetings to keep security front of mind. Second, information security training should be delivered in a way that employees can access training when they have the time — whether that’s bringing the organization into the conference room or providing an online training program that can be accessed anytime and from any device.

5. Tracking Progress and Certification

Finally, an information security training program must be able to track progress of each employee and certify they’ve completed training. This is required to maintain compliance when security training is part of a requirement from insurance, customers, or industry standards.

A cybersecurity awareness program can be developed in house. Developing a training program is an opportunity for IT, HR, and leadership to work together to define how cybersecurity fits into the business goals, and what policies, programs are important for employees to follow. You can consult with outside companies to develop a program, or utilize an out of the box information security training program.

Deploying an Employee Cybersecurity Program

While you can develop a program in house, and for some organizations that may be the right decision, it’s much easier and cheaper to use an out of the box solution. Wuvavi specializes in information security training for employees and provides the only enterprise grade employee awareness program designed for small and medium sized organizations.

The team at Wuvavi came from a small business that needed to implement information security training for employees to comply with a customer request and new business insurance. All of the services available for training employees were tailored for the Fortune 500, and made training their smaller organization complex and expensive. The Wuvavi team wanted to build a program that was affordable for small and medium sized businesses, and easy to deploy. The main goal has always been to create an employee awareness program that any sized organization can sign up and deploy in under three minutes.

The process is simple.

  1. Sign up for a free trial or view pricing
  2. Add employee emails
  3. Enroll them in training and/or phishing
  4. Track their progress

Wuvavi provides an enterprise grade employee awareness program that’s simple to use and affordable for SMBs.

Before you go

Jon Santavy is the CEO of Wuvavi (www.wuvavi.com) — the world’s leading employee cybersecurity awareness platform for small and medium sized business. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers reduce their employee related cybersecurity risks and create a culture of awareness in their organization.

Originally published at wuvavi.com on August 2, 2018.

Wuvavi