Why We Love This Q1 Top Cybersecurity Control: Cybersecurity Training for Employees
One simple click of a link can open the door for attackers, leading to a serious ransomware attack or expensive data breach. According to IBM, the two most expensive types of cybersecurity incidents are phishing and business email compromise, which both cost businesses a whopping $4.9 million on average—and are caused by simple human mistakes. Cybersecurity training for employees is key to effectively defending against these types of attacks. IBM’s latest report shows that effective cybersecurity training for employees reduces the average cost of a breach by $247,758, and more importantly, it can prevent breaches from occurring in the first place. That’s why cybersecurity training for employees is our Top Security Control for Q1 2024 (you can see our full list of 2024 Top Security Controls here).
Unfortunately, not all cybersecurity training for employees really works. In this article, we’ll discuss factors that influence the success of your cybersecurity training program, which include the audience, delivery methods, content selection, format, frequency, consequences, and more. Read on for practical tips that will help you improve your cybersecurity training for employees, as well as a checklist for key components.
Everyone Needs Cybersecurity Training
Shockingly, only 56% of organizations train everyone, according to the latest “State of the Phish” report by Proofpoint—and a mere 35% run phishing simulations, which are an effective means to train users to resist the ubiquitous threat of phishing attacks. It’s no wonder that there are so many holes in our “human firewalls” when nearly half of organizations leave people out of cybersecurity training programs. Why are so many people not included in training programs? Often certain roles aren’t viewed as important enough to require training, or executives are considered too busy, or employees resist participation in training programs (engagement is key, as we’ll discuss in more detail later).
Whatever the reason, the simple fact that many employees are left out of training erodes security culture and leads to critical gaps in knowledge. For example, only 42% of employees knew that exchanging multiple emails doesn’t mean a sender is safe—which explains the rash of devastating business email compromise scams that caused over $2.7 billion in losses in 2022.
As a first step, make sure everyone in your organization is enrolled in cybersecurity training for employees, and routinely review engagement so that you can fine-tune your program.
Provide Specialized Training for Specific Roles
There is no such thing as an unimportant position when it comes to security. Cybercriminals target anyone they can, from the intern to your chief executive officer and everyone in between. Make sure everyone in your organization is included in your cybersecurity training program. In addition, it’s wise to have specialized or targeted training for people in specific high-risk roles, such as:
- Finance staff. Everyone with access to financial information needs training to resist attacks and scams. Even simple mistakes—such as accidentally emailing a scammer a list of customer emails—can result in targeted attacks against customers, major financial losses, and reputational damage. The rise of AI has enabled hackers from around the world to create effective phishing messages, making them difficult to spot. More devastating attacks can trick finance clerks into wiring money to a hacker’s account, paying fraudulent invoices, or purchasing gift cards and sending the codes to a hacker. Make sure everyone involved in finance is aware of common scams, including the latest tactics. Check out LMG’s short video on common business email compromise attacks, which you can share with finance staff and executives.
- Executives. All too often, executives are left out of cybersecurity training for employees because they are too busy or feel that their staff should protect them. Unfortunately, this can lead to devastating consequences, since executives often have special influence over the company’s public image and elevated access to information and resources. For example, when Twitter CEO Jack Dorsey’s account was hacked in 2019, it was a major black eye for the social media giant. “Whaling” attacks are social engineering attacks that specifically target executives. Cybercriminals research executive targets, often combing social media profiles, public news sources and videos, and even gathering information from data brokers and the dark web to craft specially-targeted attacks. It’s critical for executives to stay aware of the latest cybersecurity threats, including “whaling” and tactics similarly focused on executives.
- HR staff. Fake requests for W2 details are rampant, especially during tax season when hackers attempt to file fraudulent tax returns with the IRS and steal refunds. Attackers also try to lure HR staff into changing employee direct deposit information or providing sensitive employee personal information that can be used for identity theft and fraud.
- Sales team members. Attackers often solicit customer information so they can send fake invoices and similar scams to your customers. Your sales team is nice and friendly—and often all too ready to help a scammer.
- IT / Help Desk. Your technology teams hold the keys to the kingdom when it comes to accessing technology resources, including cloud apps, sensitive data repositories, remote login, and more. In the now-infamous MGM attack, hackers contacted the IT help desk and reportedly convinced IT staff to reset a user’s multifactor authentication, claiming they had lost their phone. This opened the door for a devastating ransomware attack, which caused an estimated $100 million in losses.
- Customer-facing positions, including call centers. With the rise in voice cloning and deep fakes, cybercriminals are escalating attacks against all customer-facing staff, leveraging weaknesses in authentication processes. Often, customers resist strong security measures and may even expect longtime business contacts to recognize their voices. Scammers take advantage and try to convince your employees to transfer funds or take other actions. For businesses that offer customer portals, scammers routinely call to reset passwords so they can break in.
- New employees. Cybercriminals routinely watch LinkedIn and other professional sites and flag new employees as easy targets. One very common scam is for criminals to text or email a brand new employee, posing as the “boss” or an executive. If the new employee responds, the criminals often ask the victim to purchase gift cards, saying it’s urgent and the boss is in a meeting. Then, the victim provides the codes to the criminals. These types of scams are extremely common, and are often very embarrassing for the new employee, as well as costly for the organization.
While it might seem like a lot of work to provide specialized training for specific roles, modern cybersecurity training platforms can actually make this very easy. For example, the KnowBe4 on-demand platform, which LMG’s team offers as our managed training solution, enables you to group employees based on their role, and includes specialized training programs you can offer automatically throughout the year. You can also supplement these trainings with other awareness options. You can even set up a collection of videos and awareness materials aimed at new employees, executives, IT staff, or any other roles, and then have these automatically scheduled throughout the year.
How to Maximize Your ROI from Cybersecurity Training
How can you ensure your cybersecurity training program is actually effective? Here are key tips for maximizing your investment:
- Variety. Experts agree that truly effective cybersecurity training for employees includes a variety of components, such as on-demand training videos, live instructor-led training, phishing simulations, chat reminders, contests, and more. See our checklist in the next section to ensure your cybersecurity training program includes key components.
- Frequency. Cybersecurity needs to stay top-of-mind for employees throughout the year. Annual training is simply not enough to meet today’s threats. Instead, make sure to plan regular, bite-sized training and awareness opportunities, which are more effective than infrequent, longer training sessions. Importantly, be careful not to bombard employees with too much communication: for example, staff may “tune out” email reminders that are too frequent. Make sure to routinely review your engagement and results in order to fine-tune your cybersecurity training and awareness frequencies.
- Quality. You need employees to be truly engaged in cybersecurity awareness training in order for it to be effective. To accomplish this, make sure your training program has high production quality and that the material is up-to-date and relevant for your team.
- Align with Your Policies and Procedures. Your training must be backed up by clear and effective cybersecurity processes. For example, your staff will be scammed by voice phishing attacks if you don’t have an effective process for vetting callers—not because they aren’t aware of potential scams, but because the “right” response according to your company policies may not be clear or effective.
- Share Real and Relevant Attacks. In cybersecurity, mistakes happen—whether it’s staff clicking on phishing emails or a minor cybersecurity incident. While these experiences can be painful, they are also learning opportunities for the organization. Often, security teams use actual phishing emails or real scams as examples in future training in order to demonstrate to employees that they really are targeted and illustrate actual consequences. When appropriate, sharing real examples can be a very effective means of increasing employee awareness.
- Consequences. More than half of organizations have formal consequences for employees that fail to complete cybersecurity training successfully, and an additional 26% are “considering it or will implement one soon,” according to Proofpoint’s latest “State of the Phish” report. Typical consequences include counseling from the employee’s manager or the infosec team, formal disciplinary action by HR, impact on the annual performance review, or simply removal of access to IT resources.
Checklist of Cybersecurity Training Components
Make sure your cybersecurity training for employees includes a variety of components in order to maximize effectiveness. Here is a checklist of items to include, along with tips for implementation:
1. On-Demand Training Platform
On-demand cybersecurity training has emerged as a foundation of effective cybersecurity training programs, for the following reasons:
- Scheduling Flexibility. Employees can watch videos and read materials on-demand, at their own pace and time frame.
- Formats. You can mix and match a variety of formats to address different learning styles, from video to newsletters.
- Assessment. Industry-leading platforms include quizzes and other forms of evaluation so you can measure the effectiveness of training.
- Adaptability. You can configure your training platform to provide follow-up training to employees that demonstrate gaps in their knowledge.
- Reporting. Routine reporting on employee performance and engagement can help you understand and communicate the effectiveness of your program, identify gaps, and adjust as needed.
Tight for time? You can outsource management of your on-demand training platform completely, and allow experts like LMG to set up your training, fine-tune it, and provide reports regularly.
2. Live Training Options
Human interaction is key to an effective cybersecurity training program. While on-demand is convenient, many employees are more engaged when there is a live instructor, especially if they have the opportunity to ask questions or respond to polls.
For remote and hybrid teams, a live webinar is a good way to supplement routine on-demand training, and ensure there’s an opportunity to answer any questions from your team. For in-person teams, consider a lunch n’ learn or similar live session. Whether you have an experienced CISO or fractional CISO who can conduct internal training or you outsource to an experienced cybersecurity trainer, offering a live training session once or twice a year can help to reinforce the importance of your program and key ideas.
Check out LMG Security’s free live monthly training webinars for fun and engaging live seminars that are open to all!
3. Phishing/Vishing Simulations
Simulated phishing emails are a highly effective way to measure your employees’ resistance to cyber attacks, while at the same time training them. They can also be very easy to set up—for example, the KnowBe4 platform offered by LMG includes built-in automated phishing simulations, which can be auto-generated based on the latest trends, or manually configured to test specific scenarios. You can configure the system to send random phishing simulations throughout the month or launch them on a specific date and time. Employees that click on the link can receive immediate feedback on their performance and get automatically assigned follow-up training.
Many platforms also include a “Phish Alert” button or similar plugin which can be integrated into Outlook or your email of choice, so users can quickly alert your team when they receive phishing attacks. As part of a phishing simulation test, you can train your staff to use this tool and also assess effectiveness.
You can also conduct fully customized phishing simulations, which can be useful for testing high-risk teams such as your Help Desk, Finance staff, and others.
Since voice phishing (vishing) attacks are on the rise, it’s becoming increasingly important to test your employees’ resilience to attacks over the phone. Consider conducting a simulated voice phishing attack at least annually, especially for high-risk roles such as customer-facing staff, finance teams and the Help Desk. Vishing simulations can help you identify gaps in both your caller authentication processes and your training.
4. Internal Chat Reminders
Does your team use Slack, Teams or other tools to chat internally? Make sure to include these in your cybersecurity training program for employees. According to Proofpoint, only 31% of organizations leverage internal chat channels for cybersecurity training, meaning there’s plenty of opportunity to ramp up. A monthly reminder from a key executive or leader within your company can really help keep cybersecurity top of mind!
5. News and Announcements
How does your organization share news and announcements? Whether you have an internal team web page, a company newsletter, or announcements at team meetings, create a schedule for regular cybersecurity reminders. Consider tying these reminders to a recent news article or trend, so that employees understand why cybersecurity is a priority today (and every day!).
6. Contests and Gamification
Cybersecurity contests and “gamification” strategies are fun and effective methods to increase engagement and awareness. These can be simple and quick, such as “spot the phishing email” contests where a prize is raffled off to employees that successfully report a phishing email. Many on-demand cybersecurity training platforms also support gamification, so that staff from different departments can compete to see who earns the most points for completing training.
Cybersecurity awareness training for employees has never been more important. With the rise of AI-enabled phishing messages, voice cloning, deep fakes, and more, employees need to stay alert all the time to resist scams and attacks. Make sure your cybersecurity training program for employees is effective by ensuring you include your whole team, provide a variety of training opportunities, and keep cybersecurity top of mind all year long. Contact LMG’s experienced team if you would like assistance with cybersecurity training, phishing, and awareness.