The pandemic set off a major shift toward remote work across the globe. As of May 2023, nearly 8% of employees work from home full-time, while more than 25% work a hybrid model. While many employees enjoy the flexibility that WFH brings, the use of employee-owned devices, unsecured connections, and improper device usage leaves companies vulnerable to a host of network intrusions. This is why training employees on cyber security is a must.
Why is training employees on cyber security important?
When it comes to cyber security, you must take a proactive approach. According to the National Institute of Standards and Technology, organizations “should assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.”
Here are three quick statistics that highlight the importance of training employees in cyber security awareness:
- 95% of cybersecurity issues are caused by human error.
- There is a hacker attack every 39 seconds.
- The global average data breach cost was $4.45 million in 2023.
How to train employees on cyber security: 10 tips for success
To minimize the risk of a network intrusion, you need to bolster your first line of defense against external threats: your employees, trained in cybersecurity best practices. Here are our expert tips for how to train employees on cyber security, both in-person and remote.
1. Develop a cyber security policy
It’s hard to get your employees to follow the rules if they don’t know what they are. The question is, do you know what they are?
The first step to training employees on cyber security is developing a company-wide cyber security and device policy. These policies should be formally documented and shared with all employees upon hiring. But don’t let it stop there. Engage employees in discussions about security policies periodically throughout their employment, and test them regularly to ensure ongoing adherence.
2. Help your employees understand cyber security
The next step to getting employees acquainted with cybersecurity education is to outline a clear message about your company’s cyber security policies, training, and plans in place. Such a message needs to be understandable, relatable, and diversified.
- Understandable – Avoid technical jargon that may confuse employees and cloud your message. When possible, use simplified terms that are accessible to the non-tech-minded layman.
- Relatable – When talking about external threats, make it less about the central network and more about personal computer safety and home network intrusion. This way, employees can personally relate to the danger if it’s framed in terms of their phone or laptop. This enables them to have a personal stake in the security plan: no one wants to be the reason for a data breach that affects the whole company.
- Diversified – A simple email outlining everything may not be enough. Think about how many emails the individual employee receives. By diversifying your communications strategy, you can ensure that employees read the message instead of dismissing it as just another announcement.
3. Make following protocol a priority
In the event of a data breach, it’s important for employees to know the proper protocol. This should include steps such as reporting any suspicious activity, changing passwords regularly, and keeping software up to date. Make sure these protocols are clearly communicated and emphasized to your employees.
In addition to external threats, educating employees about internal threats is crucial. This includes actions such as sharing confidential information with unauthorized individuals or using company devices for personal use. Creating a culture of security awareness within the company makes employees more likely to report suspicious behavior, whether from their colleagues or from themselves.
4. Provide regular cyber training and updates
All employees should undergo cyber security training during their onboarding process, but regular refresher training is just as important. Cyber security training should cover potential threats and how to prevent them, including phishing scams, social engineering tactics, and malware protection. It's also important to have a designated IT team or individual who can handle any security incidents that may occur.
And on that note…
5. Take advantage of online cybersecurity courses
There are plenty of online resources for training employees on cybersecurity awareness, and not all of them have to be paid.
For management:
- The FTC (Federal Trade Commission) website has educational resources for small business owners and managers. They also have cybersecurity quizzes to test what you learned.
- This cyberdefense learning toolkit from the Department of Homeland Security is specifically designed for small business owners as well.
- The Center for Internet Security’s 20-step organizational control program teaches good cyber defense habits, identification of suspicious behavior, and generates a skills gap analysis.
- The Federal Virtual Training Environment provides a comprehensive 6-hour course for managerial-level members, divided into 30 modules.
For employees:
- The National Institute of Standards and Technology has a list of free and low-cost online training content specifically designed for employees, including webinars, short courses, quizzes, and certification.
- This webinar series from the National Cybersecurity Alliance releases one video every other month, starting in November 2019, and ending in November 2020.
- ESET offers a free one-hour training course that teaches best practices for remote employees. The paid version includes dashboard tracking of employee progress, a phishing simulator, and certification and LinkedIn badges.
- FEMA’s IS-0906 course on workplace security awareness takes only 1 hour and tackles risks, prevention measures, and response actions for remote employees.
5. Encourage taking great care of your devices
A Forrester survey found that 15% of company breaches are caused by lost or missing devices. Whether it’s a corporate or personal device, training your employees about cybersecurity includes bringing awareness that their gadget acts as a gateway to your organization’s network. This makes it important to take care of their device and use it properly, even in the confines of their home.
Help increase good device ownership by conducting the following:
- Teach the difference between personal and corporate usage.
- Make it mandatory to have a work account that’s subject to monitoring, restricted installations, and web filtering.
- Beware of old-fashioned loss and theft.
- Make sure security patches and OS updates are followed.
A device management and monitoring solution, such as our Multi-OS Device Remote Management, can help mitigate risk by automating update pushes and tracking the device’s status and location at all times. But this should only serve as a backup; responsibility for end-user security best practices should rest with the employee.
6. Teach employees how to spot suspicious activity
Sharpen your employees' ability to spot suspicious activity, and with it their cybersecurity awareness, by teaching them to watch for the following signs:
- Sudden appearance of new apps or programs on their devices.
- Strange pop-ups during startup, normal operation, or before shutdown.
- The device slows down.
- New extensions or tabs in the browser.
- Loss of control of the mouse or keyboard.
Encourage your employees to report suspicious signs immediately. Even if it turns out to be a false alarm, it might still be beneficial to the employee by clearing up errors in their device that hamper productivity.
7. Reinforce confidentiality
Working from home tends to make people more complacent, and that complacency extends to cybersecurity. Drill the importance of passwords and authentication even when they work in their PJs. Just because they’re relaxed doesn’t mean security has to be. To avoid cybersecurity threats regarding confidentiality, train your employees by conducting the following:
- Enact periodic and unique password changes.
- Teach employees about the dangers of reusing one password across accounts, and use real-world examples from past data breaches. They might even want to check whether their personal account passwords have been pwned.
- Discuss the rationale behind VPNs, multi-factor authentication, and other secure log-on processes and why they are important (despite being time-consuming).
- To combat unsecured storage of company data, provide concrete examples of stolen data incidents caused by an errant thumb drive or compromised personal Dropbox account.
8. Examine individual cases of cybersecurity breaches
Unlike an office environment with a controlled network, your employees’ home computer security can vary widely. Some may connect through their home Wi-Fi, while others may use the public Wi-Fi at a coffee shop. Some may have older devices that no longer receive security patches. Address those concerns by:
- Encouraging employees to use their company-provided devices. If it’s BYOD, check the device brand and model year to see if there are outstanding exploits.
- Doing a security sweep of home networks. For example, some older routers may still use the weaker WEP protocol instead of WPA2, and some may even have the default password!
- Paying attention to nomad employees and devising a security policy for them, since roaming data and public Wi-Fi hotspots bring their own threats.
9. Require backup of important data
Emphasize that data belongs to the company and must be backed up regularly to prevent loss in case of device failure or cyber-attack. Encourage employees to use company-provided cloud storage solutions or external hard drives for backups—never their personal devices—and remind them to back up their work at the end of each day, especially if they have made significant changes or additions. Here are some tips to keep in mind:
- Regular backups are a vital part of maintaining good cybersecurity practices.
- Provide information on how to set up automatic backups using software programs or built-in features on devices. This can help ensure that important data is always backed up without requiring manual intervention from employees.
- Encourage employees to periodically check their backup files to make sure they are intact and usable in the event of a cyberattack.
10. Make cybersecurity awareness an ongoing conversation
On average, corporate workers spend up to a quarter of their workday on email-related tasks. This makes a one-shot email message about cybersecurity a poor choice, since employees may not appreciate its significance or absorb the information in one sitting. Here are some best practices for outlining a cybersecurity announcement to your employees:
- Use different approaches to cybersecurity education, such as regular announcements or newsletter updates.
- For each update, follow the KISS rule: Keep It Short and Simple. This way, they can glean the message and retain the information amid their hectic day.
- Follow current trends. If there’s a new type of crypto-malware or exploit that crashes phones with a single message, make sure it reaches your members.
- Use eye-catching tactics each time to get them to absorb the message. Instead of listing dry statistics or do’s and don’ts, try colorful infographics. For long topics, try a video explanation.
- You can even try cybersecurity tests to see if the lessons stick. For example, as part of its email safety education, HP sends out test phishing messages and congratulates employees who report it to IT.
Final Thoughts
Training your employees about cybersecurity awareness allows them to understand how they play a role in protecting your company. Rather than being just another cog in the organization, they are the first set of eyes that guard against external threats.
Effective cybersecurity awareness relies on clear communication and continuous education for a robust defense against evolving security challenges. Encouraging vigilance and good cybersecurity awareness is something your employees will carry well beyond the confines of the office.