Cybersecurity training is absolutely critical to ensuring that your business remains secure and that unexpected doors aren’t left open for hackers to gain access.

A Stanford University study entitled ‘The Psychology of Human Error’ found that 88% of all data breaches are caused by employee error. The Global Risks Report from the World Economic Forum puts this statistic even higher, at as much as 95%.

People present the biggest risk to an organisation’s security posture, but they can be its biggest asset. With the right training and consistent reminders, people can move from being a vulnerability and a risk vector to a human firewall that protects the business from harmful threats.

“Cybersecurity awareness is one thing, companies are obliged to ensure that their employees are aware of the risks and what the different risks actually are,” says Martin Potgieter, CIO of Nclose. “They need to know how their poor password choices affect the security of data and systems, they need to understand what a malicious website looks like and when they should be wary of entering personal information into forms or websites. There are a lot of digital security boxes to tick, and every person in the business should know about them and how to tick them properly.”

When people are constantly and consistently reminded of the security risks, they are more aware of their actions and how these actions can impact the business and their own personal security. This is essential, especially when looking at how different personality types respond to different forms of security threat.

For example, the person who’s always looking for a good deal can be easily lured by a phishing email that promises a magnificent discount, while the person who reacts with fear can be caught by an email from the bank that tells them their account will be frozen unless they enter their details right now. These are clever hooks and buttons designed to make people make mistakes, but they can be managed with the right training.

“It is quite frustrating for IT people because they are going, ‘Wait, I taught you not to do this and you just did it again’,” says Potgieter. “It seems like a simple thing on the surface – don’t click the links – but you’re actually dealing with different people, that have had varied experiences and backgrounds. Which means you need to keep reminding them of the risks and how these risks are presented. If you keep on with training and awareness, the differences are tangible. People stop themselves, they think for a moment, then they act, or not.”

Without training, the business is setting itself up for failure. You can have the most expensive firewall, the best managed security services, the most extraordinary anti-virus solution and the most up-to-date zero trust framework and every one of these systems will be bypassed when someone clicks on a link, shares their password and lets an attacker into the building through the back door.

“Training also needs to be extensive and expansive,” says Potgieter. “Core cybersecurity awareness training should cover the main security breach points – such as passwords. People still use easy or familiar passwords without realising how easy they are to crack. Once a hacker targets someone in a business, they can use readily available social media information to start guessing passwords, and this is a quick and easy way for hackers to get into the entire business.

“Training, reminders, consistency and awareness,” concludes Potgieter. “These are key parts of any security strategy. If people remember the risks and understand the impact, they will become part of your security solution, not part of the problem.”