According to HR Magazine, organizations that invest $1500/annually in a formal training program see 24% higher profit margin and an increase in employee productivity. While this is a great reason to train your people, the fact that 60% of small businesses close within one year of a cyber-attack or that a Ransomware attack, on average, can cost a business $133k is in my opinion a more pressing reason. I admit, I am comparing performance training to cyber security training. Both are very important! IT and business leaders must evolve their beliefs that employees should know better and that the thousands of dollars in technology will prevent attacks. Please note that I am not suggesting that organizations do not need security tools in place. Firewalls, end-point protection, NAC, CASB, UEBA, etc. are all vital components needed to defend your systems and data. But attackers are looking for the chink in the armor…they are targeting employees who can bypass your defenses with a simple click of the mouse. People-centric attack is the number one attack approach.
To those organizations that are frustrated with the poor results from phishing exercises…have you trained your people? It is unrealistic to expect that employees with little understanding or exposure to cybersecurity, should know what to do…or what not to do.
Now let’s talk about training. For those organization who can afford it, online training is a fantastic mechanism to reach the masses. Online training solutions provide the ability for employees to train at their convenience, regardless of location. These solutions provides short modules, designed to be on-going, engaging, relevant and digestible. But this approach may be financially challenging for some companies and may not be ideal for those employees who are doing five other things at their desk, while the video runs in the background.
Another option is live, onsite training. This approach provides the personal, human touch where employees have an interactive experience and can ask questions. Of course, this too has its challenges around scheduling and reaching remote workers.
In my opinion, the ideal solution is a combination of the two options. Source 44 can customize a 40-60-minute live session which focuses on cyber security basics and meets the needs of the business and its employees. Follow this session with regular online videos that dive deeper into specific topics, which were introduced during the live session. Every six months perform a phishing and/or social engineering exercise to determine the effectiveness of the training, and of course to justify the spend to senior management. Wash and repeat. Some employees may respond better to one method over the other. Annual live session can be performed with more advanced material. The best of both worlds.
Phishing attacks have increased by 65% since last year and account for 90% of data breaches. Companies that fail to equip their employees with the knowledge to defend themselves and the organization, will undoubtedly fall victim to an attack. It is just a matter of time.