Employee training is best cyber crime protection
People can be greater part of defense solution than tech measures aloneJune 2nd, 2022
Cybersecurity is here to stay. However, there are large problems with how we see cybersecurity threats as rare, occasional awareness events and how businesses treat that risk.
Nothing can bring a business to its knees faster than a cyber breach that compromises connectivity, disrupts processes, or contributes to a loss of funds. Businesses must realize 90% of cyber crime can be traced back to human error, and there will be 6 billion phishing attacks this year targeting businesses of all sizes, according to CyberTalk.org. The only way to make a difference in the current epidemic of cybersecurity attacks is to increase the focus on the people of an organization, not just focusing on the hardware and software systems in place.
Helping people in an organization change daily behavior is important because cybercrime is on the rise. “In 2021, the average demand made by ransomware attackers was $131,000, and the average cost to recover from a ransomware attack was $1.27 million,” Max Pitchkites reports in Cloudwards.
Globally, a ransomware attack occurs every 11 seconds, according to a report from Agio Healthcare.
The Internet Crime Complaint Center, a division of the FBI tasked with receiving and tracking cyber crime, shows a huge increase in attacks since the beginning of COVID-19, indicating that cyber crime and the losses associated with it continue to rise. It’s not if your organization will be attacked, it’s when. If you live in Kansas, you know that tornadoes are going to come every year, and you are urged to prepare for those events because the risk is real. Business owners and leaders need to know that cyberattacks and breaches are a real risk and that there are ways to help prepare your employees for these events.
Leaders who believe it won’t happen to them are being naive. Attacks are up across all industries, with the most attacks occurring in the health care and construction sectors. In the past two years, 89% of health care organizations have experienced a data breach. If we look at the past three years in health care, over 93% have experienced a data breach, according to PrivacySharks.
The risk of human error is what needs to be fixed—or focused on—when it comes to cybersecurity awareness. And this change generally doesn’t happen overnight.
Improving behavior is built through incremental changes, which through time and reinforcement create the desired behaviors that minimize risk. It is impossible to lose 30 pounds by going to the gym for one hour once in January. Likewise, training employees once a year to improve critical behaviors isn’t achievable through annual let’s-check-the-box training. Creating positive behavior changes requires regular, consistent events that can be part of an organization’s culture, evolve with changing attacks, and focus on bringing companywide cybersecurity hygiene to a higher standard.
Our current state of increasing risk and mounting breaches would benefit from a brief history lesson from other industries looking for behavior change. W. Edward Deming is a famous U.S. engineer and statistician who, under the direction of General MacArthur after World War II, helped dramatically improve the manufacturing industry in Japan. In addition to developing the Deming Method, he wrote groundbreaking books and established the Deming Institute. One of the core features of the method involves helping every person within the manufacturing process own their area and take responsibility for continuous improvement. Daily meetings, signs, matrixes, and key performance indicators center on reducing a common goal and risk.
In Japan, this aided in perfecting the manufacturing process by creating a more efficient product at the end. There are lots of steps in manufacturing, so if you wait until the end to inspect, you end up disposing of the faulty part or product, resulting in wasted time, energy, and material. Instead, the Deming Method turned manufacturing into a continuous improvement process. Toyota would not be the company it is today without the Deming Method.
Cybersecurity needs to take a lesson from the Deming Method and have cyber education be a continuous process, always moving toward improved behavior, awareness, and engagement. Specifically focusing on the people, ownership, and education to make the behaviors throughout the organization change.
Today, most organizations still feel that the information technology team is responsible for cybersecurity throughout the organization. It’s akin to having the quality inspector in one of the Japanese plants mentioned earlier responsible for the poor quality of a product at the final quality inspection stage. It takes all of the individuals who work on the product to be part of the solution and own their part. Cybersecurity needs to have everyone in their own roles and responsibilities own their part of the solution. When an organization makes the mental shift to giving all employees the responsibility for continuous improvement, a dramatic shift will occur. Behavior change and ownership of responsibility will replace the checkbox mentality created by a yearly, dry training. Training needs to be engaging, individualized, and consistent.
The individual is where the greatest risk—and potential for the greatest strength—is. The people in the process can have the largest impact on lowering or improving the cyber risk of an entire organization. Any business owner or company executive should reflect on these questions:
•Does your organization communicate and train employees in cybersecurity and compliance at least every month?
•Does your organization allocate resources, time, and funding to make cybersecurity a focus and priority?
•Does your organization include specific cybersecurity training unique to the company or does it rely on general cybersecurity materials?
•Is the training endorsed, promoted, and used by the leadership of the company?
There are now resources and platforms on the market to help both small businesses—under 100 employees—and medium to larger organizations run custom, easily managed, and well-reported programs to reduce the risk of a cyberattack being successful. New platforms and resources can offer all organizations the ability to train, customize and deliver content weekly and monthly.
Depending on the organization, the security or IT team can manage cybersecurity training, and it can also be assigned to a training or human resource group. No matter who has the management role of a program, they have two choices: Build a custom training program in-house or use an existing training platform with up-to-date content as a baseline in managing a program.
Over the past 10 years, many companies have entered the market. Most of those vendors are attached to large cyber hardware companies, with a few vendors solely focused on the training of employees and staff. Often, the decision on cybersecurity training is evaluated on cost. This area of products and services isn’t a commodity. There are a lot of variables that can make a huge impact in reducing the risks of the organization. When evaluating cybersecurity platforms, here are a few key areas to think about beyond cost.
Is the platform:
•Rewards focused, not scare tactics?
•Easy to administer?
•Easy to add the organization’s own cyber policies and content?
•A cadence of daily or weekly information?
•Smaller doses of information that build upon themselves?
•Centered around group achievement, rather than just individual tracking?
•If a phishing platform is integrated, is there real-time training immediately after phishing?
All organizations need to realize that cybersecurity is here to stay. Accept the fact that attacks and incidents are going to increase the risk of a cyber breach. These cyber breaches can and will compromise the processes and financial stability of any size organization.
Businesses must realize 90% of the cyber crime can be traced back to people and the decisions that general employees make. The largest single area of focus for leadership should be on the training of employees. Human error is at the root of cyber crime and demands the focus from IT and leadership teams.
As numbers of attacks and specifically ransomware numbers climb, leaders should think more on what resources they are giving to training employees and how this will help reduce the risk to the organization. People are the key. Focus on the employees and staff. The problem with cybersecurity is that the “people” part of the solution is often overlooked. Training an organization’s staff and employees is the biggest area of effective behavior change that can really reduce the risk for businesses of all sizes.
Heather Stratford is the CEO and founder of Spokane companies Drip7 Inc. and Stronger International Inc. and has expertise in cybersecurity and IT training. She can be reached through LinkedIn or other social media.