The human factor: can workers be taught to avoid mistakes?


We have long said that technology alone is not enough to protect a company from cyber threats. A single person can undo the work of an entire IT security department. In many cases this is not intentional; it results from a lack of basic cybersecurity knowledge, a lack of awareness of threats, or simple carelessness. This is why many companies (according to our data, about 65% of them) have already invested in cybersecurity training for their employees.

However, complications can always arise. The person who decides that staff awareness should be increased is not always the one responsible for organizing the training. And while the first person sees the problem, the second may not understand what cybersecurity training should consist of, how to train staff, or even why it is needed.

Understand the problem

Imagine your job is to raise awareness about cybersecurity. What, in your opinion, is it about? To find out, together with the research company B2B International, we collected information from 5,000 companies around the world. We checked how they perceive this problem and what impact, in their view, individual employees have on specific cybersecurity incidents. In short, the situation looks like this:

  • 46% of incidents last year were related to the accidental breach of cybersecurity rules in the company by employees.
  • Of the companies that dealt with malware, 53% said the infection might not have happened if it weren’t for the actions of an inattentive employee, and 36% blamed it on social engineering, that is, someone deliberately manipulating an employee.
  • Targeted attacks involving phishing and social engineering achieved a success rate of 28%.
  • In 40% of the cases, employees tried to cover up the incident, increasing the damage and exposing the company to even greater security issues.
  • Almost half of the respondents are concerned that their employees will inadvertently reveal company information via the mobile devices they bring to work.

The full text of the study is available in English. The report comprehensively answers the question of whether it is worth increasing awareness of cybersecurity.

How to teach cybersecurity awareness

How we do it also matters. There are many courses, lectures and workshops available. However, training takes time and money, so you need to make sure it will actually be effective.

Take, for example, the problem of concealing an incident. You can hold a meeting with employees and tell them that reporting such incidents is important. They will likely reply that they understand, and then continue to conceal incidents in the hope of avoiding responsibility.

Therefore, it is better to understand the motivation behind their actions first. In many cases, employees have been informed by their managers or IT security officers about strict rules, but the rules have never been explained. Sometimes management and the information security department also need training, specifically in how to explain the rules.

Know what to teach

To avoid being overwhelmed by today’s complex cyber threats, a company must act as a healthy organism, with different departments having different tasks and different areas of responsibility. Naturally, this means they have to learn many new things. The company’s management must be aware of the risks and understand the potential costs associated with them, both financial and reputational. Middle management and the departments responsible for information security must have thorough knowledge of emerging threats and be able to take actions that increase cyber resilience. In addition, they must be able to communicate properly with the rest of the staff. For specialists, knowledge of the risks is less important than the ability to avoid them.

Therefore, our approach to training distinguishes between personnel by rank and function.