Many companies start the new year with ambitious goals in mind, so they ramp up hiring in the 1st quarter to help fulfill their objectives. HR will do the recruiting and then oversee orientation and compliance training on a variety of topics to help the new hires settle in, including cybersecurity awareness education. But despite these efforts, employees remain the weakest link in cybersecurity defense.
That’s a problem because the cost of a data breach is staggering—in 2017, the average cost was $3.6 million worldwide, and a 2018 study found that employee negligence was the primary culprit in data breaches. A Dell end-user security survey underscored the scope of the challenge, finding that although most employees receive cybersecurity training, 72% are willing to share confidential information.
Even when employees receive annual training and understand the importance of protecting company data, many still fall for phishing scams, business e-mail compromise schemes, and other hacker strategies. So, what can HR departments do to reduce data breach risks for their companies in 2019? Rethinking the current training program might be the answer.
In many companies, the IT department conducts security awareness training. Some IT pros do a great job, but too often, IT-led employee training focuses on cybersecurity through the IT lens and fails to emphasize the human element. New employees have a lot coming at them. Security awareness can feel like just another boring compliance requirement, unless it’s done right. Here are three tips that can help:
- Make it real: Cybersecurity training should address the human element, taking into account the psychological, behavioral, and economic aspects of hacking. It should also be tailored to employee demographics, taking into account staff age, levels of technical expertise, and other factors. The risks should be described in terms employees can understand, emphasizing the threat not only to company data but also to personal bank accounts, family and social media information, etc.
- Make it sticky: Let’s face it: Cybersecurity training sessions can be boring, cheesy, or both. But they don’t have to be. HR can form an alliance with the marketing team to create fun, informative presentations that attendees can relate to and remember. Make modules short and entertaining. Most of all, make training actionable, with information employees can apply in their everyday lives, on and off the job. Eye-catching graphics and copy can make cybersecurity training sticky.
- Make it measurable: Employees will take cybersecurity training more seriously if they know they’ll be tested on their knowledge. Consider staging an ethical hacker phishing test or allowing an unescorted visitor to test workplace defenses. Testing not only gives employees more of a stake in retaining their cybersecurity training, it also gives HR a baseline against which to measure the success of future training sessions, which allows for continuous improvement.
As the endless parade of headlines about high-profile data breaches makes clear, the threat from hackers isn’t going away. In fact, cybercriminals are turning to more sophisticated techniques to ensnare unwary employees, such as phishing scams where hackers impersonate company CEOs and trick employees into revealing W-2 information. An updated cybersecurity awareness training program can help employees avoid falling for these schemes.
With these three techniques, HR can make training more interesting and memorable, which will reduce the risk of a costly data breach. Another indispensable part of a mature cybersecurity program is participation at all levels. When employees see executives and other key influencers within the company taking cybersecurity seriously, they’re more likely to regard good security practices as a core part of their job responsibilities, too. That’s the beginning of a cultural change that puts cyber safety first.
Jonathan Steenland is the chief operating officer for the National Cybersecurity Center (NCC). NCC is a nonprofit organization that provides cybersecurity leadership, services, education and training, and a cybersecurity community for public officials, business executives, and the workforce.