[BreachExchange] Why it’s important for organisations to train staff in cybersecurity

[Destry Winant]

https://latesthackingnews.com/2019/01/27/why-its-important-for-organisations-to-train-staff-in-cybersecurity/

Breaches are an ongoing issue that organisations face on a day to day
basis. For as long as risk carries a level of uncertainty, preventing
it is hard to do. But there is a difference between accepting this
fact and doing nothing about it and accepting this fact and using all
reasonable efforts to mitigate breaches from taking place. One of the
measures observed in practice that organisations are failing to take
is in training staff on cybersecurity. Here are just some of the
reasons why the efforts of training staff requires more attention.

Social Engineering

Cybersecurity is beyond the IT team as staff play a significant part
too. As the drivers of an organisation, hackers commonly use them as
vectors. This is especially evident when we look at the cyber kill
chain’s first stage. It requires gathering information about the
target. Here are where they exploit weak spots to obtain relevant
information to carry out intended attacks. Hackers use social
engineering as just one of the tactics but it is the most common as
they can deploy it easily. They know about the lack of training that
exists amongst staff in general and it sometimes just takes targeting
one person.

It is important for staff to be aware of social engineering because
together they make up more than the Board and IT team. Examples of
areas organisations should elude staff to include social media content
and being manipulated into allowing unauthorised visitors onto the
work site. In addition, phishing emails are still on the rise,
advancing each time and show no signs of slowing down anytime soon.
Staff need training on avoiding being targets of this.

Human error leading to breaches

Recent articles have referred to significant flaws within
organisations. As Kaspersky Lab’s recent article reveals, it still
stands as one of the highest causes of breaches yet is dealt with so
poorly. Organisations are not learning from other organisations’
failures reported publicly. One being with Gloucestershire Police
whose employee accidentally emailed personal data belonging to victims
of child abuse to unintended recipients. This is the most crucial
reason as to why training is so important. Not only can errors occur
from sending emails to the wrong recipients, but also by using
compromised removable media, losing mobile devices containing business
data and poor security management around these devices.

Other Benefits

Staff training should be part of an organisation’s cyber hygiene to
help maintain security. Benefits of implementing training will allow
the following:

Staff will know what is vital information to share and with whom

The more knowledge staff have the more they understand and enables
staff to adopt it into their everyday operations. Cybersecurity
requires a team effort as well as staff individually taking
responsibility for their actions when dealing with data. An example is
with software and applications. Departments tend to download and use
tools that will aid with daily tasks that IT are not aware of. This is
known as shadow IT. If the IT team do not know the software exists, it
is hard for the team to maintain security within the organisation. If
staff are made aware of the need for security and dangers around
potential extensions and applications, they will know when to liaise
with the IT team and other relevant employees.

3 Important factors to consider when implementing training programmes

1. Have training for staff from the Induction stage and maintain it
throughout their employment life cycle.
2. Have an online communal area, that allows staff to continue to
engage in the topic. They can also share knowledge and best practice.
It is crucial to have someone lead this to keep the momentum of
discussion going. An organisation can additionally carry out workshops
where necessary, if possible and where there are resources to do so
3. IT or the in-house person responsible for IT, must receive adequate
training themselves to lead in maintaining security and be the point
of contact for staff queries. IT staff should also be aware of the
common threats and its developments to provide the organisation with
appropriate technical and network security.