The Critical Role of Employee Cybersecurity Training
Mo Katibeh
Transformational Business & Technology Leader | Global Executive | Board Member | Advisor | Investor | COO | CMO | CPO
I recently had the opportunity to represent AT&T Business as a contributor to a new book about cybersecurity called The Digital Big Bang: The Hard Stuff, The Soft Stuff, and The Future of Cybersecurity. This collective work was brought together by Phil Quade, a friend, former Chief of the NSA Cyber Task Force, and current CISO at Fortinet. Phil reached out to us and other security experts across industries and regions to gather their experiences and expertise into a single security resource. For our chapter, we focused on the value of employee training as an important defense against cybercrime.
The Value of Cybersecurity Training
At AT&T Business, we deal with all areas of cybersecurity. We like to tell our business customers that any strategy that doesn’t account for the people working in the organization is likely to fail. While almost everyone is now aware of scams and phishing, many still often click on malicious links and infected files in their email!
And this simple act can bypass all of the elaborate security planning and technologies that an organization has put in place and bring their operations to a staggering halt. Not with the latest, most sophisticated attack, but with one innocuous-seeming but convincing email. It’s the sort of thing that keeps business leaders up at night.
According to one recent study, 91% of cyberattacks and resulting data breaches begin with a phishing email. That’s just astounding! So why aren’t companies doing everything they can to prevent this? Training users to identify potentially dangerous emails and simply not click on links or open attachments seems like an obvious strategy. But for too many organizations, it’s not.
If Your Organization is a Target, so are your Employees
Security is a huge concern for us at AT&T because we are a constant target. Every day, every hour, every minute, we face relentless attempts to disrupt our business, steal information, or otherwise wreak havoc on our network. And if we’re a target, that means our employees are a target.
This is true for every organization, and it’s where the conversation needs to change and evolve. And the risks go well beyond phishing attacks. The use and risks of shadow IT, social media, and mobile devices are equally challenging.
Of course, employees shouldn’t be seen as security liabilities – they are part of the solution! You just need a plan for turning them into a critical part of your cybersecurity risk mitigation strategy.
What is it worth to build and implement a plan to educate your employees about cyber risk? There’s a good chance that whatever value you place on it, you’re underestimating it. One wrong click can mean millions of dollars’ worth of losses, along with your brand value, reputation, and even the company’s ability to survive.
Engage Employees by Helping Them See We’re All In This Together
It starts by helping your employees realize that they are an essential part of the organization. This gives them a sense of ownership and responsibility that will often cause them to think twice before making an offhand mistake. Making that happen requires an effective training and education program that provides employees with the opportunity to:
- Understand, even at a basic level, what the threat landscape looks like and acquire good cybersecurity habits they can use to address those threats.
- Embrace their role in mitigating risks. Good security behaviors can’t be something they feel are burdensome, or they won't practice them. They need to understand the context and significance security plays within their own specific roles, including an awareness that cyber incidents affecting the organization also affect them.
- Practice effective cybersecurity-focused behaviors consistently and vigilantly so they become muscle memory.
A good approach is to promote the reality that “we’re all in this together.” The cybercriminal community has an army, so the employees need to act like an army. It also helps when tips and tactics have broader applications. You can keep employees engaged with a regular cadence of interesting and relevant topics like detecting suspicious links, retaining sensitive docs, and safe social media behavior that they can apply at work as well as at home.
Common Elements of Any Security Training Program
While any awareness plan should be unique to your organization, the best ones generally tend to include these three elements:
- Starting at the Top. We see the most impact when CEOs, board members, and top executives all lead by example. They need to embrace good security practices publicly and then practice what they preach.
- Sharing the Responsibility. Create a steering group that includes members from across your organization, including leadership.
- Training Your Users. Develop security awareness courses to teach people about topics like how to avoid phishing attacks and safely use social media. Supplement that training with an awareness campaign that includes a regular cadence of posters, email, and even short infomercials that require a quick acknowledgment.
Together We Are Stronger
Herd immunity is why many horrible diseases that plagued humanity in the past no longer exist. And everyone working together is still the best way to prevent many of the problems that plague our modern digital society. Inoculating our networks—and digital lives—from cyberattacks, however, will take a little more than a simple vaccine. It will require innovation, cooperation, and embracing and adopting new technology.
But perhaps most importantly, it means learning. Start by learning how you’re vulnerable, make simple changes, and share those insights with others. Then, repeat the process.