Should your business have a cyber security training program? The answer is yes, and it doesn’t matter what industry you are in or if your business is large or small. In fact, 43% of cyber attacks are against small businesses. Companies of all sizes in all industries are increasingly the targets of cyber attacks, and the cost to respond to an attack is rising every year.

In 2022, many different types of cyber attacks are predicted to increase, ranging from supply chain attacks to attacks on hybrid workplaces to more sophisticated ransomware attacks. Here are some of the cyber security facts you need to know [1]:

  • A successful cyber attack causes a data breach when hackers gain access to your company data. In 2021, the average cost of those attacks was $3.86 million. That cost increased in 2021 to $4.24 million.
  • If a data breach involved remote work, the cost was an average of $1.07 million higher than if there was no remote work.
  • Human error accounts for 95% of successful cyber attacks.
  • Hackers exploiting vulnerabilities resulted in 3% of data breaches, while there was a human element in 85% of breaches.
  • Stolen or misused credentials that allow employees to log in to business systems were a factor in 61% of data breaches.
  • Phishing emails are a common hacker tool, and 20% of employees will be prone to click on links in those emails; of those, 5% will enter their credentials on a phishing website.
  • A zero trust cyber security strategy will reduce the average cost of a breach by $1.76 million.

The fact is that your employees are the weak spot in your cyber security strategy. To complicate the issue, remote work increases that threat because employees working from home introduce new vulnerabilities into the equation. A cyber security training program is no longer a luxury; it’s a necessity.

Why You Need a Cyber Security Training Program

Cyber security awareness training consists of educating your employees about the types of cyber threats, how to spot them, and how to avoid them to keep themselves and the company safe. By arming your workforce with knowledge, you can turn them from the weakest link in your cyber security strategy to effective participants in the war against cyber threats. The benefits you’ll receive far outweigh the effort you put into that training. Your workforce:

  • Will become more aware of the threats that exist and the devastating toll a successful cyber attack can take on them and their livelihood.
  • Will be more confident that they can carry out their role in preventing cyber attacks, which will keep your systems running.
  • Will become more aware of the importance of ensuring compliance, and they’ll be more careful about how they handle sensitive data.
  • Will become partners in helping you to reduce cyber threats.

Customer confidence is another benefit you’ll see from avoiding cyber attacks. Even if a successful attack is easily managed, customers are paying more attention to attacks at every level. According to Ponemon Institute [2], a company’s share values dropped by 5% after the announcement of a data breach. Further, 31% of consumers stopped doing business with companies affected by breaches, and 65% lost confidence in those companies. Training your workforce to avoid cyber threats is a wise strategy for every company.

How to Create a Cyber Security Training Program

Your training needs to be more than offering a Cyber Security 101 Training course on a periodic basis attended by employees with an interest in cyber security. To be effective, you need a program that is incorporated into your company’s culture. Follow these steps to make sure your program meets your needs.

1. Get Support From C-Level and Senior Leaders

You need support from your leaders for two important reasons. First, your employees need to know that senior management thinks cyber safety is critical for the health and growth of the organization. Employees always pay more attention to the things their company leaders talk about, and that attention encourages participation. You’ll also need support for setting policies and procedures that will reinforce your program.

The second reason is that you will need support for a training budget, and your employees will need to be allowed time to attend training and/or complete training modules. In fact, you may even need to make the training a requirement, regardless of how busy they are with other projects. Without leadership support, those things will be difficult to accomplish.

Therefore, your training should start with company leaders. They need to understand the cyber threat landscape, the repercussions from a successful attack, and the role that they and your employees play in preventing cyber attacks. You can then get their support for creating a program that will be effective in reducing your risk. It’s often helpful to give the program a name so that you can refer to it as a company initiative.

2. Conduct a Risk Assessment

Every company is different when it comes to cyber security. Assess your systems to determine where you have the highest risks to help you prioritize the topics you need to emphasize in your training.

For example, is your company using a remote or hybrid workforce approach? If so, your risks are higher and you’ll need to put more emphasis on how employees access your systems, the devices they use, how they maintain login security, and more.

3. Obtain Support From Key Departments

Several departments should be involved in creating a cyber security training program. You’ll need allies in Information Technology, Human Resources, and, if you don’t have standalone departments, those individuals responsible for legal and compliance.

4. Develop a Communications Plan

You’ll need to keep key players aware of the progress you’re making with the training and the results you’re seeing. Keep the entire workforce involved by publishing articles in a company newsletter or posting updates in company online resources. Solicit feedback from the organization to determine what they like or dislike about the training and suggestions for improvement.

How to Design Your Cyber Security Awareness Training

Choose a training approach that makes sense for your company. Consider your company’s size and culture to determine if your training should be in person or online. Also consider the type of terminology and examples that most of your employees will understand. Not everyone wants a gaming training approach, but it does need to be high quality, interesting, and easily accessible.

Include an overview of the cyber security landscape and the impact a serious cyber attack can have on your company and your employees. Messages from senior leadership concerning the importance of taking cyber security seriously will also help to set the stage.

Cyber security awareness training can cover a wide range of topics. For each topic, be sure to include the actions the employee needs to take if they believe they’ve found a threat. These are the most important topics to include in today’s environment.

Email Threats

One of the most common ways hackers gain access to data is using your email system. Train employees on how to spot phishing emails. Reinforce the fact that they shouldn’t click on any link in an email or open an attachment unless they know the sender.

It’s also important to cover the topic of lateral phishing, where a hacker takes over the email account of one employee and then sends phishing emails to others. It may be difficult to convince employees not to respond quickly to requests in an email from their supervisor, but they do need to stop and consider whether the request makes sense.

Passwords

Emphasize the importance of setting strong passwords and changing them regularly. Set a standard for using unique passwords for each account they access and using different passwords for personal and business accounts. Include information about the dangers of using open authorization (OAuth) to reduce the number of passwords they use. For example, many authentication processes will offer the ability to log in using Facebook or Google credentials.

Data Security

Make sure that employees understand how and when they are accessing sensitive company data. Reinforce the need to limit access to that data and to avoid sharing sensitive data in an insecure manner or sharing with people who don’t really need access.

Working Remotely

If your employees are working remotely, either as part of a hybrid workforce model or just from their mobile device when they are out of the office, it’s imperative that you address how to do it safely. Follow best practices for remote work, but what you teach will depend on how your remote workers are set up. You may need to discuss their devices, how they access central servers or the cloud, how they use WiFi, and more.

Also train on physical security. Leaving a laptop unattended while an employee gets a refill of a drink in a restaurant could be a problem.

Third-Party Software

You probably work hard to avoid shadow software, but if your employees use third-party software that is either sanctioned or unsanctioned, train on the threats they could be exposed to.

The Cost of Cyber Security Awareness Training

The cost of cyber security awareness training will vary depending on the size of your company and the partner you use to develop and present it. It could range from $10 to $60 per employee per year – and sometimes more. That’s a very inexpensive cost when you compare it to the alternatives.

For example, consider the statistics surrounding phishing attacks [3], a type of attack that is directly related to human error. These are just some of the effects experienced by victims of a successful phishing attack:

  • 60% lost data
  • 52% had compromised accounts or credentials
  • 47% of those affected became infected with ransomware

And, according to IBM, a data breach caused by phishing attacks cost victims an average of just over $4.5 million. That makes the cost of training look like a rounding error.

There’s no doubt that cyber security awareness is critical given the number of cyber security threats that exist and the consequences of being a victim. As cyber security experts, Access One can partner with you to help you assess your risks, monitor your systems, develop a disaster recovery strategy, and train your employees. To keep your company safe from threats, contact Access One today.

Sources

1 | https://www.cybertalk.org/2021/12/02/alarming-cyber-security-facts-to-know-for-2021-and-beyond/

2 | https://www.hipaajournal.com/ponemon-study-reveals-impact-data-breaches-organizations-reputation-8846/

3 | statistics surrounding phishing attacks