The lack of cybersecurity and employees who know how to use it can endanger your company. Are you ready to lead the charge towards workplace cybersecurity training?
Workplace cybersecurity training is the process of training the individuals in an organization on best cybersecurity practices. Workplace cybersecurity training is used to ensure that all individuals within an organization are properly and continuously trained on cybersecurity practices necessary to keep the organization safe. This type of training is primarily for those who are not in security positions and subsequently may not have a working knowledge of safe security operations. A few examples of workplace cybersecurity training include: how to detect phishing emails, how to avoid social engineering, best practices for setting passwords, and best practices for keeping sensitive data safe. This article will help you understand the information employees need to keep your organization’s data secure. Every individual in an organization plays a part in safe security practices. Workplace cybersecurity training ensures your team has the resources in place to make that happen.
Why Is Workplace Cybersecurity Training Important?
It's easy to assume that cybersecurity is something only your information security team, IT department, or leadership has to worry about. It’s also easy to assume that because those people are in place, everything is safe. The truth is that bad actors often target individuals within an organization to gain access to sensitive information. Your investment in employee training will show that workplace cybersecurity is a priority of the organization and a shared responsibility. It can protect your company from potentially devastating legal, productivity and economic consequences.
There can be civil and governmental penalties for data breaches, as well as legal ramifications. Breaches can expose an organization to a myriad of legal problems that are painful and challenging to navigate and can take years to resolve. When an organization’s data is breached, that organization may be subject to lawsuits and held liable. Here are some additional resources to learn more about potential legal liability. Areas of potential legal liability to be aware of include leaks of third-party vendor data, customer data, and government data.
Data Breaches
The implications of data breaches are far-reaching and can be highly damaging to an organization. According to IBM, the average cost of a ransomware attack in 2022 was $4.35 million. In addition to the financial burden of a cyber breach is the sometimes lethal loss of brand trust. Consumers and other organizations may not be willing to work with an organization that has had a data breach. At the least, it can have ripple effects, as that trust takes time to regenerate. Bad actors do not need much to start a ransomware attack. All it takes is a single employee clicking on a bad link in a phishing scam email, or one employee picking up a random flash drive off the ground and plugging it into their computer to see what happens. Clicking on a malicious link from a phishing scam email can give a hacker access to your company’s internal network. Plugging in an infected flash drive can load a virus onto your computer that may allow the bad actor access to your company’s internal network. Here are two examples.
The largest candy corn manufacturer in the United States, Ferrara, was hacked. The ransomware attack scrambled and encrypted their company data, and as a result, their production plants were entirely shut down. In this type of ransomware attack, the perpetrators held valuable data hostage that was essential for plant operations to function.
Uber was also targeted and breached in a cyber attack. The personal information of over 77,000 Uber employees may have been leaked online.
Increase Awareness
Everyone in your organization is a potential target of a cyber attack. Unlike in the movies, where a lone actor attempts to hack directly into a company's files, many cyber threats involve sophisticated attempts to leverage human error within an organization to gain access to sensitive information. The sensitive information bad actors seek includes:
Customer lists
Customer personal information
Customer payment information
Employee personal information
Company data (can be held for ransom)
Company passwords
Access to third-party partners (they may be tunneling through your organization to another organization's data)
Types of Workplace Cybersecurity Training
Effective workplace cybersecurity training incorporates several different types of training to ensure that each employee is properly prepared to keep your organization’s information safe.
Online vs In-Person
Depending on the size of your organization and budget, you might want to combine learning on a computer and in-person training. Here are some pros and cons of each.
In-Person Training
If you have a security team in an IT department and someone within it is good at presenting, group training can be effective because your people get to meet with a trusted team member and colleague. These training scenarios can build connections and rapport with your security operations team.
Online/Individual Training
If you don't have a cybersecurity expert on hand to teach classes or your organization is too large for in-person training to be practical, you will likely need to use a more individual approach. This can include online learning software, online conference training, or a combination of the two. Online conferences gather your employees together and train them live, and they can also be recorded for future use. If your team has a learning and management team or a security team that can train your employees, it may be less expensive than buying or subscribing to online learning modules. However, one benefit of using an online learning module is that it can adapt to the various and demanding schedules of the individuals in your organization. Many organizations prefer the flexibility of providing the training through an online learning platform where individuals can go in at a time they schedule for themselves.
Knowledge vs Practice
Workplace training should contain both educational and experiential components. Since cyber threats have real-world implications, it is important to have a hands-on component where each individual can learn for themselves through repetitive practice. This is a tactical approach that is designed to supplement your educational modules. It tests the retention and understanding of the information. Some organizations implement hands-on practice sessions in the form of a quiz with required and tracked scores, and other organizations gamify the process.
Ongoing Training
It’s one thing to be taught something, but it’s another to be able to apply those principles in a real-world environment. A critical component of workplace cybersecurity training is ongoing training that tests employees' knowledge. This type of training may take the shape of simulated phishing attacks or other approaches that test whether your employees are able to practice what they have been taught. This ongoing training is especially useful because it has measurable results and provides a framework for individual compliance and ability. Since these attacks are orchestrated and monitored by your security operations team, you will be able to track who successfully reports the simulated attacks and who falls victim to them. Your team will then be able to provide additional training to those who need it.
What Should Be Included In Workplace Cybersecurity Training?
There are a few things to keep in mind when determining what should be included in your company's workplace cybersecurity training.
Include anything that may be required under federal and local laws.
Make sure to review your company policy in the training so employees are clear on what you expect and any consequences of failing to meet those expectations.
Consider what information will best prepare them for the types of attacks that are most likely to come their way.
Here are a few examples of the things that should be included in a workplace cybersecurity training.
Company Policies
Everyone in your organization needs to understand what your company policies are and how to comply with them. Here are ten examples of common cybersecurity policies.
Sending company, personal, and private information only through encryption software
Mandatory password changing every 45-90 days
Minimum password complexity requirements
Required use of a VPN when not on company internet
Use of secure employee ID to get into company offices
No tailgating at company offices (Tailgating is when an employee opens a door with their secure ID and then allows others to pass through the door without scanning their IDs.)
Rules governing where company information may be stored, such as not allowing company information to be stored on personal devices
Disabled flash drive ports on company equipment
Restrictions on which third-party software can be downloaded onto company equipment
Types of Cyber Threats
The methods and tactics that bad actors use continually increase in sophistication and complexity. It’s no longer enough to know what a phishing email is (even though that is important). As of this writing in 2023, here are some of the types of cyber threats to include in your workplace cybersecurity training.
Phishing attacks
Spear phishing
Whaling
Smishing
Vishing
Malware
Trojan
Virus
Spyware
Ransomware
Spam messages
Removable media such as flash drives
Social engineering
Tailgating
Pretexting
Baiting
DDoS attacks
Best Practices
Here are some examples of cybersecurity best practices that you may want to include in your workplace training and policies.
Strong password requirements. Strong passwords are at least 12 characters long, contain no recognizable words, do not contain repeating strings of three identical characters in a row, and combine capital letters, lower case letters, numbers, and symbols.
Changing password requirements. Passwords should be changed frequently. It is a best practice to require passwords in your company to be changed every 45-90 days.
Not repeating passwords across platforms. Many people use one password for everything. If someone uses one password and that one password gets compromised, then that bad actor may be able to get access to all of their accounts, including work accounts. Using a unique password for each site and software is the safest practice.
Use a VPN when not on company-secured Wi-Fi. Not all internet networks are secure. Public Wi-Fi, for example, is not secure, and bad actors could be lurking on public Wi-Fi with the potential ability to gain access to whatever you are doing online. When you need to use a public network, it is a best practice to use a VPN. A VPN, or virtual private network, creates a secure and unique access point that cannot be tracked or monitored.
Do not leave company equipment unattended and unsecured, even when traveling.
Use a privacy screen filter. These filters go over your monitor and obscure the view of the screen from anyone not directly facing the monitor. This limits the potential for people next to you in a public place to look at your screen and see private information.
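As an added illustration (not code from the article or its author), the following Python checker implements the password rules stated above: the 12-character minimum, the four character classes, the ban on three identical characters in a row, the "no recognizable words" rule, and the 90-day upper bound of the 45-90 day rotation window. The wordlist is a constructed placeholder; a real deployment would load a full dictionary and a breached-password list.

```python
import re
from datetime import date, timedelta

# Constructed, deliberately tiny wordlist standing in for a real dictionary.
# Kept as a tuple so violation messages come out in a stable order.
COMMON_WORDS = ("password", "welcome", "summer", "company", "admin", "letmein")

MIN_LENGTH = 12              # "at least 12 characters long"
MAX_PASSWORD_AGE_DAYS = 90   # upper bound of the page's 45-90 day window


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations for `password`.

    An empty list means the password satisfies every rule the policy states.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Backreference catches any character repeated three times in a row ("aaa", "111", "!!!").
    if re.search(r"(.)\1\1", password):
        problems.append("three identical characters in a row")
    lowered = password.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains recognizable word '{word}'")
    return problems


def password_is_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample candidates, from clearly non-compliant to compliant.
    for candidate in ("Passw0rd!", "Welcome2024!!!", "xK7#pq2!Lm9z"):
        issues = check_password_policy(candidate)
        print(f"{candidate!r}: {'OK' if not issues else '; '.join(issues)}")
    print("expired:", password_is_expired(date(2023, 1, 1), date(2023, 4, 15)))
```

Rules such as "no recognizable words" are only as good as the wordlist behind them, so the tuple above is the part to replace before using this in anger.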
Tips for Running Workplace Cybersecurity Training
Starting a workplace cybersecurity training program from scratch or updating an existing one can feel like a daunting task. Here are a few tips to keep in mind for running a workplace cybersecurity training.
Tip 1: Train Regularly
Regular training may be required by law depending on your industry or location. Regardless, it is important to train people regularly for a few reasons.
Ever-changing threats. The first reason it is important to train regularly is that cyber threats are ever-evolving, and people can only focus on so many things at a time. Right after a training your people may be hyper-aware of potential threats, but over time they will fall back into old patterns and be caught up in the whirlwind of their daily jobs. A regular cadence of training keeps cyber safety top of mind and keeps them apprised of the evolving threat landscape.
New employees. Another good reason to train regularly is to make sure that all of the people who are joining your organization are trained and have the resources they need to uphold your company policies.
Tip 2: Make Cybersecurity Training a Priority
Workplace cybersecurity training is one of those things that likely won’t happen, or won’t happen well, if it is not an organizational priority. Here are two ways that your organization can show that cybersecurity is a priority:
Host a password party. Have a company-wide party where everyone in the organization changes their current passwords to unique, strong passwords for every site for which they have a password.
Opt into two-factor authentication. Two-factor authentication is a quick way to make data safer and add a layer of protection against phishing scams and other potential threats.
Tip 3: Provide Additional Resources
An annual training is a good starting point, but it will not be enough to combat the ever-growing threat of cyber attacks. In addition to formal training, your people need up-to-date resources and a way to reach out if they have questions or concerns. It's a good idea to set up a company cybersecurity resource center where your people can find answers to common questions and report any concerns that they have.
Tyler Fisher, PHR
Tyler empowers Talent Acquisition professionals, HR business leaders, and key stakeholders to develop and execute talent management strategies. He is igniting the talent acquisition process through team building, accurate time-to-fill forecasting, driving creative talent sourcing, and fine-tuning recruiting team effectiveness.
Any organization that has one or more computers or digital devices onsite should implement workplace cybersecurity training.
The needs of an organization and the amount of information individuals need to know vary. In general, presentations should be limited to 60-90 minutes, so break up the types and lengths of your training.
Every member of an organization who uses a digital device can be the target of a malicious attempt to gain access to sensitive company data. Bad actors often tunnel into an organization through social engineering attacks against the employees of a company. These social engineering attempts are not limited to those employees who work in a security-related role.
There are outside consultancy firms that can conduct workplace cybersecurity training, and there are also software solutions that can deliver your workplace cybersecurity training.