Five Surprising Reasons to Invest in Better Security Training
- by 7wData
The conventional wisdom about security training needs an update — and for reasons that may surprise you.
Cyberattacks are rising in frequency, severity and the damage they cause. Since the weakest link in any networked chain is the user, employee training is a vital part of a comprehensive program that also requires world-class software and savvy policy.
You know all that, but there are other, less obvious reasons to invest in better training that even the most grizzled IT security veteran may not fully appreciate.
The 2017 IBM X-Force Threat Intelligence Index report showed that a shocking number of incidents come from insiders, employees and other trusted people. Seventy-one percent of attacks against healthcare companies fall into this category, while 58 percent of incidents in financial services, the most-attacked sector, originate from insiders.
The majority of these insiders are inadvertent actors — mostly employees who were tricked into initiating the attacks. These numbers expose the inadequacy of today’s normal training programs. They’re not frequent, memorable or thorough enough. In other words, they’re not working.
The bottom line is that training has not kept up with the evolution of cyberthreats or their remedies. That’s why it’s more important than ever to implement the best possible tools to protect sensitive data. But decision-makers must remember that even the best software cannot stop all threats.
For example, any employee with access to any phone anywhere at any time is potentially vulnerable to social engineering. The reality of bring-your-own-device (BYOD) environments is that employees may be connecting to company resources at all hours and exposing their devices to threats in arbitrary locations and over insecure networks. That’s why great software and solid policies must be accompanied by more frequent and better training.
Of course, training exists to educate employees about threats. Don’t click on that suspicious email link. Don’t insert that thumb drive you found in the parking lot. Don’t keep your password on a note card stuck to your monitor.
But security training should be about far more than just teaching employees to avoid common errors. Below are five surprising reasons why training is vital.
Accelerating threats affect employees most directly by causing unwanted changes in how they work. Security rules implemented without follow-up can feel like an imposed burden. Good training makes employees feel like partners in these policy changes.