“Stay vigilant! Think twice before clicking! Be skeptical!” You will often hear this advice from cybersecurity experts, and rightfully so. The majority of cyber-attacks that impact small and mid-sized businesses are due to negligent behavior of a user within the business. Although instructing people to stay vigilant is technically the right guidance, it doesn’t provide users the tools and education they need to effectively adopt this new behavior. Fortunately, there is a solution that is proving to be quite effective: Cybersecurity awareness training.
Explain The How and Why
Traditionally, cybersecurity awareness training has focused on the “What”: What to look out for, what not to click on, what to do with passwords, etc. This training isn’t very successful, though, because it fails to explain the motivations and techniques of hackers. People need this background information to connect the dots between all the different strategies attackers use. This also helps users be vigilant beyond what they were explicitly trained on.
One of the most effective cybersecurity training strategies is to tell a story about an actual cyber-attack from the perspective of both the victim and the attacker. Typically, attackers employ multiple techniques and stages to their attack. Demonstrating how each of these pieces worked, and highlighting all the opportunities the user had to stop it, is an incredibly effective way of teaching people the critical thinking and caution they need avoid falling victim to a cyber-attack.
Train Often and Keep It Relevant
Effective cybersecurity awareness training is not a one-time endeavor. Firstly, people need reoccurring training to reinforce their knowledge and keep the objective top of mind. Secondly, the strategies threat actors use to compromise businesses changes constantly. Training users on the latest techniques is essential to the efficacy of their defense.
Mature managed I.T. service providers (“MSPs”), such as Digital Boardwalk, deliver strategic training curriculums with courses throughout the year. The training regimen has a schedule that is strict enough to hold participants accountable to completing their training, yet flexible enough to allow them to work the training into their busy schedules. The training is also designed to be engaging and entertaining to further support participation.
Perform Knowledge Checks
Another important aspect of cybersecurity awareness training is routine knowledge checks. One form of knowledge checks that mature MSPs employ are called “Phishing Simulations.” On a routine basis, a fake phishing email is sent to all users within the organization. At first glance, these emails appear to be legitimate and from trusted sources. Hidden within the email, however, are intentional “giveaways” that educated users should be able to identify. Optimally, users will report the email to their I.T. service provider and question its legitimacy. For those that “take the bait” and take action on the email, they are redirected to additional education and are flagged for more training.
Conclusion
Users within your organization play an equal role to your MSP in protecting your business from cyber-attacks. Simply telling them what to do and not do is insufficient, though. A strategic cybersecurity awareness training program can provide your team all the tools and education they need to stay vigilant and avoid becoming a victim of cyber-attack.