In the past couple of years, specifically due to the Covid-19 pandemic, the world has seen exponential growth in the adoption of technology, and this adoption is leading the global population towards digitalization and being ever more interconnected.
One of the harsh and troubling realities of this digitalization is the ever-rising, costly and damaging occurrence of cyber-attacks. These attacks can go as far as paralyzing the economy of certain states/countries and bringing critical services and their infrastructure to a standstill. This tendency will keep increasing because of the availability of advanced tools, sophisticated methods and the ever-declining cost of acquiring them. The signs of technology dependence are increasing everywhere. The International Telecommunication Union (ITU) recently reported a significant increase in new broadband connections as well as a rise in overall broadband data usage owing to remote working, digital entertainment and cheaper data. Most organizations have prioritized offering digital consumer tools, strengthening their digital environment and investing in cybersecurity tools. All these decisions will help them achieve better cybersecurity policies, help boards take effective security decisions, help governments form more precise regulations and more. But all of these will still be ineffective in reducing the risk and threat level against the weakest link (the human factor).
More than 80 percent of the reported cyber-attacks across the globe have happened because of human error. We believe that this percentage can only be reduced when people are educated and trained, i.e. made aware of the risks, threats and mitigations. It might come as a surprise to many, but in hindsight educating users greatly brings down IT spending as well as the cost of a cyber-attack. Here are 5 simple and cost-effective methods we recommend that organizations/users implement.
Security Training should be a regular event.
Many organizations organize annual security training for their employees, but in the current scenario such trainings are of no use. The security landscape changes every other week, if not every day, so when employees learn about new threats only annually, those learnings are effectively useless. Organisations should plan monthly or bi-weekly trainings. When we say trainings, we do not mean they always have to be in person. They can be virtual, or delivered through newsletters, emails etc. These trainings can be tailored with specific content for individual teams, or kept general with the entire organisation in mind.
in training/education process.
Reading emails and newsletters and listening to speakers on a regular basis can become monotonous for employees and, over time, a less effective way of training. Gamification is a great way to keep users engaged and to measure the effectiveness of the training. This can mean quizzes on the training imparted, signing users up on gamification platforms or, if budget permits, developing your own internal platform.
Have a targeted training program.
One size fits all does not work in the field of technology. Identify the risks to your assets and organization, e.g. some organisations/businesses are more prone to DDoS attacks, while others are more prone to ransomware attacks. Design your training based on your risks and threat factors. The same rule can be applied when selecting supporting security technologies.
Yes, it’s for you as well.
Training should follow a top-down approach in an organization. Each role in the organisation contributes to a security risk factor and thus each should be educated. It's for the developers to learn about secure development, whereas it's for the decision makers to learn about crisis management. When everyone in the organisation is involved in this process, it will help answer the “why’s” for the people at the top.
Penalty is not the solution.
Several employees might not perform well in the training/education process. Do not penalise them; instead, take a positive approach: find out the reason and have them take the training again to evaluate their performance.
These are just basic tips that can help any organisation reduce its risk and threat level. There are free training tools and resources available which organisations can use. Comment below with a list of tools, methods & more suggestions to improve training/education for users.