
Should cybersecurity training for employees be mandatory?

As organizations fortify their cybersecurity, they also need to prioritize cybersecurity training for their employees. Over the years, cybercriminals have improved their cyberattack methods and are now focusing their attacks on employees.

Social engineering attacks, phishing emails, and business email compromise attacks remain some of the biggest threats targeting employees in any organization. In fact, Gartner predicts that by 2025, the lack of talent or human failure will be responsible for over half of significant cyber incidents. The number of cyber and social engineering attacks against people is spiking as threat actors increasingly see humans as the most vulnerable point of exploitation.

A Gartner survey conducted in May and June 2022 among 1,310 employees revealed that 69% of employees have bypassed their organization’s cybersecurity guidance in the past 12 months. In the survey, 74% of employees said they would be willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.

Gartner research also shows that over 90% of employees who admitted undertaking a range of unsecured actions during work activities knew that their actions would increase the risk to the organization but did so anyway. Human-centric security design is modeled with the individual, not technology, threat, or location, as the focus of control design and implementation, so as to minimize friction.

As such, there is no denying that the weakest link in any organization will always be the employee. No matter how much organizations invest in cybersecurity to fortify the organization or send employees for cybersecurity courses, if employee awareness isn’t there, chances are they will end up being targeted by cybercriminals.

The cost of insider threats

In order to keep employees vigilant when it comes to cybersecurity, organizations first need to ensure they are well-prepared to deal with any incidents. This includes having the IT and security team ensure that patches are applied and that there is visibility over who has access to company data.

IBM’s Cost of a Data Breach report indicates that stolen or compromised credentials, such as logins and passwords, were not only the most common cause of a data breach but also took the longest time to identify, at 327 days. A cyber attacker can be using stolen credentials without the organization realizing it at all. IBM also stated that breaches caused by stolen credentials cost US$ 150,000 more than the average cost of a data breach.

Apart from stolen credentials, employees using their personal devices for work or using work devices for personal reasons are also big problems. For example, if an employee uses a company laptop for browsing the internet or social media, they could accidentally click on links or enter websites that have been compromised.

Another problem is some employees tend to open emails and click on links without checking the sender. This has led to many employees, especially those in the finance department of an organization, being continuously targeted by cybercriminals.

Making cybersecurity training mandatory for employees

To change this, cybersecurity training needs to not only be mandatory but be frequent. Businesses should consider having employees do a training exercise every quarter or twice a year if possible. Studies have shown that when such exercises are done, the number of employees failing remains high.

Businesses also need to ensure employee access is immediately removed when they leave an organization. The same applies to third-party users accessing the system. While zero-trust security frameworks provide visibility, security teams still need to double-check on these.

Depending on the company budget, not every organization will be able to afford such programs. However, that does not mean they can take cybersecurity lightly. Businesses need to first ensure their devices are secured and also that their senior executives and board members know how to deal with such situations.

At the end of the day, continuous cybersecurity training is probably the best option. No matter how much is invested in modern cybersecurity technology, if an employee decides to go rogue or clicks on unsecured links using office devices on the company network, the outcome can be drastic.