
Three tips for improving your company’s cybersecurity training

Article by Chrystal Taylor, SolarWinds Head Geek

Despite many companies investing more money than ever in advanced cybersecurity tools and technology, experts believe cyberattack costs for U.S. businesses will rise dramatically in 2023.

Professional cybercriminals and nation-state threat actors carrying out highly sophisticated attacks continue to make the biggest headlines. However, based on trends, it’s safe to assume many incidents will still result from incredibly effective and hard-to-spot threats such as phishing and social engineering attacks.

Attacks such as these, despite requiring less technical ability, still get past even the most advanced cybersecurity technology because they prey on human error, which, according to IBM's Cyber Security Intelligence Index, was a contributing factor in 95% of the security incidents the company analyzed.

To combat these threats and reduce the likelihood of human error leading to an incident, companies supplement their cybersecurity technology with employee training programs. When implemented effectively, these programs can improve employee cyber knowledge and reduce the risk of an employee falling victim to an attack. At a time when the average breach costs millions, this training is more important than ever.

Here are three tips to consider to help improve your company’s cybersecurity training program.

Simulate attacks to improve behaviors

The old adage "practice makes perfect" rings true, especially when it comes to cybersecurity training. But how can companies "practice" spotting and preventing various types of cyberattacks? Through simulations!


There are few better ways to teach employees how to recognize, avoid, and report potential threats than simulating the attacks they may encounter in the real world.

Thankfully, several companies and programs, many delivered in an easy-to-use software as a service (SaaS) model, exist today to help organizations strengthen their security by simulating phishing, malicious-attachment, and other common attacks employees may face. These test campaigns are then run against staff members, who are expected to spot, avoid, and report the attempts.

These simulations of real-world, relevant scenarios let staff practice against the threats they may face in a no-stakes environment, which increases vigilance and preparedness. Pairing them with positive reinforcement rather than punishment matters: employees are then more likely to report suspected phishing and smishing attempts, even when their suspicions turn out to be unwarranted. That means more reports for the security team to check, but also more aware, and more wary, employees.

Reduce fear fatigue with small steps and add context around threats

It seems like every week a new cyberattack makes headlines. This inundation of news has led to a dangerous phenomenon known as “fear fatigue,” which is defined as the “desensitization from repeated exposure to the same message over time.”

According to a survey conducted by Malwarebytes, 80% of the respondents reported some level of “fear fatigue” related to cybersecurity. This fear fatigue is dangerous and can result in careless behavior capable of leading to significant cybersecurity vulnerabilities and risks.

To combat fear fatigue and remind employees their actions are critical to the overall security of the company, organizations can begin by taking small steps. Companies could consider starting with company-wide authentication policies. Rolling out two-factor authentication is a simple but powerful reminder for employees to be active participants in their company's overall cybersecurity posture, and because the threats discussed here are phishing-driven, phishing-resistant factors such as FIDO2/WebAuthn security keys are preferable to one-time codes that can be relayed by an attacker. Password rules deserve the same care: current NIST guidance (SP 800-63B) recommends against forcing periodic password changes, which tends to produce weaker, predictable passwords, and instead recommends requiring a change only when a password is known or suspected to be compromised, alongside screening new passwords against lists of known-breached ones.

Companies could also consider adding context to communications around cybersecurity to help employees understand the real-world consequences of a potential incident. One example is by noting the potential monetary impact a cyber incident may have on employee bonuses and salaries, among other things.

Implement a zero-trust, least-privilege environment and become Secure by Design

Despite every company’s best efforts, relying on employees to prevent cyberattacks will never be a completely foolproof plan. Therefore, every organization should also look to implement zero-trust cybersecurity and an environment of least privileges.

At its core, the zero-trust security model closely guards company resources while operating under an "assume breach" mentality. This means every request to access company information or services is authenticated and authorized on its own merits, based on the identity making the request and the state of the device it comes from, rather than being trusted because it originates from inside the corporate network.

Similarly, an environment of least privilege acts as a safeguard against unwanted access to software, services, servers, and hardware from accounts that do not need that access. Granting each account only the permissions its role requires, and regularly reviewing and pruning those grants, greatly restricts the attack surface and limits what an attacker can do with any one compromised account.
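The "regular assessments" part of least privilege can be partly mechanized by comparing what each account is allowed to do with what it has actually done. The script below is an added illustration of that review, not code from the article or from SolarWinds: the accounts, permission names and access-log entries are constructed sample data, and the hypothetical `GRANTS`/`ACCESS_LOG` shapes stand in for whatever an identity provider or cloud IAM export would provide.

```python
"""Least-privilege review: flag granted permissions that were never exercised.

Added illustration for the least-privilege discussion above; not code from the
article or from SolarWinds. All accounts, permission names and log entries are
constructed sample data; the data shapes are hypothetical stand-ins for an IAM
export and an access log.
"""
from collections import defaultdict

# Constructed sample: which permissions each account has been granted.
GRANTS = {
    "alice": {"payroll:read", "payroll:write", "hr:read"},
    "bob": {"payroll:read", "build-server:admin", "repo:write"},
    "svc-backup": {"storage:read", "storage:write", "db:admin"},
}

# Constructed sample: permissions actually exercised during the review window,
# as (account, permission) pairs pulled from an access log.
ACCESS_LOG = [
    ("alice", "payroll:read"),
    ("alice", "hr:read"),
    ("bob", "repo:write"),
    ("bob", "payroll:read"),
    ("svc-backup", "storage:read"),
    ("svc-backup", "storage:write"),
]


def used_permissions(log):
    """Collapse the access log into {account: set of permissions actually used}."""
    used = defaultdict(set)
    for account, permission in log:
        used[account].add(permission)
    return used


def unused_grants(grants, log):
    """Return {account: sorted list of granted-but-unused permissions}.

    Accounts whose every grant was exercised are omitted, so the result is
    exactly the list of removals the review should propose. An account with
    no log activity at all has every grant flagged.
    """
    used = used_permissions(log)
    report = {}
    for account, granted in grants.items():
        excess = sorted(granted - used.get(account, set()))
        if excess:
            report[account] = excess
    return report


def is_privileged(permission):
    """Heuristic: admin/write grants widen the blast radius most; review them first."""
    return permission.endswith((":admin", ":write"))


def prioritised(report):
    """Flatten the report into (account, permission) rows, high-impact grants first."""
    rows = [(acct, perm) for acct, perms in report.items() for perm in perms]
    return sorted(rows, key=lambda r: (not is_privileged(r[1]), r[0], r[1]))


if __name__ == "__main__":
    for account, permission in prioritised(unused_grants(GRANTS, ACCESS_LOG)):
        print(f"review: remove {permission!r} from {account!r} (unused in window)")
```

Treat the output as a review list, not an automatic revocation: a permission unused in one window may back a quarterly task or a break-glass procedure, so the owner of each account should confirm the removal. The point of the check is that it makes privilege creep visible on a schedule instead of leaving it to be discovered during an incident.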

At a time when more companies are embracing long-term hybrid workplaces, where staff connect from networks the company does not control, zero trust and least privilege are powerful tools to help prevent and mitigate vulnerabilities.

Moving forward, organizations should create products and software that are Secure by Design, with security features built in rather than bolted on afterward. Taking a Secure by Design approach means focusing on people, infrastructure, and software development together to strengthen the company's security posture. If organizations follow this model, it can help prevent and mitigate future cyberattacks.