Cybersecurity Awareness Month: Train employees to be first line of defense

This October looks quite different from previous years, as IT oversees staff who are no longer centrally located, creating a larger attack surface for bad actors. Awareness is key, experts say.

istock-1165968532.jpg

Image: iStock/Blue Planet Studio

Maintaining good cyber hygiene is always essential for an IT department, and it's equally important that IT remind company employees of the looming threat of cyber breaches. October marks Cybersecurity Awareness Month, and it's particularly relevant this year as many people are working remotely, spread out in the wide-ranging locations they call home, rather than housed within a company building. The greatest cyber risk are employees, generally the source of breaches, not for ill-intentioned reasons but for lax cyber hygiene.  

SEE: Identity theft protection policy (TechRepublic Premium)

A cybersecurity expert warns that during Cybersecurity Awareness Month it is time for the enterprise to emphasize training that doesn't just keep their employees from putting the business at risk, but "empowers them to become the organization's first line of defense."

"We need to focus on what defines awareness," said Dan Callahan, cyber training director at Capgemini North American. "How can an employee's actions impact the well-being of the company or fellow co-workers? Executive leaders need to consistently communicate and educate their teams about cyber risk across every business unit within the enterprise."

Last year's Cybersecurity Awareness Month presented a different set of issues than this year's. "The Work From Home [WFH] model provides challenges since employees that may have been hyper-aware of security concerns when working in the office may now be a bit more relaxed or distracted at home," Callahan said."The more employees working from home, the larger the threat landscape, which provides more opportunities for the adversary to attack."

Six cybersecurity strategies 

TechRepublic asked experts their top tips on how companies can improve or stress cybersecurity awareness.

  1. Use Cybersecurity Awareness Month to connect with employees about cybersecurity: "It's really important to project a positive, optimistic attitude about employee resilience: Use stories to help people see how cybersecurity connects with their lives, promote positive narratives that empower people to take control of their digital lives, at work and at home and use humor to delight people. Why? Because delighted people are more likely to listen to what you have to say! Use them year round and get more people interested in the role cybersecurity plays in their lives," said Tom Pendergast, chief learning officer at MediaPro.

  2. Open up communication between IT and employees: "Our past research indicates that the majority (75%) of employees say they either usually or almost always follow the advisory of their IT department. IT teams just need to make sure they are providing this guidance on a regular basis," said Andrew Homer, vice president of security strategy at Morphisec.

  3. Invest in people, in addition to products: Companies need to put efforts toward "flexibility and constant improvement, stability in flexibility, real implemented planning and solutions," said Samantha Isabelle Beaumont, senior security consultant at Synopsys.

  4. Focus on minimizing risks, and make training fun: "Sessions need to be entertaining [and] have educational and humorous content. Customize training, and incorporate team-specific humor into the content. Training needs to be digestible and consumable in bite-sized sessions. Break an hour of training up into five- to 10-minute chunks that the staff can take on demand. Training needs to connect to the audience's personal life. Use personal at-home security and data privacy examples tied back to business and their day jobs,"  said Rick Holland, chief information security officer, vice president of Strategy at Digital Shadows.

  5. Customize training to specific role requirements: "Each employee should be equipped with the necessary knowledge and skills to identify and respond appropriately to role-specific threats. A robust threat intelligence and incident management capability can help inform awareness campaigns of emerging and common threats that each role is likely to experience." Training needs to be: Emotionally stimulating, personally relatable, and ingrained in memory. Frequently deliver micro-content, using apps, email reminders and posters to deliver messages in smaller, digestible doses, rather than overwhelming the employee," said Daniel Norman, senior solutions analyst at the Information Security Forum.

  6. Make cyber awareness pragmatic and realistic: "Executive Leadership needs to embrace and advocate the importance of cybersecurity by directly communicating with employees. Show empathy when speaking about the WFH model, but also provide a sense of urgency to ensure employees are situationally aware that their actions at home can still impact the company. Explain the adversary's point of view. How can an employee be a target? What information on social media profiles," or other accessible information, "could be valuable for an attacker to know? Stop speaking in general terminology, and remove buzzwords. How does it impact the business or mission of the company? Be more specific on business or safety impacts to the company, employees or community," Callahan said.

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

The psychological impact

With an added workload--more responsibilities and the expectation to ensure everything in the enterprise is updated, for all leaders and employees--those in charge of the company's cybersecurity are likely overburdened. "We also sometimes forget about the impact of the pandemic on the security teams themselves," Callahan said. "If they were working in a security operations center (SOC) and thrived on being within a team atmosphere, how are they dealing with the WFH model? Are they burning out and making unforced errors? It's not always about the traditional technical solutions or the typical training that was conducted in the past. Organizations need to take a deeper look at the impacts of this disruption on their employees across all job roles."

Working from home is extra difficult for IT personnel. "The surge in WFH employees has placed a great deal of pressure on IT and security departments. Security professionals were not only tasked with the challenge of quickly creating a remote environment, but they also had to handle the larger attack surface created by such a work style while working themselves remotely. Attackers are actively targeting the vulnerabilities created among distributed teams," Homer said.

Also see