Training program

your current cybersecurity awareness training program isn’t working | Compliance point

[co-author: Stephen Haley]

The human element continues to fuel the breaches. This year, 82% of offenses involved the human element. Whether it’s the use of stolen credentials, phishing, misuse, or just a mistake, people continue to play a very big role in both incidents and violations. Source: Verizon 2022 Data Breach Investigation Report

Don’t Let Your Employees Be Your Cybersecurity Weakness

As business owners, you know that cybersecurity is critical to the well-being of your business. No matter how sophisticated your security systems are, they are only as strong as the people using them. Inevitably, human error will be the weak link in any cybersecurity strategy. If you’re like most organizations, you lead your staff through the annual “security awareness training” regiment feeling good that all employees have passed the annual training milestone. The problem is, in most cases, this does not work! Ransomware incidents are increasing year on year, with the average cost in 2021 being $1.85 million according to a recent Sophos Ransomware study. Unsurprisingly, Verizon recently released data breach investigation report identifies the main culprits as stolen credentials and phishing attacks. This is a clear indicator that the typical annual security awareness training program for our employees does not work ! While annual training is a good start to reducing your business risk, it is not enough to protect your business from cyberattacks. The CompliancePoint Cybersecurity Team identified these 3 steps to reduce the risk of a cybersecurity breach or ransomware attack, help mature your security awareness program, and save money on cyber insurance premiums.

  1. Move from an annual security awareness program to a bi-annual security awareness program focused on interactive role-based training. Semi-annual cybersecurity training sessions will show your employees the importance of this initiative and keep in mind what they have learned.
  2. Establish a quarterly phishing campaign regiment that evaluates and reports on the organizational effectiveness of the employee security awareness training program. The objective is to ensure 100% employee saturation across campaigns.
  3. Improve the training of your incident response team by introducing breach and attack simulations as a way for your organization to gauge the effectiveness of its security controls.

Organizations need to realize that the longer it takes them to respond to a cyberattack, the more expensive it will be. By implementing the measures described above, you will address a cybersecurity weakness and increase your organization’s ability to respond quickly and effectively to a cybersecurity incident.