News

Industries

Companies

Jobs

Events

People

Video

Audio

Galleries

My Biz

Submit content

My Account

Advertise with us

Employee education a critical weapon against cyber threats

The better an employee's understanding of cybersecurity risks is, the greater their potential to participate in reducing these risks, as well as the associated costs of a breach. The average cost of a cybersecurity breach can range between R1 million for small businesses to around R40 million for large enterprises.
Employee education is a critical weapon against cyber threats. Image supplied
Employee education is a critical weapon against cyber threats. Image supplied

This is according to Charl Ueckermann, CEO at AVeS Cyber Security, who says it is easier to hack a human than a network.

“Make your people hack-proof by training them to be cybersecurity risk aware. Sound employee knowledge can be your network’s best proactive defence mechanism,” he says.

He points out that training can’t be purely theoretical. It should be accessible and practical so that it translates into behavioural change.“When we talk about behaviour change, it boils down to creating awareness of cyber threats, encouraging the continued, prudent use of applications and internet resources, and empowering employees with the tools to know what to do if they notice something is wrong.”

Continuous learning is required

Organisations can best achieve behavioural change that sees every employee participating in the cybersecurity strategy through continuous micro-learning that ensures retention of knowledge. Ueckermann explains that training programmes should offer companies a mechanism for providing bite-sized cybersecurity awareness tools to employees in an accessible way.

This encourages their receptiveness to the information, an understanding of the information and prompts a “want” as well as an ability to put that knowledge to use. These bite-sized chunks of information should be adapted to the employee’s risk profile. A personal assistant to an executive, for instance, would be deemed to have a high-risk profile because they have access to a lot of confidential and personal information.

The speed of the curriculum can also be customised so that people can train at a comfortable pace and don’t become overwhelmed by too much information, too soon and too fast.

IT security awareness initiatives should make a splash and then follow with engaging pieces of information in intervals to keep people interested and keen to adopt what they’ve learned. What you want is a team that not only supports your IT security strategy but is also empowered to identify faults or potential threats and know what to do to fix them. That is when employees become part of the solution instead of being one of the biggest risks to IT security”
Ueckermann describes an IT security awareness programme as having four steps

  1. The launch: when cyber risks are explained in the context of an increasingly connected, digital world. Cyber threats affect everyone, from large corporations to individuals. Employees should move away from just understanding the role they play and move towards understanding they are part of the solution.

  2. Train: Implement training, for instance, using training platforms, and sign off and communicate security policies around the use of email and internet resources.

  3. Motivate: Keep people interested and motivated to support the IT security strategy. Use email banners and the company newsletter to keep them updated. This can be combined with incentives or built into KPIs.

  4. Empower: where employees are in a state of control when it comes to identifying potential problems as well as knowing what to do to remedy them.

He points out that a company’s HR department has a vital role to play in implementing an organisation’s cybersecurity strategy and digital transformation journey.

“They know who has joined or left the company. Employees should be on-boarded and off-boarded properly. This includes giving them access to resources that are appropriate to their job specifications and risk profiles. New staff induction programmes should also include IT security awareness education. Using cybersecurity training platforms, such as Kaspersky Lab’s Automated Security Awareness Platform (ASAP), it is possible to look at where the person lies on the cyber awareness continuum, establish their risk profile and then implement interval training appropriate to this. On the flip side, access privileges need to be removed when the person leaves the company.”

Ueckermann concludes saying that with the right tools, and with continuous learning and awareness among employees, companies can mitigate cyber risks dramatically.

“If everyone is prepared and alert, breaches can be caught early and recovering from an incident will cost half of the average costs of an incident than in an organisation that is not prepared. Education is indeed one of the most powerful weapons against cyber attacks.”

Let's do Biz