This is according to Charl Ueckermann, CEO at AVeS Cyber Security, who says it is easier to hack a human than a network.
“Make your people hack-proof by training them to be cybersecurity risk aware. Sound employee knowledge can be your network’s best proactive defence mechanism,” he says.
He points out that training can’t be purely theoretical. It should be accessible and practical so that it translates into behavioural change. “When we talk about behaviour change, it boils down to creating awareness of cyber threats, encouraging the continued, prudent use of applications and internet resources, and empowering employees with the tools to know what to do if they notice something is wrong.”
Continuous learning is required
Organisations can best achieve behavioural change that sees every employee participating in the cybersecurity strategy through continuous micro-learning that ensures retention of knowledge. Ueckermann explains that training programmes should offer companies a mechanism for providing bite-sized cybersecurity awareness tools to employees in an accessible way.
This encourages their receptiveness to the information, an understanding of the information and prompts a “want” as well as an ability to put that knowledge to use. These bite-sized chunks of information should be adapted to the employee’s risk profile. A personal assistant to an executive, for instance, would be deemed to have a high-risk profile because they have access to a lot of confidential and personal information.
The speed of the curriculum can also be customised so that people can train at a comfortable pace and don’t become overwhelmed by too much information, too soon and too fast.
IT security awareness initiatives should make a splash and then follow with engaging pieces of information in intervals to keep people interested and keen to adopt what they’ve learned. What you want is a team that not only supports your IT security strategy but is also empowered to identify faults or potential threats and know what to do to fix them. That is when employees become part of the solution instead of being one of the biggest risks to IT security.”
Ueckermann describes an IT security awareness programme as having four steps
He points out that a company’s HR department has a vital role to play in implementing an organisation’s cybersecurity strategy and digital transformation journey.
“They know who has joined or left the company. Employees should be on-boarded and off-boarded properly. This includes giving them access to resources that are appropriate to their job specifications and risk profiles. New staff induction programmes should also include IT security awareness education. Using cybersecurity training platforms, such as Kaspersky Lab’s Automated Security Awareness Platform (ASAP), it is possible to look at where the person lies on the cyber awareness continuum, establish their risk profile and then implement interval training appropriate to this. On the flip side, access privileges need to be removed when the person leaves the company.”
Ueckermann concludes by saying that with the right tools, and with continuous learning and awareness among employees, companies can mitigate cyber risks dramatically.
“If everyone is prepared and alert, breaches can be caught early and recovering from an incident will cost half of the average costs of an incident than in an organisation that is not prepared. Education is indeed one of the most powerful weapons against cyber attacks.”