When it comes to cyberthreats, your employees are on the front line, but many of them are unprepared. They may not be aware of the risks and red flags, and they may not know how to respond when cybercriminals strike. With the average total cost of a data breach at $4.35 million, and nonprofits far from immune, it’s time to provide your staff with the training they need.
According to a recent study from the Ponemon Institute, a technology consulting company, employee negligence is the leading cause of data loss incidents. In fact, almost 60% of organizations experienced data loss due to an employee mistake involving email in the previous 12 months.
The shift to remote work, increasingly common for nonprofits, is notable, too. The Ponemon study found a strong correlation between the number of remote workers an organization has and a data breach’s cost. But the study also found that certain factors — including employee training — are associated with a lower-than-average breach cost.
Critical components of training
Risks vary by organization, but cybersecurity training should, at a minimum, cover:
Passwords. It may be hard to believe, but many people still have poor password habits, even though it seems the importance of hard-to-crack passwords has been drilled into us for decades. Year after year, the lists of the most common passwords continue to include 123456, 123456789, PASSWORD and 12345.
If your employees are using such simple passwords, they’re leaving your systems vulnerable to attack. Teach your employees how to devise strong passwords (for example, 12 characters with a mixture of numbers, symbols and upper- and lower-case letters). They also need to change passwords at least every 90 days and avoid re-using passwords for different apps, devices or software.
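The password rules above can be enforced at the point where a password is set rather than left to memory. The following checker is an added example, not code from the article; it applies the 12-character and mixed-character-class rule, rejects the common passwords the article lists, and flags reuse against a hypothetical store of previously used password digests (the `previous_hashes` parameter is an assumption made for illustration).

```python
import hashlib
import re

# Constructed denylist built from the passwords the article names as perennially common.
COMMON_PASSWORDS = {"123456", "123456789", "password", "12345"}
MIN_LENGTH = 12


def check_password(candidate: str, previous_hashes=()):
    """Return a list of policy failures; an empty list means the password passes.

    previous_hashes: hex SHA-256 digests of passwords this person has used before
    (a hypothetical store used only for the reuse check; a real credential store
    should keep a salted, slow password hash instead of plain SHA-256).
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Mixture of numbers, symbols and upper- and lower-case letters.
    if not re.search(r"[a-z]", candidate):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        failures.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        failures.append("no symbol")
    # Case-insensitive match so PASSWORD, Password and password are all caught.
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    # Reuse check against digests of earlier passwords.
    if hashlib.sha256(candidate.encode("utf-8")).hexdigest() in set(previous_hashes):
        failures.append("reuses a previous password")
    return failures


if __name__ == "__main__":
    for pw in ("PASSWORD", "Tr0ub4dor&3rd-Xy"):
        print(pw, "->", check_password(pw) or "passes")
```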
Social engineering. In social engineering attacks, including phishing schemes, cybercriminals use social skills to obtain or compromise an organization’s information or computer systems. Phishing is responsible for 16% of data breaches, according to the Ponemon report. But phishing is just one example of the social engineering threats your employees might encounter.
“Vishing,” for example, uses voice communication. It can be combined with other types of social engineering to lure a victim to call a certain number and reveal sensitive information. “Smishing” leverages SMS messages with dangerous links. Your training should teach employees how to recognize and resist the various sorts of schemes so they don’t fall prey and jeopardize your data.
Business vs. pleasure. When employees mingle their business and personal accounts, information, and devices, disaster can result. Explain why they shouldn’t conduct business activities (such as accessing your organization’s banking account or sending confidential information) on their personal devices, or play games and watch videos on your nonprofit’s devices.
Similarly, they shouldn’t share USB drives, hard drives or other external hardware between business and personal devices. And they shouldn’t download software or apps from unknown sources on either. Downloading malware on a personal phone used for work communications, for example, could make those communications available to hackers.
“Safe browsing.” Creating a culture of safe browsing is especially imperative now that so much work is done remotely. In addition to warning employees to be cautious about suspicious attachments and links, you might want to require them to use a virtual private network (VPN) when accessing your system. A VPN establishes a secure, encrypted connection, hides the user’s IP address and acts as a filter to protect data from cybercriminals. Remote employees can get into your network and transmit data back and forth safely.
Keep it going
Effective cybersecurity training isn’t a one-off or annual event. With threats constantly evolving, make training a regular part of your staff’s work life. It doesn’t take weekly, hours-long sessions to make a difference. Micro-training with short videos or email reminders can go a long way when you’re trying to keep cybersecurity front of mind for employees.
Training beyond lectures
While the substantive content of your employee cybersecurity training is critical, don’t overlook the importance of the format. One-sided lectures and slide shows are unlikely to engage or stick with the audience.
If you want your staff to walk away ready to put your lessons into action, make the training interactive. It’s one thing to administer a quiz at the end of training. It’s another — and a more effective approach — to create simulations during or after training that allow trainees to put what they’ve learned to the test.
Some organizations deploy simulations in the midst of a workday to check how employees respond. These real-time assessments can provide much better insight into whether employees retain actionable knowledge than a paper quiz can. However, quizzes can have their place. They may help you immediately determine who needs additional training.