In our latest newsletter, Continuous CEO Jason Silverglate and CTO Ross Brouse wrote a little about the importance of training employees on information security best practices. (You’re already subscribed, right?) In addition to outlining some of the risks that come with inattentive or outright malicious employees, they also offered a few tips for onboarding new staff and retraining current team members.
Since then, we’ve had a few people request a more detailed guide to teaching cyber-security, so we’re going to do our best to hold your hand through the process.
Pencils out, class.
Employee orientation may be a more or less rigidly structured process depending on how you like to run things at your office, but it generally involves a fair amount of HR paperwork, a tour of the facilities, introductions to colleagues and whatever degree of training or mentorship is required to get new hires ready to work in their position independently.
But virtual orientation is just as important as physical orientation. You should be making sure new employees are given walkthroughs of:
- The company server – Where are key documents and resources housed? Who has access? If there is a filing system in place, how is it organized and what can safely be altered?
- Security policies – It’s nearly the third decade of the 21st Century. You should have a robust and modern IT security policy. It must be simple enough that even less technologically-adept team members can keep its basics in mind, yet comprehensive enough to cover eventualities. It’s also useless if your employees never really learn it in the first place. If you’re just handing new hires a sheaf of worksheets and expecting them to absorb it, you may be in for a rude awakening.
- Passwords – Asking clients about password security is the “Are you sure it’s plugged in?” for IT support specialists. We have to do it any time a problem arises, and it turns out to have been the root of the problem more often than you’d think. Passwords must be changed on a regular basis (quarterly, monthly or even weekly, depending on the sensitivity of the data you’re protecting). They must be difficult to crack, with a combination of numbers, letters and other characters. And they must be unique—if your employee’s “home123”-style email password is compromised, there’s a fair possibility a hacker will also try it out on their work account.
- Phishing – Phishing is when a malicious actor (or software they built for the purpose) impersonates someone you trust in order to compromise your personal information. We talked about some of the specific ways phishing can threaten your business in this post, but even over the past year, the number of threat vectors has continued to diversify. Train employees how to recognize phony emails, IMs, texts and phone calls. This includes keeping an eye on the behavior of colleagues! When an employee’s account is compromised by ransomware, it will behave erratically, and an unusual message or request from a familiar name is worth a second look. As new hires become more familiar with their fellows, remind them to use that familiarity to spot threats. A lot of successful phishing schemes aren’t even particularly sophisticated once your employees are accustomed to thinking more critically.
There are plenty of other basics to make sure your employees know, like avoiding sending confidential information via unsecured connections, and keeping tight-lipped on social media—a good cyber-security training curriculum will go into far more detail than we can here, but you probably have an idea at this point of where you need to go with your onboarding.
The other important factor is to make sure employees are aware that there are consequences for failing to follow company security policy and to enforce those consequences.
Obviously, you’re not going to be putting employees in a stockade for leaving their workstation logged in at night. But you should at least be treating breaches with the same amount of concern you would if, say, one of your keyholders consistently left the office front door propped open when they went home.
An unlocked account in the wrong hands can be more dangerous than any unlocked door.
Training & Re-Training
For all of the grouchiness a lot of business owners espouse about millennials, they’re actually a breath of fresh air from an IT security perspective.
Those who have grown up with the internet have a degree of online literacy their older colleagues often never attain, and they’ve been fending off scams and phishing schemes since primary school. But what about Greg in marketing, who’s never heard of Instagram?
All of what we said about onboarding applies equally, if not more so, to your existing staff. (This goes double if they didn’t receive good cyber-security training in the first place.)
For one thing, the online best practices they were taught may no longer apply to modern conditions, and memory has a habit of fading if it’s not frequently refreshed.
Staff need to be updated on the latest threats and new challenges on a regular basis and empowered to understand that they have a personal stake in protecting the company’s information security.
- Schedule annual refresher courses
- Make existing staff part of the cyber-security orientation for new employees
- Run information breach “drills” to help senior employees understand their responsibilities in the event of a disaster
And how about considering a “live fire exercise”? An article in Tech Republic caught our attention because it appeared to be a great way to keep employees on their toes after training has taken place.
Here's a clip from the article:
The best training today is "live fire" training, in which the users undergo a simulated attack specific to their job, Schwartz said.
"Maybe they become a victim to an attack that's actually orchestrated by a security department or an outside vendor, and then they're asked to understand the lessons they've learned from that attack, and the implications on the business, on their personal lives and how they could have prevented it," Schwartz said. "And then they're asked to share that experience with their peer group."
ISC(2) performs regular phishing tests, in which the IT team sends out a fake phishing email to all employees across the organization and gauges how many people click on it, Simpson said. Then, they can break that data down by departments and types of messages, to tailor training to problem areas. It also allows the company to show progression.
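To show what the measurement side of a phishing test looks like in practice, here is an added example (not from the quoted article, and not ISC(2)’s tooling) that scores a set of constructed simulation results by department, by message type and across campaigns, and flags the departments whose click rate calls for extra training. The campaign labels, departments, template names and threshold are all assumptions.

```python
# Added example: scoring a simulated phishing campaign the way the quoted
# passage describes. All results below are constructed for illustration.
from collections import defaultdict

# Constructed results, one row per email sent:
# (campaign, department, message template, clicked?, reported to IT?)
RESULTS = [
    ("2019-Q1", "marketing", "invoice",        True,  False),
    ("2019-Q1", "marketing", "password-reset", True,  False),
    ("2019-Q1", "marketing", "invoice",        False, True),
    ("2019-Q1", "finance",   "invoice",        True,  False),
    ("2019-Q1", "finance",   "password-reset", False, True),
    ("2019-Q2", "marketing", "invoice",        False, True),
    ("2019-Q2", "marketing", "password-reset", True,  False),
    ("2019-Q2", "marketing", "invoice",        False, False),
    ("2019-Q2", "finance",   "invoice",        False, True),
    ("2019-Q2", "finance",   "password-reset", False, True),
]


def rates(results, column):
    """Group rows by the given column and return {key: (click_rate, report_rate)}."""
    counts = defaultdict(lambda: [0, 0, 0])  # sent, clicked, reported
    for row in results:
        tally = counts[row[column]]
        tally[0] += 1
        tally[1] += int(row[3])
        tally[2] += int(row[4])
    return {key: (round(clicked / sent, 2), round(reported / sent, 2))
            for key, (sent, clicked, reported) in counts.items()}


def by_department(results):
    """Which parts of the organisation are most often fooled."""
    return rates(results, 1)


def by_template(results):
    """Which kinds of lure work best, so training can target them."""
    return rates(results, 2)


def progression(results):
    """Click and report rates per campaign, in order, to show improvement over time."""
    return sorted(rates(results, 0).items())


def problem_areas(results, threshold=0.3):
    """Departments whose click rate exceeds the threshold (an assumed cut-off)."""
    return sorted(dept for dept, (click, _) in by_department(results).items()
                  if click > threshold)
```

The report rate matters as much as the click rate: a department that clicks less and reports more between campaigns is the progression the article talks about.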
At Continuous Networks, we offer a full suite of cyber-security consulting and support services for companies with small or non-dedicated IT departments. This includes taking on one of the most important HR responsibilities of any office tech guru: teaching.
We can help you develop a bespoke training and education program for your staff, setting easy-to-follow guidelines your staff can use for onboarding, or even having one of our experts drop by the office to conduct training sessions and follow-ups as required.
It’s our job to be at the leading edge of new developments online, and we’re happy to share that knowledge with our clients to make sure your “human firewall” is strong enough to keep the bad guys on the outside looking in.