Security Awareness and a Well-Trained Employee

By Bill Duenges, Chief Information Officer/Chief Information Security Officer, Aircastle

As parents and homeowners/renters, we teach our kids and learn a few things ourselves while growing up.  Lock the door, put the alarm on, don’t answer the door without asking who it is first, never open the door unless you know exactly who it is, and call 911 if something doesn’t look right.  Isn’t it funny that those same lessons easily transfer to our companies regarding cybersecurity?  Our locks have become firewalls, cloud security brokers, managed detection and response partners, and, more recently, AI.  The door has become phishing emails and malicious links in documents, all with the same goal: to access our treasures, whether our personal belongings or our company’s secrets.  Whether at home or in the office, it comes down to training: training ourselves to lock the door and know the right questions to ask when someone is at the door, and training our employees not to click on that link, not to open that email, and not to believe that person on the phone.

According to Cybersecurity Ventures, spending on employee security awareness training is predicted to reach $10 billion by 2027.  Why is that?  Companies realize that no matter how much you spend on security products and external companies to protect your assets, all it takes is one employee to click on the wrong link, believe the person on the other side of the phone, or access a malicious website, and all that money spent may mean nothing.

As important as security awareness training is for large companies, small to medium-sized companies should spend a little more and focus more on training.  According to Cisco, ninety-three percent of Fortune 500 companies spend over $250,000 on security; for many SMBs, that is more than their entire IT budget.  SMBs cannot spend that much money on the latest security products, but they can spend money on training to get more out of the products they do have.  Security awareness training is not the golden goose and not the only answer to all the security issues in companies.  Still, when it works as part of a larger security plan, a company has a fighting chance to defend itself.

So how do you get employees to invest the time in training and take it seriously enough to learn and protect the company?  Over the years of running security training, I have found that teaching employees how to protect themselves and their families at home is very important and easily transferable to the office.  A phishing email received at home is no different from an email received in the office.  The endgame with both emails is the same: possible malicious content loaded on your machine and/or financial loss.  When employees learn to protect themselves, they are more empowered to protect the organization.

Employees need to know how important they are in the security chain.  This is true not just for Fortune 500 companies but for small and medium-sized businesses as well.  Many organizations do not have the resources for a full-time cybersecurity staff, so they outsource to Managed Detection and Response companies.  This is very smart, but an MDR is most effective once it has learned about the organization and its users’ habits.  This takes time.  A trained workforce that knows what to look for when a phishing email comes in, or when something does not seem right, is very valuable in the meantime.  Training those employees to speak up when they see something only enhances whatever security protocols and services an organization has.  An employee who notifies the proper person in IT when they are unable to access a file they accessed the day before could head off a possible ransomware event.  Employees who know what to look for, know the proper protocol for reporting, and know what to do with their computer if there is an issue only expand your protection.

“Breach” is not a four-letter word, and though senior management and the board of directors of any organization never want to hear that word, it is essential that employees not be afraid to report.  People in our industry read horror stories every day about ransomware and data breaches, as do most employees.  There is a negative connotation around the word.  Employees who may have clicked on a link or downloaded something they should not have may have second thoughts about reporting it because they do not want to get in trouble.  It is human nature to avoid looking guilty or admitting they did something wrong.  Yet speaking openly to the organization about breaches, and not making “breach” a four-letter word, is key to having employees willing to report what they see or did.

A good security awareness program is not just based on what you should not do but also on what you should do.  Incident response plans should be explained to everyone, not just those on the IT team.  A communication plan should be developed with clear, well-defined notification trees that employees should use for any cybersecurity event.  Like most organizations, we run phishing tests and penetration tests throughout the year.  I get very excited when someone tells me they noticed something, or that they did not click on the link but wanted to warn me so that I could warn the organization about the email.  These employees get it, and they help make my security program stronger.

No security program is perfect, but it can be substantially better with the proper security protocols, hardware, software, and security awareness program.  Instead of having a five-person security team or an offsite security team, you can have “insert the number of employees you have” helping to watch the front door.  We learned about the dangers around the house and who to call; it’s the same at work.  There is nothing better than a well-educated employee; sometimes, it can even help you sleep better at night.  Nah, that can never happen.  Well, maybe one day.