Cyber-Security Best Practices: Employee Training Techniques That Stick

By Philip Robinson | 08.09.2018 | IT Security

At Lepide, we are always pushing the idea that employee training is the best way to raise awareness of cyber-security issues and reduce the risk of your organization being hit by an attack. But, as many department heads and managers know, this is far easier said than done, especially when it comes to IT security.

Simply telling your employees that they need to change their passwords regularly, not share passwords and not click on phishing links (as obvious as that might be to us) is not going to get the job done. Employees need to understand the “why” behind the security policies in place and the potential consequences of ignoring them.

How Do You Know if Your Employees Need Training?

You can only really find out whether your employees need IT security awareness training by running staged tests and measuring the response. One test you could run, for example, is to send out a fake phishing email containing a tracking URL and see how many of your employees click the link. Give each recipient their own unique link, otherwise you will know how many clicks there were but not who needs the follow-up. If even one person clicks, you should hold training on screening email before acting on it; a single click is all that ransomware or a credential-harvesting page needs.
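The measurement side of that test, as an added example that is not part of the original post: each recipient gets a link carrying an HMAC-derived token, and the web server's access log is then read back to work out who clicked. The tracking host, the campaign secret, the recipient list, the log lines and the "LinkScanner/1.0" user agent are all constructed for the example. The User-Agent heuristic for separating gateway prefetches from human clicks is also an assumption; tune it to what your own mail filtering actually does.

```python
import hashlib
import hmac
import re

# Assumptions for this example: a hypothetical tracking host and a campaign
# secret. Generate a fresh secret per campaign and keep it off the mail template.
BASE_URL = "https://training.example.com/t/"
CAMPAIGN_SECRET = b"rotate-me-per-campaign"

# Constructed recipient list for the example run.
RECIPIENTS = ["alice@example.com", "bob@example.com",
              "carol@example.com", "dave@example.com"]


def make_token(secret: bytes, recipient: str) -> str:
    """Per-recipient token: an HMAC, so the address is not recoverable from the
    URL and a recipient cannot forge a token that attributes a click to someone else."""
    mac = hmac.new(secret, recipient.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_campaign(secret: bytes, recipients):
    """Return ({token: recipient}, {recipient: tracking_url})."""
    tokens = {make_token(secret, r): r for r in recipients}
    links = {r: BASE_URL + t for t, r in tokens.items()}
    return tokens, links


# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze_clicks(log_lines, tokens):
    """Attribute hits on tracking URLs to recipients.

    Two things a raw hit count hides: the same person clicking twice, and
    fetches by mail gateways or link scanners that never involved a human.
    The heuristic for the latter is an assumption for this example: a browser
    click carries a Mozilla-style User-Agent, gateway prefetches usually do not.
    """
    clickers = set()
    scanner_hits = 0
    unknown_tokens = 0
    for line in log_lines:
        rec = parse_log_line(line)
        if not rec or not rec["path"].startswith("/t/"):
            continue
        token = rec["path"][len("/t/"):].split("?")[0]
        recipient = tokens.get(token)
        if recipient is None:
            unknown_tokens += 1          # guessed or mangled token, not a click
            continue
        if not rec["ua"].startswith("Mozilla/"):
            scanner_hits += 1
            continue
        clickers.add(recipient)
    rate = len(clickers) / len(tokens) if tokens else 0.0
    return {"clickers": sorted(clickers), "click_rate": rate,
            "scanner_hits": scanner_hits, "unknown_tokens": unknown_tokens}


def demo():
    """Run the analysis over a constructed access log (not real traffic)."""
    tokens, _links = build_campaign(CAMPAIGN_SECRET, RECIPIENTS)
    t = {r: make_token(CAMPAIGN_SECRET, r) for r in RECIPIENTS}
    browser = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    log = [
        # alice clicks twice: counted once
        f'10.0.0.5 - - [08/Sep/2018:10:12:33 +0000] "GET /t/{t["alice@example.com"]} HTTP/1.1" 200 512 "-" "{browser}"',
        f'10.0.0.5 - - [08/Sep/2018:10:12:40 +0000] "GET /t/{t["alice@example.com"]} HTTP/1.1" 200 512 "-" "{browser}"',
        # bob's link fetched by a (hypothetical) gateway scanner, not by bob
        f'203.0.113.9 - - [08/Sep/2018:10:13:02 +0000] "GET /t/{t["bob@example.com"]} HTTP/1.1" 200 512 "-" "LinkScanner/1.0"',
        # carol clicks, with a query string appended by the mail client
        f'10.0.0.7 - - [08/Sep/2018:10:15:19 +0000] "GET /t/{t["carol@example.com"]}?src=mail HTTP/1.1" 200 512 "-" "{browser}"',
        # a token that was never issued
        f'10.0.0.9 - - [08/Sep/2018:10:16:01 +0000] "GET /t/0000000000000000 HTTP/1.1" 404 153 "-" "{browser}"',
        '10.0.0.9 - - [08/Sep/2018:10:16:05 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    ]
    return analyze_clicks(log, tokens)


if __name__ == "__main__":
    result = demo()
    print(f"{len(result['clickers'])}/{len(RECIPIENTS)} recipients clicked "
          f"({result['click_rate']:.0%}); scanner hits ignored: {result['scanner_hits']}")
```

The list in `clickers` is the follow-up list for training, and the click rate is the number worth tracking from one campaign to the next; keep the token-to-recipient map and the secret out of the mail itself.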

You could also run a more involved test if you have the means to measure it. One version is to create a dedicated decoy account (never use your own real password for this), leave a note with its username and password lying around on a desk, and watch the logon events for that account to see whether anyone tries it. Nobody has a legitimate reason to log on as the decoy, so any attempt is significant, and the source workstation recorded in the event tells you who to talk to. A test like this helps you establish whether anyone in the office would use credentials that are not theirs.
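What the monitoring for a decoy account looks like, as an added example that is not part of the original post: the records below stand in for the fields of Windows Security events 4624 (logon succeeded) and 4625 (logon failed) after the event XML has been parsed, and the detector flags every attempt against the decoy. The account name, the workstation names, the addresses and the timestamps are constructed for the example.

```python
# Hypothetical decoy account name (assumption for the example). The account
# should exist, have no group memberships or access beyond logging on, and
# never be used by anyone for real work.
DECOY_ACCOUNT = "svc-backup-old"

# Windows logon type codes carried in 4624/4625 events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed records standing in for parsed Security events. Not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2018-09-08T09:02:11", "TargetUserName": "jsmith",
     "LogonType": 2, "IpAddress": "-", "WorkstationName": "WS-114"},
    # first try at the decoy fails (password mistyped from the note)
    {"EventID": 4625, "TimeCreated": "2018-09-08T12:41:03", "TargetUserName": "SVC-BACKUP-OLD",
     "LogonType": 10, "IpAddress": "10.20.4.17", "WorkstationName": "WS-203"},
    # second try succeeds over RDP, then the account is used to reach a share
    {"EventID": 4624, "TimeCreated": "2018-09-08T12:41:27", "TargetUserName": "svc-backup-old",
     "LogonType": 10, "IpAddress": "10.20.4.17", "WorkstationName": "WS-203"},
    {"EventID": 4624, "TimeCreated": "2018-09-08T12:43:50", "TargetUserName": "svc-backup-old",
     "LogonType": 3, "IpAddress": "10.20.4.17", "WorkstationName": "WS-203"},
    {"EventID": 4624, "TimeCreated": "2018-09-08T13:05:44", "TargetUserName": "jdoe",
     "LogonType": 3, "IpAddress": "10.20.4.31", "WorkstationName": "WS-118"},
]


def decoy_logon_alerts(events, decoy=DECOY_ACCOUNT):
    """Every logon attempt against the decoy account is an alert: nobody has a
    legitimate reason to use it, so there is no baseline to tune against.
    Failed attempts are kept too; a mistyped password still shows intent."""
    alerts = []
    for e in events:
        if e["EventID"] not in (4624, 4625):
            continue
        # Account names in the event are not case-normalised; compare case-insensitively.
        if e["TargetUserName"].lower() != decoy.lower():
            continue
        alerts.append({
            "time": e["TimeCreated"],
            "outcome": "SUCCESS" if e["EventID"] == 4624 else "FAILURE",
            "logon_type": LOGON_TYPES.get(e["LogonType"], f"Other({e['LogonType']})"),
            "source": f'{e["WorkstationName"]} ({e["IpAddress"]})',
        })
    return alerts


def sources_to_follow_up(alerts):
    """Collapse alerts to the machines they came from: that is what you need to
    find out who was at the desk, with the counts for the training conversation."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["source"], {"successes": 0, "failures": 0})
        s["successes" if a["outcome"] == "SUCCESS" else "failures"] += 1
    return summary


if __name__ == "__main__":
    found = decoy_logon_alerts(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["time"]} {a["outcome"]:7} {a["logon_type"]:17} from {a["source"]}')
    print(sources_to_follow_up(found))
```

In a live deployment the records come from the domain controllers' Security logs (or whatever forwards them); the logic does not change, and a single alert is enough to act on.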

Another example of an IT security awareness test is to leave unmarked USB sticks around the office and see whether anyone plugs them into their devices. Staff may well be doing this in good faith to work out who owns the stick, but it is still bad IT security practice: an unknown USB device can carry malware, and the right response is to hand it to IT rather than plug it in.

Be a Leader in IT Security

Quite a lot of the time, bad IT security practices spread through an organization from the top down. If the CEO leaves their passwords lying about, leaves their computer unlocked when they leave the room, or leaves their personal devices around the office overnight, this kind of behaviour is going to trickle down through the ranks. Lead by example when it comes to IT security and be a model employee.

The Other Benefit of IT Security Awareness Tests

Staging IT security awareness tests serves another purpose besides showing you where your areas of vulnerability are. It also reminds employees that their actions have consequences. An employee who fails a realistic test is far more likely to remember that failure and take more care next time. Simply explaining data breach scenarios to employees is nowhere near as effective as demonstrating them.

Make Sure Employees Have the Security Tools in Place

Your employees won’t use security tools unless they are readily available. I’m not just talking about VPNs, virus scanners and the like (although they are invaluable). Security tools extend to the physical side of data security, such as lockable filing cabinets and drawers and paper shredders. Many organizations already have all of these in place, but the easier you make them to get at and use, the more likely it is that better security behaviour will catch on.

If All Else Fails

If you feel you have done everything you can to educate your employees about cyber-security threats and you still feel uneasy, the next step is to monitor what your employees are actually doing with your sensitive data and critical systems. You can do this with the native auditing tools that already exist in your IT infrastructure, such as the Windows Security event log, but this requires a lot of manual work and can be too time-consuming to derive real value from.

Your best bet is to deploy a third-party user behaviour analysis and change auditing solution, such as LepideAuditor, which will give you the ability to detect, alert and respond to suspicious, unauthorized or unwanted user activity. For more information on how LepideAuditor can help you get better visibility into user behaviour, click here.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.