How Cybersecurity Training Lowers Risk Among Employees

Forbes Technology Council

John Bruggeman, CISSP, is a consulting CISO for CBTS and OnX, both of which are MSPs and MSSPs.

October is Cybersecurity Awareness Month, and two areas that I feel don’t get enough attention are awareness and training. In my experience over the past 25 years, I have found that employees want to do the right thing. They typically want to keep their job, they want to do well at their job and they want to get a raise or a bonus whenever possible.

Employees don’t want to cause a cybersecurity incident.

They know, or at least suspect, that the IT gurus in the office can figure out who clicked on a link that infected their computer, the network or the server. Employees want to know what to do to prevent that from happening. They also want to know what not to do, though I tend to favor positive messages rather than negative ones.

A recent article from cybersecurity training company USecure, citing information from the Ponemon Institute, reports that cybersecurity risk can be reduced from 60% to as low as 10% with a good training program.

I think most people understand that cybersecurity threats are prevalent and evolving. We have email-based phishing attacks, smishing attacks (SMS-based) and vishing attacks (voice-based). With a glut of LLM-powered chatbots, the phishing emails and texts are now very well written, and with AI-powered deepfake tools the voice attacks can sound like the person being impersonated. The question then is, what do you do as the CIO or CEO?

First, you need to have buy-in at the top. You should tell your board quarterly how your employees are learning to spot and report cybersecurity threats. Everyone at the C-level should understand and agree that cybersecurity risk is not just an IT problem. As Kevin Lynch said in his article in June, "Cyber risk is business risk."

Second, you need to understand the threat landscape for your company. Namely, what is your risk? In a previous article, I explained why you need to know where your crown jewels are so that you can answer legal questions correctly after a cybersecurity event.

Third, you need to get a sense of your employees’ risk. Do they click on phishing emails now? If so, what percentage of your employees click on a malicious link? Is it 5%, 10%, 30%? Have you had a business email compromise attack and wired money to the wrong bank? Do you have an insider threat problem?

Fourth, you need to view your employees as your first line of defense. I know you are likely already thinking about defense in depth; you have layers of defense in place now to protect your critical data. With this step, you are flipping the script and changing the culture of your environment so that employees are seen as part of the solution and not part of the problem. The attacker is the problem, the criminal gangs are the problem and APT groups are the problem. You need to engage your employees as part of your defense.

As the fifth and final step, invest in a good cybersecurity training program. Find out how much you are investing now in cybersecurity training and see if you need to increase that budget line. You should promote a positive cybersecurity culture that rewards your team members who spot and report phishing emails. Call out and thank the staff who see the BEC email and report it to the CISO or CFO.

All of your employees should know how to handle documents containing sensitive information, such as PII, HIPAA-covered health data or CUI. You want them to be confident and comfortable reporting processes or procedures that don’t protect that information.

Your cybersecurity training program should adapt to the evolving threats to your environment. It should have continuous learning built in and adapt to your staff as they learn more and progress. Your staff should be able to see the progress they have made, so they know they are improving.

As Cybersecurity Awareness Month winds down, take the time to evaluate how much you have invested in your employees’ cybersecurity training. Are you investing enough?

Make sure the board and C-suite are engaged and have prioritized ongoing training and awareness. The board might even want to take the training with your employees. Let them see how good your training program is. Keep the board informed and let them know how you are reducing risk and engaging front-line staff as another layer of defense in your cybersecurity program.
