Employees can be a solid first line of defence against cyber incidents. Rob Rashotte, Vice President, Global Training & Technical Field Enablement at Fortinet, shares tips for creating or enhancing company-wide cybersecurity awareness programmes.
As we look at cybersecurity today, it’s not surprising that 87% of enterprises experienced at least one breach last year attributed to the cyber skills gap. Today’s cybersecurity professionals face a variety of ongoing challenges, from a sophisticated threat landscape to ever-changing compliance regulations to the ongoing skills shortage.
Meanwhile, cybercriminals are simultaneously advancing their efforts. Business leaders worry that these emerging attack tactics – particularly those involving AI – will be harder to spot and block than ‘traditional’ cyberattacks.
When it comes to cyber incidents, the stakes are increasingly high. Breaches consume time and money, and corporate leaders are increasingly held accountable when incidents occur. According to the Fortinet 2024 Cybersecurity Skills Gap Report, 51% of respondents said that directors or executives at their organisation faced fines, jail time, loss of position, or loss of employment after a successful attack.
Cybersecurity is also coming under greater scrutiny at the board level, with 72% of respondents indicating their board members were more focused on cybersecurity than they were the prior year. With security teams navigating more internal and external pressures, it’s clear that organisations need an ‘all hands on deck’ approach to risk management.
As we kick off Cybersecurity Awareness Month, this month especially serves as a reminder to organisations that cybersecurity is everyone’s job – not just the security team’s – and your employees play a part in safeguarding your organisation.
Everyone has a role to play in protecting the organisation
A skilled team of professionals and the right security technologies are vital aspects of protecting any enterprise. Yet one of the best defences against malicious actors is your employees. When equipped with the proper knowledge, employees can serve as a solid first line of defence against cybercrime. Considering that 81% of organisations faced attacks last year such as malware, phishing and password attacks that directly targeted users, helping employees become more cyber-aware is crucial.
Cybersecurity awareness training should be part of every enterprise’s risk management strategy. The good news is that organisational leadership is increasingly prioritising cybersecurity education. According to the Fortinet 2024 Security Awareness and Training Global Report, 96% of executives believe that more training and awareness would help reduce cyberattacks. Of those executives whose organisations already have a security training and awareness programme, 89% reported improvements to their organisation’s security posture after implementing these initiatives.
What should cybersecurity training include?
Whether you’re developing a cybersecurity awareness training programme for the first time or reimagining an existing initiative, defining the effort’s goals is a great place to begin.
Next, decide on the training format and delivery schedule. Socialise these ideas with colleagues on other teams and ask for their feedback. This is a great way to refine your plan and identify individuals from different departments who can champion the effort throughout the organisation.
Every cybersecurity awareness training programme should be unique and include content tailored to the business needs. Yet there are core pieces of cybersecurity knowledge that every individual should possess regardless of their industry or organisation. Essential topics to cover in training include:
- Passwords: Using strong passwords is vital for protecting personal and financial information from cybercriminals. Training should cover tips on how to create passwords that are difficult to crack, as well as how and why to use a password manager.
- Multi-Factor Authentication (MFA): MFA offers individuals another layer of protection against cybercrime. If your security team has already deployed MFA, employees should understand why it’s effective and how to use it.
- Social engineering attacks, including phishing: Phishing is the top tactic bad actors use to infiltrate corporate networks and launch attacks involving ransomware and malware. All employees should understand how to recognise social engineering attempts and the steps to take if they think they’re a target.
- Software updates: One of the easiest ways to reduce the risk of falling victim to cybercrime is to keep software and applications updated. Employees should know why it’s important to patch quickly and the organisation’s policy on software updates.
Cyber training and awareness initiatives benefit everyone
Security training and awareness initiatives play a critical role in combating cybercrime. Related efforts help IT, security, and compliance leaders create a more cyber-aware culture in which employees are more likely to recognise attacks and avoid falling for them.
Some organisations opt to develop security awareness training in-house. But for those who don’t have the resources to do so, high-quality SaaS-based offerings are available that deliver a comprehensive and timely curriculum, such as Fortinet’s Security Awareness and Training service. Fortinet’s offering includes a dashboard featuring campaign and user activity with out-of-the-box reporting, an intuitive administrative interface and the ability to customise or co-brand the service.
As the threat landscape intensifies, there’s no better time to create or reevaluate your cybersecurity awareness and training programme. Involving the entire organisation in cybersecurity efforts benefits everyone.