When it comes to issues of cybersecurity, data privacy, and compliance, change is one of the few constants.
Ready or not, today’s organizations are up against evolving regulatory mandates, malware and phishing attacks, and the increasingly complex demands of maintaining security in the face of a remote workforce and the adoption of new technologies. Training employees to serve as a front line of defense has never been more important, and like their metaphorical counterparts, these human firewalls can’t stop at protecting the inbox.
While much of the emphasis on corporate cybersecurity awareness training falls on phishing, there are seven other spheres of risk that should factor into your security strategy:
- incident reporting
- physical security
- malware identification
- cloud computing
- remote working
- identifying personal information
- acceptable use of social media
Each of these risk areas represents a doorway to your business that cybercriminals can walk through. Take a peek at Verizon Enterprise’s 2018 Data Breach Investigations Report, and you’ll notice that many breaches were traced to everything from malware attacks to employee mistakes, such as failing to shred confidential information.
Time for a Risk-Based Approach
The first step toward strong security is understanding risk. But risk looks different to employees in different roles. A database administrator, for example, deals with entirely different types of security risk than a hospital nurse entering patient information into a computer. With a risk-based approach, you can focus on the behaviors you are trying to alter, avoid, and achieve for particular roles within your organization.
Just as the threats to your organization span more than one risk area, your security awareness training should too. While security, privacy, and compliance training were traditionally considered separate domains, there is a growing awareness that they are connected to one another. Employees don’t just need to be able to identify phishing emails; they need a holistic understanding of the privacy standards governing the data they access. Their mindset about how they secure their corporate device must stretch from locking their computer screen when they get up from their desk to making sure they are not connecting to an unsecured Wi-Fi network at a coffee shop without a VPN.
Today’s businesses need a true culture of security: a way of thinking about security and privacy that follows employees from their corporate inbox to their social media accounts. Instilling that culture effectively and efficiently requires a unified approach to training that cuts across all eight risk areas mentioned above. That means finding an employee training vendor with a wide range of content that covers not only phishing, but also privacy, compliance, and both physical and cybersecurity. Such a vendor must also be able to explain how their content aligns with standards such as ISO 27001, GDPR, and HIPAA.
One Vendor, Multiple Needs
Right now, fragmented approaches to training are the order of the day, with many organizations engaging multiple vendors to meet their needs. As organizations mature, new initiatives get started, while others evolve. Are you going to outsource each thing needed to combat new cyberthreats? Will outside counsel be contracted for each new data privacy regulation, from the EU to California to those of your own city? Continually adding new vendors to the picture will eventually cause more problems than it solves (and cost you more time and budget).
There are simply too many moving parts and too many new needs in the ever-evolving cybersecurity and data privacy landscapes to keep up through outsourcing. By the time you finish onboarding one new vendor, you’ll be starting with another. Frankly, your expertise is needed elsewhere in your organization.
Instead of a handful of smaller, individual task-oriented vendors, your employee training program will benefit from finding experts in the field who can address multiple issues without the continual headache of onboarding a new vendor each time a new need appears. It’s all about growth: a dedicated partner can help you grow rather than merely support you during growing pains. To put it simply, it’s about sharing the load rather than just spreading it around.
Make 2019 a Year of Progress
In 2019, it is time for a security approach that focuses on understanding risk and using it to guide decisions about the type of training your employees need.
Fragmented approaches to security awareness lead to mixed results. Use the new year as an opportunity to consolidate vendors and stop dealing with issues ranging from invoices submitted on different cadences to unanticipated hiccups. Make the transition to a vendor-partner who can stimulate and support your organization’s growth throughout the year.
Through this dedicated relationship with a vendor who truly gets to know you, you’ll see progress like you haven’t experienced before.