Research suggests as many as 91% of cyber-attacks arrive via email directed at employees. This statistic suggests that employee training is one of the most effective ways to combat security threats. Unfortunately, many organizations do not have in-house IT staff or other resources to provide that training.
In some cases, employee training may be available through cybersecurity insurance that an organization has already purchased. Organizations that find cybersecurity insurance premiums too high may find that mandatory security awareness training, along with best practices like multi-factor authentication and data and device encryption, can reduce premiums. It might be worthwhile to contact your insurance agent to find out what discounts might be available and to inquire about training. This is an area that changes quickly, so cybersecurity policies will need to be reviewed more frequently than traditional types of policies.
Other training options include purchasing solutions from companies such as KnowBe4, NINJIO and Barracuda. KnowBe4 provides cybersecurity awareness training and simulated phishing attacks. There are also some free tools and resources available on the KnowBe4 website at www.knowbe4.com. NINJIO provides cybersecurity training and encourages employee competition through quizzes and points awarded. Barracuda provides an array of services including threat prevention as well as incident response solutions and security awareness training.
The Cybersecurity and Infrastructure Security Agency provides free resources, including a ransomware guide with instructions on how to prevent a cyberattack, at CISA MS-ISAC Ransomware Guide. The guide links to a one-page document entitled “Avoiding Social Engineering and Phishing Attacks” that is written in plain English and could be provided to employees. Other resources at this site include a guide on “Using Caution with Email Attachments” and a guide on “Good Security Habits”.
The Cyber Readiness Institute offers a free program and starter guide to help small and medium-size organizations prepare for attacks. The site offers a series of flyers on topics such as “Managing the Relationship with Your Outside Cybersecurity Provider” and videos on security education and awareness at Security Education & Awareness: Preventing Ransomware – Cyber Readiness Institute.
The United States Secret Service publishes several items including a one-page guide to business compromised e-mail accounts and guides on preparing for a cyber incident. Materials include brochures on email compromise that could be provided to employees at the United States Secret Service.
Given the current risk, cybersecurity training is extremely important. Any progress you make in this area will benefit your organization.