October is Cybersecurity Awareness Month! All month long, we’ll be exploring cybersecurity-related topics to help you (and your data) stay safe online.

Click to learn more about author Danny Lopez.

In many organizations, training is viewed as one of the most efficient, cost-effective ways to educate employees on cybersecurity. While it’s more affordable than technology procurement, it cannot be the sole method of cyber defense, no matter how small the company is. 

The goal of cybersecurity awareness training is to avoid a wide array of potential downfalls such as guarding against email scams, malware, poor Data Management practices, and bad password practices. Unfortunately, according to a recent Stanford University and Tessian study, human error is still one of the leading causes of data breaches, with 88% occurring as a result of employee mistakes. 

It is true that training helps arm users against cybercriminals’ tactics by keeping them aware of possible risks and best practices. However, the problem is that many of these training efforts are little more than an exercise in box-ticking or going through the motions. Employers will often provide training that focuses on covering the basics with employees and assume their staff will remember what they need to do when troubleshooting in real time. 

Employees Should Not Be at the Front Lines Against Adversaries 

Cyberattacks are continually growing in sophistication, and social engineering tactics are more advanced than ever before. It begs the question as to why companies willingly choose to put their employees in the front line of their data security strategy. For busy people under pressure to perform, momentary lapses in concentration are inevitable, and no amount of training will close off every avenue of attack. 

In fact, there’s been one glaring gap in light of the rapid increase in remote and hybrid work environments. According to a 2020 study, 44% of organizations did not provide cybersecurity training based on potential threats for remote workers. 

In addition, there are some circumstances where an “enforcement” style of cybersecurity training could do more harm than good. While discussing the importance of staying alert, organizations can sometimes establish a culture of fear around being responsible for cybersecurity errors. Although leaders may want to set clear expectations with their teams, they must also acknowledge that everyone can make mistakes. After all, according to the Stanford and Tessian study mentioned above, 43% of employees are “very” or “pretty” certain they have made a mistake at work with security repercussions. Disseminating the message with the wrong tone can shift employees’ focus away from their primary responsibilities and foster a feeling that it’s perhaps safer to say nothing than to share details of a potential breach. 

In contrast, employers should be welcoming toward employees who are aware of and raise the alarm if a breach may have occurred without fear of punishment. Organizations must understand employees should always feel encouraged to share concerns when something doesn’t feel right. In addition to cybersecurity training, there are technologies that are beneficial for organizations to take the pressure off employees such as content disarm and reconstruction (CDR), which can help prevent file-based threats. It works to return files to a “known good” standard to ensure the documents are safe. 

In addition, it is vital for organizations to control privileged access and monitor passwords closely. There should be robust processes in place for onboarding and offboarding those who have access to sensitive information. Two-step authentication on all passwords is one step that can easily be taken to improve safety measures. 

Even if all policies are safely executed, it is critical for organizations to invest in their cyber protection services to stay vigilant. There should be a zero-trust network approach by default because there is always the risk of a data breach. Insider threats make up 60% of cyber attacks in today’s world. 

In order to achieve an effective, cybersecurity-first strategy, businesses need to incorporate the necessary training and technologies to create an effective defense. In the face of growing risks and stronger attacks, a change of approach is essential to drive transformational results.