Security During Employment
During their time working for the company, every employee needs ongoing security training and education. HR usually arranges such sessions, so when the cybersecurity manager needs to deliver a security awareness programme, the first stop should be HR.
HR will typically help the cybersecurity manager set up a short training course, delivered either as a lecture or as an e-learning module. The format matters less than the record-keeping: attendance must be tracked at the time of delivery. Many cybersecurity managers land in a hard spot when auditors ask for attendance logs as proof that awareness training was actually provided, and such logs cannot be reconstructed after the fact. The programme should answer some basic questions up front. Is every person in the company actually participating? How often does the training happen? An annual programme is the accepted baseline, but certain roles or regulatory regimes may require more frequent sessions.
Another important question is who gets which training. Companies usually assume that everyone should know the basics, especially anyone with access to confidential company information, but different specialists have different needs. IT staff, who hold privileged access, should know more about cybersecurity than the average employee. What about supervisors? Their additional responsibilities, such as hiring and firing, may mean they need additional security training (for example, on how access is granted, reviewed and revoked).
Cultivating Security Awareness
All of these elements have to be part of a cybersecurity awareness programme or plan, but the overall goal is simple: to improve security awareness within the company. There is no technical fix for human carelessness, but security awareness training can help avert the worst problems.
We’ve spoken with senior cybersecurity managers and asked them how much emphasis they put on technology and how much on awareness and human behaviour. One said he is putting half of his budget into awareness. It sounds like a lot, but think about what happens if you don’t. A single email can be used to steal millions of dollars from a company. If employees aren’t aware of such a risk, no amount of technological protection can save them.
We worked with one person who received such an email. It appeared to be from the CEO and said, “I’m travelling and this is a busy case. Here’s the bill that should be paid to a service provider in the Far East. It’s nighttime out there. Please just put the payment in and then we can handle the proper paperwork later.” The bill looked legitimate. The email looked legitimate. The only things that were not correct were the account number and the bank. That company lost $17 million because of that email. Security awareness and training are the only things that help in such cases.
Even drastic technological measures to prevent cyberattacks can fail. In 2016, the Singapore government introduced a regulation requiring public-sector bodies to cut internet access from the work computers used for internal systems; staff had to use separate machines for web browsing, with the internal network physically separated from the internet. It sounds like this change should help, but people can be fooled into bridging that “air gap”, for instance by carrying files across on removable media or by acting on instructions received through a separate channel. Once that happens, the technical measure no longer protects anything. The money stolen in the example above would still be gone. In 2018, the health records of 1.5 million people were stolen from SingHealth, a major healthcare provider in Singapore. A single click on the wrong email can still cost your organisation millions.
Attackers pay close attention to human behaviour; they will try to fool somebody within the company into unknowingly assisting with the fraud or hack they are carrying out. If all staff remain alert to these attempts, many of them can be stopped. In 2016, attackers tried to move nearly a billion dollars out of Bangladesh Bank, the country’s central bank, in one of the largest attempted cyber heists in history. In the end, they got away with about $81 million rather than the full amount, largely because an employee at a bank handling the transfers noticed a typo in one payment instruction and queried it, which halted the remaining transactions.
These examples illustrate the need for security awareness training. Human carelessness is hard to regulate. But training employees at least once a year, and keeping verifiable records of that training, can prevent needless disasters like those described above.