Why Cybersecurity Education for Employees is so important

by Lawrence H King, Application Analyst, Northwestern Medical Center

An organization is only as strong as the weakest link in its cybersecurity chain. Many businesses spend a large amount of money on software, hardware, and services to help prevent cyber-attacks but forget about end-user training. As attackers look for new ways to get around the technology, they find that engaging the end-user is easier than trying to find holes in the technology. It is important that an organization take measures to get all staff members up to speed on the basics of cybersecurity.

The end-user is usually the weakest link when it comes to cybersecurity, and that is what attackers are counting on. This is why phishing is such a popular technique for spreading ransomware. The attackers are trying to get past the hardware, software, and trained technical staff to your untrained non-technical staff, hoping that they will be gullible enough to take the bait. If your staff is not properly trained to recognize the risks, your organizational data may be in jeopardy.

A good end-user security training program is an inexpensive way to enhance security in your organization, but it must be done properly. The information has to be given in a language and at a technical level that everyone can understand. The courses must give the information to the end-users at a pace and in a time frame that is digestible. If the course is too long and the information is too technical and too dry, the staff members will lose interest. It is also important to try to make the presentation a little bit fun to keep people engaged.

Some organizations forgo end-user security training because they feel that it takes too long, that the end-users will not care about or understand the content, or that their end-users are just not smart enough to digest the information. Each one of these assumptions is false. There are several ways to give the presentations to the end-user. End-users can be encouraged to become part of the cybersecurity strategy if you explain to them why it is important to them and to the organization. If the information is given at the right level and avoids the use of technical jargon, the end-users will understand it. If you are unsure about how to go about putting an end-user security program together, SANS has a web site with information, a PowerPoint slide show, and a webcast to help teach you. You can find this information on their web site.

https://securingthehuman.sans.org/resources/planning

The information can be presented in several ways. It could be a printed or electronic document, a video, or a live slide show presentation with a presenter. At my organization, we chose the third option because we feel that this engages the audience a bit more. With the document or video, the audience does not get to ask questions or participate. It is also easy for them to skip over parts or the whole thing altogether and just say that they read or viewed the information. Some organizations provide a small quiz to combat this, but in the end, the audience still does not get a chance to ask questions or discuss the issues. Each time I have presented this topic we have had a great discussion at the end, and this adds to the learning experience for everyone. It also shows me that people are interested and engaged.

We keep our presentation to about 15 to 20 minutes and try to use everyday language that everyone can understand. It is important to keep the presentation fun and entertaining, but most of all to explain why this information is important to each individual and to the entire organization. The point is to give some ownership to the end-user. Companies need to empower employees, get them to take some pride in the organization, and give them some responsibility to keep it safe.

In this short presentation, I am able to cover a brief overview of the history of cybersecurity threats to show how they have evolved over time. We cover social engineering tricks such as phishing, spear phishing, whaling, baiting, and pretexting. We also cover non-technical social engineering and security issues such as shoulder surfing, tailgating, and phone scams. These are all explained in non-technical terms to allow the end-users to understand these concepts. We explain why password complexity is important and the recently recommended changes in password policies provided by NIST. The staff is also provided with some examples of each to help them recognize the threat. They are also given instructions on what to do if they suspect they are being tricked or if they think they have fallen for a social engineering scam. We show examples of threats that target certain departments. Some of the threats target HR, Accounting, Billing, and other departments with email and web sites designed specifically to fool them. Some of these scams are very well done and may go unnoticed without proper training.

How do we know that this is working? We have been getting great feedback, and we have also seen an increase in reported incidents. People are now reporting what they find, and this helps those of us in Information Technology know what is out there. Instead of just having our IT staff looking for, categorizing, and blocking threats, we are getting the assistance of others outside IT. Having our end-users trained to spot these threats helps us keep our information safe and out of the wrong hands.

About the Author
Lawrence King is an IT professional with 22 years of experience in healthcare environments and as a general IT consultant. He currently works as an Applications Analyst for Northwestern Medical Center in St. Albans, Vermont. He has a BS in Information Technology, an MS in Executive Leadership, an undergraduate certificate in Human Resource Management, and a professional certificate in Cybersecurity: Technology, Application, and Policy.
Lawrence can be reached by email at lhking@nmcinc.org or online at https://www.linkedin.com/in/lawrence-h-larry-king-172b19a/