The better an employee understands cyber security risks, the more they can contribute to reducing those risks and the associated costs of a breach.
The average cost of a cyber security breach can range between N$1-million for small businesses to around N$40-million for large enterprises. This is according to Charl Ueckermann, CEO at AVeS Cyber Security, who says it is easier to hack a human than a network.
"Make your people hack-proof by training them to be cyber security risk aware. Sound employee knowledge can be your network's best proactive defence mechanism," he said.
He pointed out that training can't be purely theoretical. It should be accessible and practical so that it translates into behavioural change.
"When we talk about behaviour change, it boils down to creating awareness of cyber threats, encouraging the continued, prudent use of applications and internet resources, and empowering employees with the tools to know what to do if they notice something is wrong," he said.
Organisations can best achieve behavioural change that sees every employee participating in the cyber security strategy through continuous micro-learning that ensures retention of knowledge.
Ueckermann explained that training programmes should offer companies a mechanism for providing bite-sized cyber security awareness tools to employees in an accessible way. This encourages their receptiveness to the information, an understanding of the information and prompts a "want" as well as an ability to put that knowledge to use.
These bite-sized chunks of information should be adapted to the employee's risk profile. A Personal Assistant to an Executive, for instance, would be deemed to have a high-risk profile because they have access to a lot of confidential and personal information. The speed of the curriculum can also be customised so that people can train at a comfortable pace and are not overwhelmed by too much information (TMI) too soon and too fast.
"IT security awareness initiatives should make a splash and then follow with engaging pieces of information in intervals to keep people interested and keen to adopt what they've learned. What you want is a team that not only supports your IT security strategy but is also empowered to identify faults or potential threats and know what to do to fix them. That is when employees become part of the solution instead of being one of the biggest risks to IT security," said Ueckermann.
He describes an IT security awareness programme as having four steps:
1. The launch: when cyber risks are explained in the context of an increasingly connected, digital world. Cyber threats affect everyone, from large corporations to individuals. Employees should move away from just understanding the role they play and move towards understanding they are part of the solution.
2. Train: Implement training, for instance using training platforms, and sign off and communicate security policies on the use of email and internet resources.
3. Motivate: Keep people interested and motivated to support the IT security strategy. Use email banners and the company newsletter to keep them updated. This can be combined with incentives or built into KPIs.
4. Empower: employees are in control when it comes to identifying potential problems and know what to do to remedy them.
He pointed out that a company's Human Resources (HR) department has a vital role to play in implementing an organisation's cyber security strategy and digital transformation journey.
"They know who has joined or left the company. Employees should be on-boarded and off-boarded properly. This includes giving them access to resources that are appropriate to their job specifications and risk profiles. New staff induction programmes should also include IT security awareness education. Using cyber security training platforms, such as Kaspersky Lab's Automated Security Awareness Platform (ASAP), it is possible to look at where the person lies on the cyber awareness continuum, establish their risk profile and then implement interval training appropriate to this. On the flip side, access privileges need to be removed when the person leaves the company."
Ueckermann said that with the right tools, and with continuous learning and awareness among employees, companies can mitigate cyber risks dramatically.
"If everyone is prepared and alert, breaches can be caught early and recovering from an incident will cost half of the average costs of an incident than in an organisation that is not prepared. Education is indeed one of the most powerful weapons against cyber attacks," he added.