Bringing new employees up to speed on company policies and procedures, or employee onboarding, is standard practice. The process covers topics like what’s expected in daily work, proper communication channels and vacation and sick leave policies. In well-prepared companies, it also includes extensive cybersecurity training. Quality employee cybersecurity training, along with ongoing training for existing employees, plays a big role in keeping your company’s data, software and other digital assets safe.
Cybersecurity best practices training for employees is a lot like teaching children about personal hygiene. Knowing you’re expected to brush your teeth, for example, tends to be easier when you understand why it’s so important. For your teeth, it’s about preventing cavities and keeping a healthy mouth. For cybersecurity, it’s about maintaining the health and security of your company data and protecting customer and employee privacy.
While the onboarding process for new employees is part of the HR department’s jobs, it isn’t the only team that should be involved. Your IT team can help guide cybersecurity training, and the HR team can help instill a sense of duty for those best practices in new hires as they move through the onboarding phase.
Getting Employees on Board With Cybersecurity Training
It’s much easier to get cybersecurity best practices and awareness buy-in when training is part of the onboarding process. Knowing that everyone has a hand in company data security, not just the IT team, is key, too.
Teaching new hires why policies exist is important, as is showing them how to correctly complete procedures. Making sure both ‘why’ and ‘how’ are understood helps increase the likelihood your company policies will be followed.
Develop clearly defined policies and procedures so employees aren’t confused about what’s expected of them. Involve employees in creating rules and processes. Well-trained and aware employees are more likely to notice suspicious emails and other warning signs before your IT team. After all, they’re getting messages and working with company data every day. These are the people who can see when something seems ‘weird’ or ‘wrong’. Their knowledge can be valuable in developing and refining your cybersecurity policies.
When employees are part of the process, they’re more likely to have a sense of ownership and responsibility for your cybersecurity plan.
Approach cybersecurity training in a structured way. Think of it as a cybersecurity checklist for new employees.
Set Employee Cybersecurity Expectations
Empower your employees by clearly stating what their jobs include. Explain who covers software updates, for example. If the IT team manages all updates, employees need to know. They should also know when and how those updates are installed. The penalties for failing to follow the company’s cybersecurity policies need to be clearly detailed, too.
Cybersecurity Awareness Training for New Employees
We teach children to pay attention to what they’re eating because too much candy can lead to cavities. Showing employees how to identify digital threats is another aspect of security hygiene. In both cases, you’re teaching awareness.
Phishing, or tricking employees into sharing login user names and passwords, is a common way for attackers to gain access to company networks and data. Employees need to know what to look for in phishing emails, text messages and phone calls. Knowing the IT team will never call and ask for your password is a great example of security awareness.
Cybersecurity awareness training for new employees goes beyond the computer screen, too. Employees need to know the USB thumb drive they just found in the office parking lot isn’t free storage. Instead, it contains malware posing a threat to the company network. Also, propping open doors to secure areas could give someone unwanted access to company devices and data.
Easy Security Threat Reporting
Establish a procedure for reporting suspicious activity and make it easy for employees to use. Knowing what to do when a suspected phishing email appears, for example, makes it much more likely someone will report it. Once your IT and cybersecurity team are aware of the email, they can look for other signs of a potential attack and could stop a threat before it becomes a critical problem.
Cybersecurity Training Advocates
Staying on top of everything that goes along with starting a new job is hard enough. Handling the always-changing cybersecurity landscape can make that experience intimidating. That’s where security advocates come in. These are people on each team who help answer questions, point out new threats and act as mentors. Along with new hires, they can help the rest of the team keep tabs on the latest threats, too.
Manage User Privilege Access
Least-privileged access is about limiting users to just the resources they need for their job. Think of it like a safety mechanism attached to your cybersecurity training. It keeps employees from opening files or apps they shouldn’t, or entering spaces they don’t need to access. The marketing team doesn’t need access to HR’s records. You don’t need access to the server rooms unless you’re on the IT team.
Protecting Passwords and Other Login Credentials
“Passwords don’t belong on sticky notes” may seem like common sense, but it still happens far too often. In fact, the majority of corporate data breaches involve stolen login credentials. IBM’s Cost of Data Breach Report for 2021 found that compromised credentials accounted for 20% of data breaches, costing companies $4.37 million per incident.
Establish company-wide cybersecurity training guidelines for creating and managing login credentials to minimize the risk of easily stolen passwords. These rules need to apply to apps and services along with company-controlled devices, such as computers, smartphones and tablets.
Password and login policies are easy to enforce until they’re no longer convenient for employees. Using a company-wide password management tool reduces the risk of finding logins jotted on a piece of paper, or shared between employees.
Requiring two-factor authentication strengthens login security. It also reduces the risk of unwanted access if an employee’s user name and password have been compromised.
Require Lock Screen Passcodes for Unattended Devices
Unattended and unlocked devices with access to the company network and data pose a real threat. Anyone with access to an unlocked device might be able to see and copy private and proprietary company data, as well as install malware. You need both policies and cybersecurity training here. Setting a policy that requires some sort of lock screen authorization — like a passcode or authentication device — for all computers, smartphones and tablets helps keep attackers and data thieves at bay.
Cybersecurity best practices concerning protecting company assets apply to removable storage devices, too. Thumb drives, memory sticks, hard drives and other storage mediums can be attached and removed. These need to be securely stored when they’re left alone. Data storage devices with sensitive company data can be copied or stolen. Malware can be loaded on any removable storage device when it isn’t in your hand.
Require a VPN for Remote Work
Remote employee onboarding comes with its own challenges. First, require all employees to use a company-approved VPN, or virtual private network service, when remotely connecting to company servers, data and apps. A VPN encrypts the connection between your computer or mobile device and the company network. That way, attackers can’t intercept sensitive data. This also stops attackers from harvesting user names and passwords from networks they’re monitoring. Attackers often trawl public Wi-Fi networks, like at coffee shops and airports, to steal data and logins.
Cybersecurity Training Should Include Managing Allowed Apps
Part of cybersecurity training should include providing a list of which apps employees can use to access company data and other resources, and explicitly restrict all other apps. Limiting which apps have access to corporate assets makes tracking and preventing threats much easier. Apps that haven’t been approved could house security risks, expose data by accident or even harvest data and install malware on purpose.
Using sketchy apps and services to access company resources falls under the term ‘shadow IT’. Your IT department isn’t aware of those devices’ uses. It hasn’t tested them for compatibility and security issues. Employees who have a special use case for an app or service that hasn’t already been approved need permission from the IT team before they try installing or using it.
Set BYOD Guidelines
The practice of BYOD, or bring your own device, is more common than it once was. Nearly everyone already has a smartphone. Personal laptops are probably coming into the office with employees. Allowing these devices to join the company network without strict guidelines in place can lead to terrible results. What if an employee’s personal laptop, for example, has malware or ransomware lurking on its drive? That could be transferred to company servers and other computers.
If your company chooses to allow personal devices on the network, clearly define which devices are acceptable. List all the requirements for those devices, such as up-to-date on-device malware protection and all current operating system and app security patches must be installed. You can also set things up such that the IT department can remotely erase the device if it’s lost or stolen.
Part of your employee onboarding needs to include showing how shadow devices can include more than their laptop, smartphone or tablet. Smartwatches, network-connected fitness trackers, Wi-Fi-capable projectors and speakers, extra network switches and Wi-Fi access points can all fall under the umbrella of shadow IT.
Include Company Device Use Policies in Employee Onboarding
Set a clear policy for how employees can use company devices. It seems like common sense that our kids shouldn’t play games on the company smartphone. However, that needs to be clearly spelled out in employee cybersecurity training.
The number of people working from home instead of the office increased in a big way in 2020. So, there’s a greater chance of someone using a work-provided computer at home for personal use and storing personal data. If that falls outside of acceptable practice for your organization, make it clear in the device use policy.
Device Monitoring
Your company should have a list of all devices assigned to each employee as part of your cybersecurity best practices. That makes asset management much easier and can help streamline security and inventory audits. Also, let employees know if monitoring tools are used on company-owned devices. Transparency goes a long way towards maintaining employee trust.
Ongoing Cybersecurity Training
Teaching new employees cybersecurity best practices during their onboarding is important, but the process shouldn’t end there. The world of security threats is always changing. Without ongoing training, employees could fall victim to a new attack they otherwise might have noticed. It’s also easy to become complacent without refreshers and on-the-job cybersecurity training.
How often should you hold cybersecurity training? According to a study conducted in 2020 by The Advanced Computing Systems Association, about every six months. The study looked at the effectiveness of training geared towards identifying phishing emails. It found participants “still have an enhanced skill to distinguish between phishing and legitimate emails six months,” and showed the six-month training cycle proved effective.
Set a schedule for cybersecurity training. Planning in advance what future training events will focus on helps make each exercise more focused. Long-term planning lets your security team develop cybersecurity training events that build on each other and reinforce security best practices employees are already using.
Cybersecurity training can’t be a one-off event if it’s going to be effective. Starting with a well-organized cybersecurity training program during new employee onboarding builds a great foundation. Ongoing, regularly scheduled training and refreshers for all employees helps keep everyone alert and prepared for potential threats — and could save your company from disaster.
Technology Blogger, Podcaster, Author