Employee education critical against cyber threats

Make your people hack-proof by training them to be cyber security risk aware, says Charl Ueckermann, CEO at AVeS Cyber Security.

Johannesburg, 03 Jun 2019

The better an employee’s understanding of cyber security risks is, the greater his/her potential to participate in reducing these risks, as well as the associated costs of a breach. The average cost of a cyber security breach can range between R1 million for small businesses to around R40 million for large enterprises.

This is according to Charl Ueckermann, CEO at AVeS Cyber Security, who says it is easier to hack a human than a network.

“Make your people hack-proof by training them to be cyber security risk aware. Sound employee knowledge can be your network’s best proactive defence mechanism,” he says.

He points out that training can’t be purely theoretical. It should be accessible and practical so that it translates into behavioural change.

“When we talk about behaviour change, it boils down to creating awareness of cyber threats, encouraging the continued, prudent use of applications and Internet resources, and empowering employees with the tools to know what to do if they notice something is wrong.”

Organisations can best achieve behavioural change that sees every employee participating in the cyber security strategy through continuous micro-learning that ensures retention of knowledge.

Ueckermann explains that training programmes should offer companies a mechanism for providing bite-sized cyber security awareness tools to employees in an accessible way. This encourages their receptiveness to the information, an understanding of the information and prompts a “want” as well as an ability to put that knowledge to use. These bite-sized chunks of information should be adapted to the employee’s risk profile. A personal assistant to an executive, for instance, would be deemed to have a high risk profile because s/he has access to a lot of confidential and personal information. The speed of the curriculum can also be customised so people can train at a comfortable pace and don’t become overwhelmed by TMI (too much information), too soon and too fast.

“IT security awareness initiatives should make a splash and then follow with engaging pieces of information in intervals to keep people interested and keen to adopt what they’ve learned. What you want is a team that not only supports your IT security strategy, but is also empowered to identify faults or potential threats and know what to do to fix them. That is when employees become part of the solution instead of being one of the biggest risks to IT security,” says Ueckermann.

He describes an IT security awareness programme as having four steps:

1. The launch: When cyber risks are explained in the context of an increasingly connected, digital world. Cyber threats affect everyone, from large corporations to individuals. Employees should move away from just understanding the role they play and move towards understanding they are part of the solution.

2. Train: Implement training, for instance, using training platforms, and sign off and communicate security policies around the use of e-mail and Internet resources.

3. Motivate: Keep people interested and motivated to support the IT security strategy. Use e-mail banners and the company newsletter to keep them updated. This can be combined with incentives or built into KPIs.

4. Empower: Where employees are in a state of control when it comes to identifying potential problems as well as knowing what to do to remedy them.

He points out a company’s human resources (HR) department has a vital role to play in implementing an organisation’s cyber security strategy and digital transformation journey.

“They know who has joined or left the company. Employees should be on-boarded and off-boarded properly. This includes giving them access to resources that are appropriate to their job specifications and risk profiles. New staff induction programmes should also include IT security awareness education. Using cyber security training platforms, such as Kaspersky Lab’s Automated Security Awareness Platform (ASAP), it is possible to look at where the person lies on the cyber awareness continuum, establish their risk profile and then implement interval training appropriate to this. On the flip side, access privileges need to be removed when the person leaves the company.”

Ueckermann concludes, saying with the right tools and with continuous learning and awareness among employees, companies can mitigate cyber risks dramatically.

“If everyone is prepared and alert, breaches can be caught early and recovering from an incident will cost half of the average cost of an incident than in an organisation that is not prepared. Education is indeed one of the most powerful weapons against cyber attacks.”

Share

AVeS Cyber Security

AVeS Cyber Security is a specialist IT Governance & Architectural services consultancy that combines expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions. Over the past 21-years, AVeS Cyber Security has strategically honed its solutions and services to help Southern African businesses future-proof their IT environments against the continually evolving threat landscape while achieving their digital transformation aspirations. The company offers a leading portfolio of professional services, products, and training in security, infrastructure, and governance solutions. This year (2019), the company won three awards from some of the world’s top technology vendors, indicating competency, strength, innovation and robustness in an industry that is fast growing in complexity due to evolving challenges, such as ransomware, advanced targeted attacks and the Internet of Things. The awards include Kaspersky Lab’s Africa Partner of the Year 2019, ESET Regional SMB Sales Champion 2019 and ESET Product Champion 2019. AVeS Cyber Security also received three new partner statuses, namely, Microsoft Gold Datacenter Partner, DellEMC Gold Partner, and Barracuda Preferred Partner.

Editorial contacts

Vickie Slabbert
Echo Square PR
(082) 411 7602
vickie@echosquare.co.za
Chani Slabbert
AVeS Cyber Security
(+27) 11 475 2407
chani@aves.co.za