If you have a successful business, chances are you’ll want to protect it as well as you can. Yet there’s one area that businesses around the world fail to recognize in their day-to-day work, and that is risk management. Even though we’re a company that builds cybersecurity solutions, our risk management doesn’t focus solely on measures against cyberattacks. There are a number of threats that businesses should be aware of. So in this blog post, our Risk team will share their experience: why risk management is vital to every business’s success, and how to teach your employees to be more vigilant where security is concerned.
Why Risk Training is not the same as Work Safety
At first glance, risk training and risk management may seem like a waste of everyone’s time, especially when we know that humans forget 40% of what they’ve learned after 20 minutes. However, other statistics are just as staggering, e.g., 90% of cyberattacks start with a basic human error like clicking the wrong link. It’s important not to confuse risk management with work safety. Work safety focuses on safety protocols concerning natural disasters, accidents, and other occurrences inside the work environment. Risk is about managing all the outside variables: intruders, data theft, data leaks, device theft by outsiders, cyberattacks, etc. Together these make up a substantial part of what can threaten the operations of any business.
Things to know when planning your risk training
1. Awareness is key because everybody has their primary responsibilities and can’t think about risk management every minute. Remember to deliver this message with an impact during your training – we’ll cover how you can do this later on.
2. Training events are mandatory – people are busy and have short attention spans, so organize a dedicated training event, where their attention will be only on the issue at hand. Just giving some forms to sign is not an option if you want effective results.
3. Make risk awareness a routine – have dedicated communication channels where people can report suspicious incidents. Encourage them to double-check things before acting on them.
4. Test your effectiveness periodically – simulated cyberattacks or incidents that test the employees’ knowledge serve as a good risk reminder for the whole staff. So remember to keep them on their toes, just in a friendly manner.
5. Collaborate. Risk management and training should be communicated in every department, e.g., HR should tell new employees how important it is not to skip it. Marketing and communications teams should always know to run sensitive information past the Risk team before publishing it.
How to deliver your training effectively
Start with awareness. Tell them how important it is to stay in the moment and assess everything that’s happening. It’s like walking in a city: the primary goal is to get from point A to point B, and you usually don’t plan how you’re going to cross the street until you do it. But while you’re crossing it, you’re naturally checking the environment – traffic lights, cars, bikes, and so on. At that moment, you’re already actively managing risks. The same approach works at any business – it’s vital to be attentive at every step of your work.
Explain reasoning. You can deliver cybercrime and threat statistics, or you can show people how they themselves have already been affected by the dangers you’re talking about. Guess which one will be more effective 🙂 They definitely won’t forget how many times they’ve been breached personally, and that’s bound to build cybersecurity awareness. Our classic is using Have I Been Pwned, but there are other methods too. After all, if you’re delivering your training to newcomers, they’re not that invested in the company’s welfare at first, and you’ll get better results by appealing to their own interest in risk management.
Risk starts at the door. Before the lockdown, every employee used their identification card to enter the office. However, if a whole group of people came in at once, only one person would use their card to unlock the door. What if there was a stranger with ill intentions among them? This is how data theft and similar incidents happen in huge companies. It’s practically impossible to remember everyone’s face, but you can always wait and see whether the person next to you takes their ID card out of their pocket.
Golden rule: secure device + network. Deliver all the information on how to use them securely and which protections should be switched on during working hours. For example, if you have a secure network at the office, an employee may not need anything else there, but they may have to turn on a VPN when working from home. Every organization uses different security measures for devices and networks, but the staff needs to know what is used for what purpose and how it should work.
Don’t forget tools. The weakest link in using tools is passwords and logging in. The drill here is simple – password managers and MFA (multi-factor authentication). For people who previously worked at small businesses, these may seem excessive at first, but after a while of using them, it becomes standard practice.
Sharing etiquette. Extremely important, yet usually forgotten. What do you do when you want to share a password with colleagues, or files with someone outside the company? Here at Tesonet we have dedicated security tools in place that allow us to share credentials safely. As far as information goes, there’s usually a security routine in place, such as a person who reviews the information for potential risk and either approves it or suggests improvements. Your staff should be informed of these procedures and how they should act in particular situations.
Phishing. It’s not the only cyberthreat out there, yet it’s one of the most popular ones where businesses are concerned. In fact, around 156 million phishing emails are sent out every day, and the average loss is estimated at more than 3 million per breach. This is why email and phishing attempt management gets special attention. The staff should be taught how to recognize such emails and how to check link safety before clicking on them.
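The “check link safety before clicking” advice above can be turned into a concrete checklist, and the checklist into a small tool. The following Python script is an added example written for this post, not a tool Tesonet’s Risk team uses or describes. It pulls every anchor out of an HTML e-mail body and flags the classic tricks trainees are taught to look for: the visible text showing one domain while the real href points somewhere else, a raw IP address instead of a hostname, a punycode (IDN look-alike) host, credentials smuggled in before an @ sign, and plain http instead of https. The sample e-mail body and every domain in it are constructed for illustration and use reserved example names only.

```python
"""Link-safety checks for anchors in an HTML e-mail body (constructed example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body; the domains are documentation/reserved names, not real sites.
SAMPLE_EMAIL_HTML = """
<p>Please review your invoice:</p>
<a href="https://billing.example.com/invoice/123">billing.example.com</a>
<a href="http://198.51.100.7/login">Secure login portal</a>
<a href="https://xn--pple-43d.com/reset">https://apple.com/reset</a>
<a href="https://accounts.example.com@evil.example.net/verify">accounts.example.com</a>
"""

# Finds a domain-looking string in the visible link text (with or without a scheme).
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible_text) tuples found in the HTML."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return a list of warning strings for one anchor; an empty list means nothing was flagged."""
    warnings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        # "https://trusted.example.com@evil.example.net/" really goes to evil.example.net
        warnings.append("credentials in URL (user@host trick)")
    if _is_ip_literal(host):
        warnings.append("raw IP address as host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (IDN) host")
    match = _DOMAIN_RE.search(text)
    if match:
        shown = match.group(1).lower()
        # A subdomain of the displayed domain is fine; anything else is a mismatch.
        if shown != host and not host.endswith("." + shown):
            warnings.append(f"displayed domain {shown!r} differs from actual host {host!r}")
    return warnings


def audit_email(html):
    """Map each href in the e-mail to its list of warnings."""
    return {href: check_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, warnings in audit_email(SAMPLE_EMAIL_HTML).items():
        status = "; ".join(warnings) if warnings else "no issues flagged"
        print(f"{href}\n    {status}")
```

Run it as-is to see the four sample links scored; only the first one comes back clean. The checks are deliberately conservative: a clean result means none of these specific tricks were found, not that the link is safe, so the tool belongs next to the training rather than in place of it.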
As a risk department, we constantly work on monitoring, testing, and improving. Periodic evaluation of our protocols and procedures is a must if we want to keep threats at bay. Every position at every company comes with its own list of risks. Secure coding, traffic fraud, chargebacks, and similar areas deserve separate posts, yet it is our job to help people mitigate those risks. Some processes are automated; some are still manual and take much more time. It’s a never-ending journey of assessments and improvements. Yet risk training plays a huge role in the security of every organization. After all, it only takes one click to shut down even the biggest companies, so a little healthy paranoia at times can bring extra value to you personally and to the company as well. The role of risk training is to instill that in every member of the staff, and to do it on repeat 🙂 Stay safe and aware!