In the first two posts of this interview series with Chad Quarles, Senior CISO Advisor from Hartman Executive Advisors, we have discussed the importance of implementing Multi-Factor Authentication and data backup to help your business qualify for Cyber insurance. Today, we will explore cybersecurity awareness training.
While insurance carriers have not yet been asking for cybersecurity awareness training as a prerequisite for writing a cyber policy, having training in place does put your organization in a more favorable light when trying to secure affordable and comprehensive cyber coverage. It is also one of the most cost-effective ways for small to mid-size businesses with limited resources to lower their risk profile while protecting their operations. I must also add that I can already see indications that the market will likely start requiring this protection measure as well in the near future.
Cyber Insurance Landscape
Before we dive into our interview with Chad, I would like to provide you with deeper insight into the insurance market forces at play that affect your ability to obtain adequate Cyber coverage, which in turn determines your ability to conduct business.
The Cyber insurance market has increasingly been facing a supply-demand issue. You may have noticed that your clients are now asking you to have Cyber coverage to conduct business, which has increased demand for Cyber insurance. However, at the same time, insurance carriers have become more conservative and risk-averse when writing new and renewing existing policies – therefore, decreasing the supply of sufficient and affordable Cyber policies.
This means your business must be competitive to receive coverage at a time when fewer Cyber policies are being offered. Cybersecurity awareness training is not only one of the most affordable cybersecurity measures you can take to protect your business, but it can also make you a more attractive applicant during the underwriting process and help you obtain sufficient and affordable coverage.
PSA: What is cybersecurity awareness training, and why is it important for small to mid-size businesses?
Hartman: Cybersecurity awareness training is the process of formally educating your workforce about the different types of cyber threats, how to recognize them, and what steps they can take to keep themselves and your company safe and secure. The most resilient organizations have established a culture of cybersecurity awareness. In these organizations, employees are no longer viewed as the “weakest link”. Instead, they are considered the last line of defense against cyber-attacks and an effective layer of defense.
Even the most advanced cybersecurity technologies cannot prevent all cyber-attacks. Inevitably, your employees will be confronted with a malicious email, website, text message, or even phone call. A cyber-aware employee can be a very effective layer of defense by identifying and reporting the suspicious activity so that the IT team can respond and make sure similar attacks are detected and blocked in the future.
With so many employees working remotely, small businesses are becoming more vulnerable to cyber-attacks than ever before. A cybersecurity awareness program can be a cost-effective way to improve your organization’s resiliency to cyber incidents.
PSA: What can small businesses do to implement an awareness training program?
Hartman:
- Subscribe to intelligence feeds from government organizations, such as the Cybersecurity & Infrastructure Security Agency (CISA) and the FBI’s Internet Crime Complaint Center (IC3), to stay in the loop on the latest cybercriminal patterns of behavior that can help keep your employees vigilant. Also, be sure that your employees know how to report suspicious or concerning activity!
- The first step is to conduct regular training assignments. The most effective programs leverage frequent, short, and engaging training modules. This approach is more effective at keeping security top of mind than a longer training assignment done just once a year or during new employee on-boarding. Personally, I have achieved the best results with monthly 5–10-minute interactive training modules that cover the topics most applicable to the employee’s role within the organization and that can also benefit them in both their personal and work lives.
- Another important element of user awareness training is situational awareness – keeping employees aware of emerging cyber threats and trends affecting organizations and individuals. For example, if you become aware of an email phishing message targeting multiple employees, send out an advisory email to all staff or post an awareness bulletin on the company intranet to help raise awareness of real-world schemes being used to target your business.
PSA: What else can businesses do to enhance the effectiveness of their training?
Hartman:
- Test regularly. Training alone is not enough. You should also conduct regular social engineering testing to measure the effectiveness of your user awareness program. Sending email phishing tests to your employees is a great way to prepare them for real-world threats and test their ability to identify and report potentially malicious emails without clicking on malicious web links or opening dangerous attachments.
- If you don’t think you have the time or expertise to develop and deliver user awareness material, consider using a security vendor such as KnowBe4, Mimecast, or Proofpoint. Each of these companies offers great user awareness training and testing platforms that you can use to improve your employees’ cybersecurity savviness.
- Finally, monitor the results of your user awareness program and report out regularly. I have found that sending leadership a detailed report after each social engineering test helps management understand which of their employees present cybersecurity risk to the organization and they can follow up as necessary with individuals on their team(s). You may also want to publish a generalized summary of the results to the whole company that shows high-level results by department and highlights elements of the test messages that were suspicious and could have been used to identify the email as a phish. If you have the budget, consider awarding the top performers with a small gift card or some other reward to help incentivize employees to do better on these cybersecurity tests, and make a competition out of it.
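As an added illustration of the reporting step Chad describes, the following Python snippet is example code, not anything from the interview, PSA, or Hartman Executive Advisors. It aggregates constructed phishing-simulation results into the two views mentioned above: a department-level summary with no individual names, suitable for an all-staff bulletin, and a list of repeat clickers across campaigns for the leadership report. The record layout and the sample rows are assumptions; a real training platform export would be mapped into the same fields.

```python
"""Summarize phishing-simulation results by department and by repeat clicker.

Added example, not code from the interview. It assumes a constructed export
with one row per recipient per test campaign; real vendor exports would be
mapped into the Result fields below.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str    # identifier of the simulated phishing test
    user: str        # recipient (hypothetical usernames)
    department: str
    clicked: bool    # followed the test link or opened the test attachment
    reported: bool   # used the report button or forwarded the message to IT


# Constructed sample data: two campaigns, two departments, five recipients.
SAMPLE_RESULTS = [
    Result("2024-01", "alice", "Finance", clicked=True,  reported=False),
    Result("2024-01", "bob",   "Finance", clicked=False, reported=True),
    Result("2024-01", "carol", "Finance", clicked=False, reported=False),
    Result("2024-01", "dan",   "Sales",   clicked=True,  reported=False),
    Result("2024-01", "erin",  "Sales",   clicked=False, reported=True),
    Result("2024-02", "alice", "Finance", clicked=True,  reported=False),
    Result("2024-02", "bob",   "Finance", clicked=False, reported=True),
    Result("2024-02", "carol", "Finance", clicked=False, reported=True),
    Result("2024-02", "dan",   "Sales",   clicked=False, reported=True),
    Result("2024-02", "erin",  "Sales",   clicked=False, reported=True),
]


def department_summary(results):
    """Aggregate click and report rates per department across all campaigns.

    Returns {department: {"delivered", "clicked", "reported",
                          "click_rate", "report_rate"}}; no usernames are
    included, so this view is safe to share company-wide.
    """
    counts = defaultdict(lambda: {"delivered": 0, "clicked": 0, "reported": 0})
    for r in results:
        c = counts[r.department]
        c["delivered"] += 1
        c["clicked"] += int(r.clicked)
        c["reported"] += int(r.reported)
    summary = {}
    for dept, c in counts.items():
        summary[dept] = {
            **c,
            "click_rate": round(c["clicked"] / c["delivered"], 3),
            "report_rate": round(c["reported"] / c["delivered"], 3),
        }
    return summary


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` distinct campaigns.

    Intended for the leadership report so managers can follow up
    with individuals; keep this view out of the all-staff summary.
    """
    campaigns_clicked = defaultdict(set)
    for r in results:
        if r.clicked:
            campaigns_clicked[r.user].add(r.campaign)
    return sorted(u for u, camps in campaigns_clicked.items()
                  if len(camps) >= min_clicks)


def format_bulletin(results):
    """Render the department summary as plain-text lines for a bulletin."""
    lines = ["Phishing test results by department"]
    for dept, s in sorted(department_summary(results).items()):
        lines.append(
            f"{dept}: {s['delivered']} delivered, "
            f"{s['click_rate']:.0%} clicked, {s['report_rate']:.0%} reported"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_bulletin(SAMPLE_RESULTS))
    print("Repeat clickers (leadership only):", repeat_clickers(SAMPLE_RESULTS))
```

The split between `department_summary` and `repeat_clickers` mirrors the two audiences in the answer above: the aggregated view carries no names and can go to the whole company, while the per-person list stays with leadership for follow-up.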
PSA: These best practices should help your small or mid-size business get started protecting itself. If you need any assistance implementing cybersecurity technology measures, consider Hartman Executive Advisors as a resource. If you have any questions regarding your existing policy or purchasing new Cyber coverage, do not hesitate to contact me at cmorsberger@psafinancial.com.