5 Tips for Training Non-IT Employees on Cybersecurity
In June, one research study found that the pandemic caused just over 40% of the entire US workforce to work from home full-time. Many businesses made the quick decision to allow employees to work remotely, scrambling to provide IT resources and remote-work tools on the fly. Now, many enterprises are doubling down and allowing employees to work from home for the foreseeable future. More than half of employers expect that their workers will continue to work remotely long after COVID-19 is no longer a concern.
This commitment to long-term remote work means that IT teams need to shift their long-term cybersecurity strategy. Most experts have recognized the need to prioritize cloud security and reallocate budget from network security to data protection. The immediate response, rightfully so, has been to secure devices, data storage, and vulnerable third-party platforms from ransomware and malware attacks.
However, one of the biggest threats to your enterprise’s cybersecurity is your employees. CNBC reported that “47% of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.”
As more employees work remotely, the opportunity for hackers to exploit human error has grown exponentially. This increased level of risk coincides with many enterprises scaling back their workforce. Many IT teams are stretched thin with members working remotely or in limited shifts. The bottom line? Now, more than ever, cybersecurity is every employee’s responsibility. For non-IT employees, cybersecurity can feel too technical or challenging. Here are some ways to make cybersecurity awareness training both accessible and effective – especially when delivering it remotely.
Focus on the most common threats
Cybersecurity awareness training for non-IT employees should stay straightforward and easy to understand. Give employees the most important information and try not to overwhelm your coworkers with aspects of data and information security that they can’t influence.
A good place to start is by identifying the four most common types of security threats, particularly those that have evolved during the pandemic. Advanced phishing attacks and ransomware are two such threats that employees can actively prevent. Teach your team how to identify a phishing email – and tell them what they need to do if they aren’t sure if an email is suspicious.
Use different communication tools
Cybersecurity should be a top priority for every employee, but unfortunately, it competes with every other business priority a team member has to juggle. If you want non-IT professionals to read and register your information security training, you need to get creative in your communication tactics. “Sending out an email with a link to your cybersecurity policies probably isn’t the best way to make sure your message gets through crowded inboxes,” wrote the experts at CSO Online.
Of course, email is one of the more convenient and effective ways to communicate cybersecurity awareness training – but make sure you send regular, frequent emails to keep cybersecurity top-of-mind. Vary the content within your emails too. Work with your internal communications team to create videos, infographics, and checklists that help employees understand what security measures they need to be practicing regularly. Some companies also send mock “phishing” emails to see if employees are paying attention. Test individuals with a fake spam message to see if they take the proper steps to contain and report the threat to your IT team.
Provide a cybersecurity checklist
Most employees aren’t aware of where their data is vulnerable to hackers. Make it easy for your non-IT team members to perform regular cybersecurity self-audits. Send each team member a checklist, along with step-by-step directions and regular intervals at which they should repeat these steps. A cybersecurity checklist might include things like:
- Check the security of your WiFi connection (every month)
- Install anti-virus software and check for updates (every two weeks)
- Check for updates to security software (include a list of the software tools your team uses, such as privacy tools, browser add-ons, and third-party platforms; every two weeks)
- Back up files to the cloud (every week)
- Lock your screens when working in a coworking space or cafe (every day)
- Use a VPN (every day)
- Encrypt sensitive data (every day)
These steps should have detailed instructions under each one for non-IT people to follow. Keep your instructions as basic as possible, and provide an email or contact number for employees who get confused.
Offer platform-specific training
Many companies are using platforms like Slack and Google Drive for the first time. As a result, users may be unfamiliar with the security protocols required to keep data safe on new remote-work tools.
Empower some employees to augment your IT team by providing specialized security training. On Slack, for instance, you can assign a team member to a higher administrative role: Primary Owner, Owner, or Admin. These admin roles are in charge of managing members, channels, and other administrative tasks – and can take a proactive role in managing user permissions to maintain Slack privacy. By providing advanced, platform-specific training, you can empower team members to help police internal cybersecurity risks on new remote-work platforms.
Have a backup solution
As much as you can train your employees on cybersecurity, mistakes still happen. Most businesses anticipate adding more sophisticated cybersecurity software in addition to improving cybersecurity awareness training.
A DLP solution can help mitigate some of the risk coming from your non-IT employees. Nightfall’s data loss prevention platform monitors your cloud to search for data leaks before they happen. Set custom actions to prevent employees from sharing data without authorization. Delete messages that contain API keys and other credentials, personally identifiable information (PII) like credit card numbers, or protected health information (PHI) like medical record numbers.
Nightfall can also help with user education. Set up automatic notifications to let team members know when they share data in unsafe ways across your cloud applications. With over 100 detectors, Nightfall can be fully customized to scan your SaaS and IaaS environments to search for business-critical data that is at risk. Learn more about how Nightfall can protect your data security by setting up a demo.
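To make the two preceding paragraphs concrete, here is an added example of the kind of detection and policy logic a DLP tool applies to chat messages. It is illustration code written for this article, not Nightfall's product code, and its detectors are deliberately small: a credit card detector (digit-run regex confirmed with a Luhn check so order numbers are not flagged), an AWS access key ID pattern (the documented `AKIA` + 16 characters format), and a constructed generic `api_key=` rule. The sample messages, the `apply_policy` rule (delete messages carrying credentials, notify the author for PII), and all function names are assumptions made for the example.

```python
"""Minimal DLP-style scanner for chat messages (illustrative, not product code).

Detects credit card numbers and credential-looking tokens in constructed
sample messages, returns findings with the matched value redacted (so the
alert itself does not leak the secret), and maps findings to an action.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or dashes (common PAN layout).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# AWS access key IDs are 20 characters beginning with "AKIA" (documented format).
# The generic api_key rule is a constructed example pattern for this article.
CREDENTIAL_RES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\bapi[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"
    ),
}

# Constructed sample channel: (message id, text). m2 is a Luhn-invalid
# 16-digit order reference that a naive digit regex would misclassify.
SAMPLE_MESSAGES: List[Tuple[str, str]] = [
    ("m1", "customer card is 4111 1111 1111 1111, please refund"),
    ("m2", "order ref 1234 5678 9012 3456 shipped today"),
    ("m3", "deploy with api_key=sk_test_abc123def456ghi789 on staging"),
    ("m4", "prod creds: AKIAIOSFODNN7EXAMPLE (rotate later)"),
    ("m5", "lunch at noon?"),
]


@dataclass
class Finding:
    detector: str
    redacted: str      # only the last four characters survive redaction
    message_id: str


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used to validate card number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Mask everything except the last four characters for safe alerting."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_message(message_id: str, text: str) -> List[Finding]:
    """Run every detector over one message and collect redacted findings."""
    findings: List[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):     # reject digit runs that are not valid PANs
            findings.append(Finding("credit_card", redact(digits), message_id))
    for name, pattern in CREDENTIAL_RES.items():
        for m in pattern.finditer(text):
            value = m.group(m.lastindex or 0)   # capture group if the rule has one
            findings.append(Finding(name, redact(value), message_id))
    return findings


def scan_channel(messages: List[Tuple[str, str]]) -> List[Finding]:
    """Scan a whole channel, preserving message order in the findings."""
    out: List[Finding] = []
    for message_id, text in messages:
        out.extend(scan_message(message_id, text))
    return out


def apply_policy(messages: List[Tuple[str, str]]) -> Dict[str, str]:
    """Constructed policy: credentials -> delete the message; PII -> notify the author."""
    actions: Dict[str, str] = {}
    for f in scan_channel(messages):
        if f.detector in CREDENTIAL_RES:
            actions[f.message_id] = "delete"
        else:
            actions.setdefault(f.message_id, "notify")
    return actions


if __name__ == "__main__":
    for f in scan_channel(SAMPLE_MESSAGES):
        print(f"{f.message_id}: {f.detector} -> {f.redacted}")
    print(apply_policy(SAMPLE_MESSAGES))
```

Two design points carry over to real deployments: validate candidates before alerting (the Luhn check is what keeps `m2` out of the findings, and a tool without such a check trains employees to ignore its notifications), and never put the raw matched value in the notification, since the alert channel is itself a place data can leak.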