4 barriers to teaching employees good cybersecurity habits — and how to overcome them
By Chris Willis
Proper training is undoubtedly a top defense against cybersecurity breaches. IT policy, physical security, firewalls and other technical precautions are obviously necessary, but teaching workers what to do—and what not to do—lays the groundwork for a strong, secure frontline defense to support all other security measures.
The importance of cybersecurity training is clear, but that doesn’t mean that it’s always easy. Too often, real barriers stand in the way of properly teaching the security measures that can save a business millions in cleanup costs and lost productivity—not to mention the hit to brand reputation and future sales if sensitive data is compromised. Obstacles including budget concerns, time constraints, stubborn company culture, or a lack of cybersecurity best practices can seem overwhelming, especially to a smaller organization with limited resources. Fortunately, there are reasonable solutions to each of these roadblocks that can help all organizations be more secure.
1. I don’t know enough about cybersecurity myself.
It’s common for training to fall completely under the umbrella of the HR department. Of course, while some HR professionals are highly tech-savvy, they are also faced with many competing demands, and few have the bandwidth available to stay current on technology and cybersecurity best practices. While there are mountains of information available online, all of this data can feel overwhelming—and often offers conflicting advice. The good news is these days you don’t need to be an expert in cybersecurity to help your workforce understand the basics of protecting themselves and the company’s information and assets.
There are a variety of great online learning resources created specifically with cybersecurity training in mind. Several platforms offer the ability to purchase a pre-designed course to adequately cover the most critical cybersecurity practices. Look for courses that address these important points:
- Recognizing phishing campaigns
- Password management
- Two-factor authentication
- Reporting suspicious activity
- Solutions to both major and minor security issues
Larger organizations may consider working with a third party to craft a customized eLearning course that delves into specific IT policies, processes, and solutions regarding cybersecurity.
2. It costs too much.
It can be difficult to get budget dollars allocated to training. It’s easy for leadership to brush off educational needs for an organization, hoping that HR will somehow find a way to fill in all the gaps. The solution? Learn to speak the language of business. When it comes to cybersecurity training, the path to C-suite support is through ROI (Return on Investment) and Risk Management. How will money spent on cybersecurity training work for the bottom line of the company? Some of the benefits of investing in professional cybersecurity courses:
- The average cost of a cyberattack is almost 4 million dollars, and this number increases every year. Quality training can help avoid these costs.
- According to a major study conducted by the American Society for Training & Development (ASTD) in the 1990s, businesses that spend at least $1,500 per employee annually on training activities reportedly earn 24 percent more profit than those with lower training budgets.
- Cybersecurity training and certification can protect an organization from lawsuits in the event of a data breach. The stronger and more consistent the training program, the better defense it is in a legal proceeding.
- In a single year, 62 percent of businesses experienced some form of phishing or social engineering attack.
- Cyberattacks cost $45 billion in 2018 alone.
Showing the numbers and real-life repercussions of cyber threats can help make a case for investing in training. For truly small businesses or startups that don’t have the cash to spare on training, educating yourself and anyone on your team is still critical. Fortunately, free online tools make training more accessible than ever before. From webinars and downloadable content to articles just like this one, low-cost resources are abundant. Use caution in selecting sources you can trust, and look for information dated within the last couple of years. Cybersecurity technology moves at a breakneck pace to keep up with hackers, so advice and best practices change over time as well.
3. I don’t have time.
It’s easy to feel like there are never enough hours in the day. Business owners or department heads are expected to wear many hats and account for almost every minute of their working time. Just as budgets need to include investment to prevent significant profit loss, an organization must invest in time for cybersecurity training. Consider this: the average amount of downtime caused by ransomware attacks in the second quarter of 2019 was almost 10 days. That’s 80 hours that each worker is stopped from doing their job altogether. Even once systems are back online, getting to the source of the attack and ensuring it doesn’t happen again consumes the IT department, diverting valuable resources from maintenance or new initiatives.
The staggering amount of time a cyberattack can cost a business helps justify making a quiet moment during the week to help teams confidently recognize the signs of a phishing scam and audit their personal and professional passwords. In as little as an hour, you can train workers to avoid mistakes that will cost the organization many, many more hours in lost productivity if cybersecurity is ignored. A microlearning approach can offer even greater flexibility for fitting in training between other activities, making the time investment even easier to manage.
4. Company culture.
If cybersecurity isn’t already on the minds of the people in an organization, it can be hard to push through the idea of setting aside dedicated time and budget for training. Statistics and logic are convincing to some, but without clear organizational buy-in and behavior change by workers, even a good training program cannot yield optimal results. Developing a cybersecurity culture requires a message of accountability from the top in order to drive organizational behavior change. The best way to get everyone on board is to show them how a data breach impacts them personally. Many workers fail to understand the far-reaching reverberations of a cyberattack. Attackers go after things of value—usually money or data. When that data includes the personal, private information of customers, the loss of trust can be long-lasting and costly. This downturn in an organization’s reputation hurts everyone tied to the brand.
Less trust in the company means the sales team will struggle. Loss of revenue can mean lower or no bonuses at all. Further, the costs of the breach must come from somewhere. If there’s no increase in revenue, this means that budgets will be cut from other projects, and everyone has to pick up the slack. Team members are also customers in many cases—they get discounts and perks for buying from the company. That means their data is also tied to the security of the organization and is vulnerable if all workers aren’t properly trained and follow protocols. When coworkers fail to practice good cyber health, they put everyone around them at risk. Understanding how everything is tied together in this way can help evolve the company culture and make cybersecurity training something everyone values enough to follow through on.
These barriers to teaching proper cybersecurity habits are a real struggle for many businesses. That said, the reality of cybersecurity risk is too great to brush off training in the face of obstacles. No organization is immune. Even Justin Bieber had his data stolen in the MGM breach. If it can happen to a large corporation with a lot of resources, a cyberattack can happen to anyone. When the budget and time can be found for training, company culture can be shifted through education, and the right security habits can be learned through online resources or by purchasing a professional course. Working towards tighter cybersecurity is one of the best things a business can do to protect its workers, its customers and its bottom line.