Regular training can help your employees be your first line of defense against cyberattacks.
Oct 4, 2023
As cyberattacks grow in sophistication, most folks in government know they need to be prepared with strong software and hardware security protocols. And while these technologies will provide protection against a variety of threats, they offer little protection from a major risk factor: your own employees’ actions.
The Verizon Data Breach Investigations Report shows that 74 percent of breaches involved a human element. These data breaches can be caused by employees’ unintentional actions and errors, such as clicking on links in fraudulent emails or using weak passwords. It’s that human element on which cyber criminals prey, tricking employees into revealing sensitive information or performing actions that compromise security.
While you may have put technical solutions in place to reduce the likelihood that malicious activities will succeed, your government’s overall security requires an embedded culture of cybersecurity awareness to be truly effective. With regular training, your employees can become your government’s first line of defense.
In celebration of Cybersecurity Awareness Month, we’re going to take a deeper look at the components of cybersecurity awareness training programs and offer tips for building your own.
Critical components of a cybersecurity awareness training program
Cybersecurity awareness training educates employees about cyber threats, including how to recognize potential risks and prevent them in their daily tasks. This can encompass everything from a formal security awareness training program to informal monthly emails with cybersecurity tips, each designed to influence employees’ behavior. The goal is to help employees understand that cybersecurity is part of their job responsibilities.
Here are some elements to include in your cybersecurity awareness training:
- Avoiding common cyber threats: Train employees to recognize and avoid common tactics used by hackers, such as phishing, ransomware and social engineering. Include quizzes and phishing simulations to help employees identify these types of attacks.
- Creating strong passwords: Teach employees how to create unique, unguessable passwords. Remind them not to use personal information or words related to their job, hobbies or interests.
- Strengthening email and browser security: Hackers target email and web browsers with several types of attacks. Train employees on how to recognize fraudulent emails and how to open attachments safely.
- Protecting sensitive information: Remind employees about the types of sensitive information your government collects, as well as steps for keeping it safe.
- Reviewing policies and procedures: Educate employees on your government’s specific cybersecurity policies.
- Incident reporting: Review procedures for when and how employees should report suspected cybersecurity incidents.
- Training on issues important to your government: Tailor your training to cover topics that are relevant for your organization, such as remote work policies, physical security, social media, and use of personal email or mobile devices.
- Testing: Periodically send fake phishing emails to employees to monitor who clicks on the links. These campaigns enable you to track the results of your awareness training, and they remind employees to be vigilant about phishing emails.
Tips for building a successful program
A successful cybersecurity program needs to be designed with longevity in mind. After establishing the program, you should review it occasionally to see if changes are required to meet new risks. The training program can’t be a “one and done” – it needs to continue throughout an employee’s career.
- Ensure management buy-in: For a cybersecurity program to be successful, it needs management support. Management should lead by example and participate in the training sessions to demonstrate the importance of cybersecurity to the organization.
- Conduct regular training: Employees should receive training when they are first hired, and then on a regular schedule thereafter, at least annually if not more often.
- Update training regularly: Cyber threats evolve, so it’s important that you update your training to ensure its effectiveness and alignment with current threats and best practices.
By following these recommendations, you can help ensure your employees understand the importance of cybersecurity and are equipped with the knowledge and skills to protect your government’s assets and sensitive information.
Resources to get you started
Building a cybersecurity awareness training program may seem daunting, but there are many low-cost and free resources to get you started. Below, you’ll find tools for delivering training modules, assessments, and newsletters to keep employees engaged.
- SAO’s “People matter in cybersecurity” offers advice for starting an awareness program.
- The National Institute of Standards and Technology provides a list of free and low-cost trainings you can use today to start your program.
- The National Cybersecurity Alliance and the Cyber Readiness Institute also offer employee awareness training.
How to reach us for more assistance
Do you have questions about cybersecurity? SAO’s Center for Government Innovation has a cybersecurity specialist available to talk with you about best practices and resources. For assistance, reach out to us at Center@sao.wa.gov.