Cyber security training for employees

What is cyber security training?

Cyber security training is the formal instruction of your employees to recognize the growing danger of common and emerging cyber threats. Such training can be a key first line of defense in network security. Raising security awareness instructs your people to understand vulnerabilities to your network, data, operations and reputation. Employees need to understand the risks they may face when accessing your business network through a computer at work or online at home.

Why is cyber security training important for your employees?

Cyber security training for employees is increasingly vital at a time when cybercriminals are getting more skilled at attacking corporate networks, stealing and corrupting data and installing ransomware and other types of damaging malware. A 2021 study of 500 corporations by IBM Security found that data breaches affecting the organizations polled now cost an average of $4.24 million per incident — the highest cost in the 17-year history of the survey.¹

While cyber experts and software developers are constantly working to provide active defenses in the form of critical security updates and apps, the “human factor” remains the weakest link in any cyber security framework. By embedding information security best practices and enhanced awareness in the minds and everyday work habits of your team, you can build a first line of defense against many of the attack scenarios employed by cybercriminals.

What should cyber security training cover?

• Recognizing e-mail phishing attacks – Employees need to understand that clicking on the wrong link or opening the wrong email or PDF attachment can unleash damaging malware. What clues can tip off a vigilant employee that email senders are not who they seem?
• Resisting social engineering scams – Not all cyber attacks start with malicious emails. They can begin with an official-sounding or friendly phone call from someone posing as a coworker, colleague, vendor or some other individual seeking information that can be leveraged for a cyber attack.
• Why mobile device (BYOD) security is important – It’s likely that an employee’s smartphone, tablet or other device with permissions to access your network has nowhere near the degree of internet security that is running on your system. That opens a door for malware invade your network through an employee’s device.
• Why password hygiene is vital – Strong passwords, combining capital and lower-case letters, numbers and special symbols, are critical to network security, as is updating passwords every 60 or 90 days. And passwords should never be shared, given out over the phone or in emails, written on sticky notes and stuck to desks or monitors, or made available through any other unsecure practice.
• Why accessing social networks can be risky – Accessing social media on company computer resources is not only inappropriate, it’s extremely dangerous to the organization’s network and data. Social media are among cybercriminals’ favorite distribution channels for malware and other threats. For example, a humorous meme or image a user downloads could be hiding a damaging code.
• Why remote work can challenge network security – The pandemic demonstrated network connections through the internet allowing employees to work remotely are both vital to business continuity and a great flexible work alternative. Once again, however, any connection via the web is potentially vulnerable, making VPNs and other tools critical to network security.

How to train employees to build a culture of information security

Develop a holistic understanding of your level of risk:

• Knowledge assessment – Employee training must begin with an assessment of current knowledge about the growing range and severity of cyber threats.
• Culture assessment – How do current levels of employee knowledge and resultant behaviors set the tone for the organization’s information-security culture?
• Behavioral risk assessment – Based on assessments of employee knowledge and corporate culture, what are the key behavioral risks within the organization?

Implement end-user training to address acute human cyber risks

Training should be culturally relevant and easy to implement, incorporating both onsite and modular, online training and support tools available to learners at any level.

Above all, an effective cyber security training program should clearly identify all acute human factor cyber risks, helping users to better understand their own behaviors and the impacts those behaviors may have (positively or negatively) on the performance, reputation and resilience of the organization.

Zurich can help build a culture of cyber security

Zurich can help businesses manage user risks and change behaviors through measurement, training and threat simulation.
For more information about cyber risks and ways that Zurich Cyber Risk Resilience professionals can help your organization respond, visit our Cyber Risk Engineering webpage.

1. “IBM Report: Cost of a Data Breach Hits Record High During Pandemic.” IBM. 28 July 2021.

This is intended as a general description of certain types of insurance and services available to qualified customers through the companies of Zurich in North America, provided solely for informational purposes.  Nothing herein should be construed as a solicitation, offer, advice, recommendation, or any other service with regard to any type of insurance product underwritten by individual member companies of Zurich in North America, including Zurich American Insurance Company, 1299 Zurich Way, Schaumburg, IL 60196. Your policy is the contract that specifically and fully describes your coverage, terms and conditions.  The description of the policy provisions gives a broad overview of coverages and does not revise or amend the policy.  Coverages and rates are subject to individual insured meeting our underwriting qualifications and product availability in applicable states.  Some coverages may be written on a nonadmitted basis through licensed surplus lines brokers.