Top Ways Organizations Can Train Employees to Defend Against Cyber Attacks


Traditional security solutions may not always keep devices and data secure from external attacks in a hybrid work environment. Here, cybersecurity experts provide insights on building a people-centric security strategy and making cyber awareness a critical piece of IT strategy to prevent malicious attacks.  

The recent surge in cyberattacks has put a huge strain on organizations looking to secure devices and networks from various cyber threats. Employees are usually the last line of defense when protecting the organization’s assets. One wrong click on a phishing link or downloading a malicious file can let hackers hijack an entire IT network. As cybercriminals get more sophisticated in their attack tactics, it’s becoming more challenging to keep employees informed on what to look for in potentially harmful attacks. 

On Safer Internet Day, cybersecurity experts provide valuable tips and insights on how IT leaders can develop a people-centric security strategy and help employees practice cyber hygiene to mitigate the risk of data theft and malicious attacks.  

Top Tips on Training Employees Against Cyber Attacks

Start somewhere, start today

Aleksandr Valentij, the chief information security officer at Surfshark, unpacks how IT executives can go beyond simply meeting checkboxes by understanding the unique threats to their organization and implementing a basic cybersecurity plan that can make a real impact.

“Every big journey begins with the first step, which also applies to cybersecurity training. My advice for businesses would be to start doing it in small steps. It doesn’t have to be fancy and professional right off the bat, even the most basic cybersecurity training is good enough if it raises awareness at all. You may improve it in the future, but the main idea here – just start somewhere, and start today.”

  • Constantly remind employees about the obvious things — phishing, strong passwords, multi-factor authentication, VPNs for remote working, and similar cybersecurity basics.
  • Companies must start with a simple way of information delivery — a training course, where the lecturer is delivering the material. This can be purchased from subcontractors with minimal organizational efforts. 
  • The next step is to automate this process. Create in-house interactive training material to allow employees to learn this information at their pace and convenience. It could contain tests/examinations at the end to raise the involvement and may be integrated into HR management platforms to track the progress of all participants.

“I hate to admit it, but shock therapy has good motivational potential too. Therefore, companies may consider making simulated cybersecurity attacks like phishing email campaigns, live social engineering attacks, and simulated breaches of sensitive premises,” Valentij suggests.

Another overlooked issue that has been especially apparent during the pandemic is the protection of remote workspaces. It’s pretty standard practice to rely on “regular networking and not establish a secure VPN infrastructure,” making employees especially vulnerable to cyber attacks, he says.


Building a robust security awareness program

Tyler Moffitt, a senior security analyst at Webroot, lists five steps for building a successful security awareness training program to prepare employees for cyber attacks:

  1. Get buy-in from stakeholders.
    Make sure your stakeholders understand the threats. Send an email introducing the program to management and clearly explain the importance of educating users and of measuring and mitigating your risk of exposure to phishing and other social engineering attacks.
  2. Start with a baseline phishing campaign.
    While running the first phishing campaign, establish the starting point for measuring and demonstrating improvement over time. Ideally, this initial campaign should be sent to all users without any forewarning or formal announcement, including members of leadership teams. Make sure to use an option that shows a broken link to users who click through instead of alerting them to the campaign. This way IT teams can prevent word-of-mouth between employees from skewing the results.
  3. Set up essential security and compliance training.
    Create training campaigns to cover essential cybersecurity topics, including phishing, social engineering, passwords and more. Establish which compliance courses are appropriate (or required) for your organization and which employees need to complete them.
  4. Establish a monthly phishing simulation and training cadence.
    Repetition and relevance are essential for a successful security awareness training program. By setting up a regular simulation and training schedule, IT teams can easily measure progress and keep an eye on any high-risk users who might need extra attention.
  5. Communicate results.
    A great way to raise awareness and increase the impact of your phishing campaigns is to share the results across the organization. Keep in mind, the goal is to capitalize on collective engagement and share aggregate results, not to call out individuals.


Implementing zero-trust architecture

Aron Brand, the CTO of Ctera, believes that with cyber attackers getting more innovative, it’s harder and harder to keep the workforce trained on what to look for in malicious attacks. That is why zero-trust architectures have become the new must-have for the workplace. The key principle of zero trust is that every access attempt is considered suspicious until proven otherwise.

As we start 2022, the attacks continue to evolve. For instance, the Log4Shell flaw stayed undetected for many years until it was too late. “How many similar time bombs exist that are still undetected? What are the lessons to be learned about the open-source software on which our world runs?” Brand asks.

“Zero trust architectures can reduce the blast radius of such incidents. Log4shell has left the cybersecurity world with more questions than answers,” he adds.

End-point security, network basics, and more

Jay Paz, senior director of delivery at Cobalt, believes a company’s security posture is only as strong as its weakest link. Each employee represents a potential entry point for cybercriminals.

“So one of the best tips I like to give companies is to nail down the basics.”

  • If something smells fishy to your employees, make sure they know how to engage IT about the situation on an alternate platform.
  • It’s also important to have clear protocols around document sharing, who has access to what information, and how/when information can be shared externally. 
  • With the transition to remote work, firms must implement tighter security around endpoints and company devices. I recommend companies invest in VPNs and single sign-on services like Okta, and consider proactively testing all their assets via a Pentest as a Service (PtaaS) offering.
  • Companies can offer a “networking basics” class while onboarding that helps employees set up their home networks and segment their home networks. 

These tips, if implemented, will not only make your company more secure but also streamline the workflow of all your employees.

Making communications the key

Defending against cyberattacks has become more challenging due to the large-scale switch to remote work, believes Erich Kron, a security awareness advocate at KnowBe4. That is why communication between organizations and employees is of utmost importance. “Clear communication should lay out the expectations from employees who opted for a remote working structure and how it will work logistically.”

Whatever an organization’s policy may be, it needs to be communicated clearly to employees and repeated and reinforced in easy-to-understand ways. Merely providing a one-time training on any aspect, whether security, how to transition to remote working or any new processes, is insufficient. Instead, organizations should view it less as training and more as a marketing exercise where small, easily digestible messages are provided over a sustained period across different communication channels. 

Maintaining good cyber hygiene

There was a 68% increase in cyberattacks in 2021 compared to 2020, as per a report from ITRC (the Identity Theft Resource Center). James E. Lee, the chief operating officer at ITRC, emphasizes the following:

  • The key to effective training, even for technical and SME staff members, is to stay current on the latest trends in attack vectors and exploits and train all staff to spot them regularly. 
  • Good password hygiene and MFA should be a must for all employees. 
  • Companies should also minimize the amount of personal information they collect, process, and store. If you don’t need to manage or keep it, get rid of it as soon as a transaction is complete. You can’t lose control of data you don’t have.

Poor cyber hygiene isn’t limited to individual employees. The ITRC recently reported that more than 160 million individuals’ personal information was exposed because IT teams forgot to configure the security protocols, including passwords, on cloud databases.

Final Thoughts 

Employees who understand the need to secure enterprise devices and data and have the tools and the required training to conduct their work safely develop a strong security culture. Security should be hard-coded into employees’ daily habits and reinforced with messaging from senior-level executives within the organization. 
