THIS IS AN OPINION
The word “cybercrime” often elicits stereotypical images of a faceless foreign actor hacking into a corporation’s network. Or even scarier, it recalls the hyped-up Terminator-style breach, with individuals deploying artificial intelligence to bypass software’s security controls.
To be clear, these attacks can — and do — happen. But in general, today’s cybercrimes are more straightforward and less sophisticated than that. Criminals don’t have to employ advanced tactics like AI-generated deepfakes to access companies’ systems because employees have unintentionally left the doors open.
The latest Avast Threat Report states that, unlike years past, “online fraudsters aren’t focusing as much on breaking through software-based security.” Instead, the data shows they are “hacking through human defenses” by exploiting existing digital vulnerabilities. Today, individuals fall prey to “an all-time high” number of social engineering, malware and other web-based threats. Fortunately, there are steps businesses can take to help decrease the rate of these human errors within their organizations. Top of the list is security awareness training.
Why is security awareness training such a valuable and cost-effective tool? Perhaps most importantly, this process helps companies create a “cybersecurity culture” where their people are educated, equipped and empowered to protect themselves against threats. Without preparation, employees often feel uncertain or anxious about warding off cyberattacks. Training gives them the tools and the confidence they need to understand the mechanisms and the psychology behind criminals’ various tactics. When users know what the enemy looks like, they can better sniff out and shut down malicious attempts.
While all organizations benefit from security awareness training, the process is particularly critical for small and medium-sized businesses. Corporations generally benefit from bigger budgets and dedicated IT teams. These entities can employ various software and security controls to externally limit users’ abilities and, by extension, attackers’ footholds into their networks. Small businesses are more dependent on employees complying with their designated cybersecurity practices. Security awareness training can help companies ensure user buy-in and consistent follow-through of their protocols.
Companies pursuing security awareness training must remember that not all programs are created equal. Generic videos, designed to meet an employee requirement, often result in complacency or a “set it and forget it” mentality from participants. Fear-based programs tend to discourage interest or engagement. Training, whether led internally or with third-party support, should be tailored to the company and industry. It should be interactive, with opportunities for employees to weigh in, ask questions and more. To put it simply, the security awareness training must be worthwhile.
Employees often serve as the gatekeepers to companies’ data. By deploying security awareness training effectively and consistently, businesses can empower their teams to detect attacks and, in turn, build stronger, more resilient systems.
