Let’s say you invest millions of dollars in a top-notch cybersecurity software and hardware solution. You write the policies and procedures for your employees to ensure that your money doesn’t go to waste and that you prevent security risks. You’re good, right?
Let’s go back to my previous example of Tirrihana. She reads the policies and starts doing her work. While attempting to adhere to the policies, she gets confused. She finds that staying compliant with the policies is cumbersome and makes her life more difficult. So, she begins to find the loopholes and backdoors to avoid the protocols that inconvenience her in her day-to-day work. Because, no matter how good your cybersecurity setup is, there will always be backdoors and loopholes.
She doesn’t do this out of malice. She does not want to endanger the company or cause a security issue. She just wants to do her job in the most efficient way possible. And, she is not a manager, does not make big decisions, and doesn’t think she will be a target. She thinks this way because she hasn’t been trained and taught how an adversary would target her organization.
This goes on for six months, a year, two years. Nobody says anything because nobody notices. Suddenly, the company is hit with ransomware. Tirrihana is not the only person doing this. However, it was her system that became compromised. Because one year, one time, she used her company account to catch a Black Friday sale she had to have.
The attack is traced back to her account. And, in the investigation, it is found that she was never provided adequate cybersecurity training. Nobody explained to her, in a way she could understand, why she would be targeted as a way into the company.
Now you can see the importance of training your employees on cybersecurity. The company can take no action against Tirrihana because nobody trained her or made her aware of her role in keeping the organization safe. They are even debating whether they can keep her in the organization.
As you can see, training becomes a critical factor when it comes to putting cybersecurity practices into place. You can spend the money and establish the system, but if you don’t train your employees on why it is so important, they will find ways around it and put your organization at risk.