How to use training to tackle company cybersecurity

The idea that the responsibility for computer security falls squarely on the shoulders of a company’s IT department, or on its top manager or CTO, is commonplace. On its face, it makes sense — these people are the ones with the technical know-how to counter attacks and maintain security.

However, in practice, while these roles may be able to contain attacks, they don’t have the necessary resources or reach to prevent them. This falls on everyone’s shoulders equally. Everyone needs to be on the same page and working together.

All businesses need to be ready to take on any cyberattack that may come their way. The threat is constant and all organizations need to know how to counter it. Attacks can affect companies of any size and happen anywhere in the world. For example, Telefonica was hit in 2017, and it affected the worldwide market; but it can also hit more local companies like PRISA or Everis in Spain, for example, which were attacked with ransomware and had all their files held hostage.

At Formadores IT, we understand how important it is to give Training and HR departments the tools and know-how to implement a comprehensive prevention plan. Ours, for example, works in four phases:

 1. Evaluation and measurement

In the initial phase, the focus should be on measuring the organization’s risk of attack. This means drawing up a plan that’s agreed upon by the IT and Training departments, as well as approved by Management, whose primary interest is regulatory compliance. This way, everyone working together can construct an in-depth assessment of the status of the organization’s computer security.

To do this, a few initial evaluations must be carried out taking the most common risks into account. Such evaluations include: 

• A simulation of phishing or ransomware attacks directed at a random group of employees, to see how they respond.
• A simulation of vishing attacks (phishing via phone) directed at least ten people.
• A simulation of attacks using randomly-distributed USB drives, to see if anyone plugs them in.

 2. Training and awareness 

The next step involves training employees to correct any vulnerabilities detected in the previous phase’s simulations. To do this, we can organize online training sessions of roughly 2 hours each for groups of 20 to 25 people, with the digital option being the least expensive and most efficient one. The goal of these conferences should be to share basic knowledge that will help them detect and prevent cyberattacks.

3. Active training

This phase consists of organizing regular training sessions for users to make sure they’re able to actively detect attacks. This phase will:

• Be activated and assigned at random.
• Be targeted for specific departments, roles, or users.
• Teach how to correct errors. In the case of mistakes or oversights, students will learn what they should have done and what clues should have tipped them off that a cyberattack was taking place.

Learning to stay safe on various devices and social networks is a huge step in the right direction, and it’s much easier with a dynamic serious game such as Crypto. This game helps students identify common mistakes and bad practices that unfortunately happen in many organizations.

The game uses compelling storytelling to get students up close and personal with various cybersecurity threats, which gives them the know-how to deal with them more naturally. This way, through an engaging and fun video game, you can have students delve into key security aspects such as password management, risks on social media, risks on smartphones, risks on public Wi-Fi networks, identifying viruses or malware, risks in the workplace, the safe use of email or social engineering, and more.

4. Analysis and correction of problems

To finish, it’s a good idea to prepare a final report covering the following goals:

1. Have a realistic and comprehensive perspective of the different areas of cybersecurity today.
2. Understand what goes into security, and have a thorough discussion about the realities of your vulnerabilities as well as which policies and procedures you should adopt.
3. Understand and incorporate the basic concepts and technologies that define IT and computer security.
4. Learn what’s new in the world of cybersecurity as well as what new technologies are on the cutting edge

Cyberattacks are a reality we all have to deal with, and unfortunately, they aren’t going away anytime soon. Learn how to use training to your advantage to ward off any lurking dangers.