Ask the Experts: Requiring Cybersecurity Training
Question: We are a small company—40 employees. Are there policies we should have in place for cybersecurity? Can we make employee training on cybersecurity mandatory?
Answer: Companies of all sizes are smart to be concerned about cybersecurity, especially in light of the recent WannaCry ransomware attack. There are steps you can take to reduce the risk of data breaches, malware infiltration, and other security incidents. Employees are your first line of defense, so ensuring that they are trained to identify and report suspicious emails and other security threats is important. Whether cybersecurity training should be mandatory is your decision. You can consider assigning employees a training course and allowing them ample time to complete it, or adding it to new employee onboarding activities.
It’s a good idea to train employees to:
- Be skeptical—if they receive an email, view a webpage, or see a social media post with a too-good-to-be-true offer, they should think before clicking.
- Report suspicious emails—give employees concrete information on how to report emails that may be phishing (attempts to get employees to share confidential or sensitive information) or fraudulent.
- Ask questions like:
  - Do I recognize the sender’s email address?
  - Do I recognize anyone else copied on the email?
  - Is the domain in the email address spelled correctly, or is it simply close to the actual domain (like amazon.com versus anazon.com)?
  - Would I normally receive an email from this individual?
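The domain-spelling question above can also be turned into a mechanical check that a mail filter or help desk could run. This is an added example, not code from the original column; the trusted-domain list is constructed for illustration.

```python
# Added example: flag sender domains that are close to, but not exactly,
# a domain the company trusts (e.g. anazon.com imitating amazon.com).
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist for the example; a real deployment would use the
# company's own list of partner and vendor domains.
TRUSTED_DOMAINS = ["amazon.com", "example-company.com", "microsoft.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lowercased domain from a From: header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_check(header_value: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain the sender appears to imitate, or None.

    An exact match is not a lookalike; a domain within max_distance edits
    of a trusted domain is reported so a person can review the message.
    """
    domain = sender_domain(header_value)
    if not domain or domain in trusted:
        return None
    for candidate in trusted:
        if edit_distance(domain, candidate) <= max_distance:
            return candidate
    return None


if __name__ == "__main__":
    for sample in ["orders@anazon.com", "Amazon Orders <orders@amazon.com>"]:
        print(sample, "->", lookalike_check(sample))
```

A flagged result is a prompt for the employee or help desk to verify the message, not a verdict on its own.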
Remind employees that they should never click on a link in an email or open an attachment until they are absolutely certain that the link or attachment is valid. You can consider a simple reminder like “Think! Don’t click!” that you include in informational emails about cybersecurity.
Finally, we do recommend having a published cybersecurity policy. Include it in your employee handbook and be sure to review it with current and new employees. Your policy should include guidelines for:
- IT assets and mobile devices.
- Access control.
- Maintenance of antivirus software.
- Contractors, vendors, and outsourcing.
In addition, the policy should include information about the repercussions of noncompliance.