
John Trest, Chief Learning Officer of VIPRE Security, has addressed how businesses of all sizes should prioritise cybersecurity training for their employees in order to fend off cyber-attacks.

Trest noted this comes at a pivotal time when many still work from home and new waves of cyber-attacks are constantly arriving.

A survey from Specops Software showed that 41 per cent of businesses are still not providing adequate cybersecurity training, and new research from Hornetsecurity stated that 33 per cent of businesses are not offering cybersecurity awareness training to remote staff.

Trest insisted the lack of security hygiene measures is "one of the most common reasons why cybercriminals gain access to business-critical systems in the first place." He added that with humans fronting company defences, "the key to reducing cyber threats and mitigating human risk is by prioritising and investing in the right security awareness training."

In addition, the VIPRE Security Chief Learning Officer stated that the cybersecurity threat is present in almost all industries and is becoming harder to combat with "ransomware, phishing to malware, and new innovative methods and technologies being utilised by attackers".

The COVID-19 pandemic and the introduction of hybrid work systems saw cyber-attacks become more common, with a report from Alliance Virtual Offices showing a 238 per cent increase in attacks. This was due to staff being away from expert IT staff and operating on open networks.

Trest stresses that because the cybersecurity landscape is always changing rapidly, "it is crucial that businesses invest in its IT security hygiene by implementing the right measures to prevent such attacks."

However, he sounds a note of caution: according to a study by IBM, 95 per cent of cybersecurity breaches arise from human error, despite the cybersecurity resources available to businesses. This is why Trest believes "if employees are not educated in how to keep themselves and others safe from an attack – these technological investments are set to fail before they even begin."

Regarding the necessary training and education, Trest states, "Any effective digital security approach must start with security awareness, by teaching employees about the ever-evolving threat landscape."

He adds that this training should be a regular occurrence and not just a one-time examination, as information learned can easily be forgotten within weeks, so businesses should "reinforce training on a regular basis to keep up the retention of information, and thus the knowledge of the learner to apply best practices in the event of a cybersecurity attack".

Personal training is useful when looking to teach staff about cybersecurity issues, as individual weaknesses can be identified and teaching can therefore be tailored to individual employees. This teaching tool is known as adaptive learning, which Trest says complements "human learning styles in order to increase security awareness engagement and strengthen the businesses' overall security posture".

According to the chief learning officer, "This especially helps in situations where a course must be deployed to learners at varying levels of understanding on a topic." This is because some staff may be new and may not yet have knowledge of certain aspects of cybersecurity risks and skills, whereas some of the more experienced staff members might have this knowledge already. The more experienced staff should therefore be allowed to skip lower-level lessons they might have already taken.

With a 70 per cent reduction in security-related risks from organisations prioritising cybersecurity training, Trest says it plays a huge part in businesses surviving as they can "reach the goal of creating a security-conscious culture and protecting them from potential security threats".

In recent times, there have not been any rules in place regarding employees receiving internal security training. Trest stresses that due to the changes in the cybersecurity landscape, "it is vital that employees remain updated and aware of the potential threats they face."

Legal requirements are set to be put in place for employees in Europe in relation to security training. This is through NIS 2, the Network and Information Security Directive 2.0, which Trest believes "should be seen as a positive – strengthening cybersecurity resilience across Europe – with a specific focus on appropriate training procedures".

Ultimately, Trest believes any organisation coming up short with "adequate cyber hygiene best practices and measures put themselves at a higher risk of a cyber-attack". Due to cybersecurity defences relying on individuals' technical actions, companies must "prioritise their security investment by making education and awareness a top priority", according to Trest.

Trest adds that specific security training is crucial, as "Companies cannot expect their employees to remain ahead of evolving risks". He believes specialised training "enables users to become more vigilant and security conscious, in turn, helping to reduce an organisation's cyber risk".

The risk of cyber-attacks is currently high across various industries, including the healthcare system, which is more vulnerable than ever to such attacks. Additionally, the use of artificial intelligence could be a threat to businesses, with ChatGPT possibly leaving those who operate with the tool vulnerable to cybercriminals.