- Educate your employees and regularly talk to them, explaining the potential impact a cyber-incident may have on your operations. Employees need to know their obligations, especially when it comes to mobile data. It's not enough to require an annual review and signing of an "I have read and understand company IT policies" statement.
- Remember top management and IT staff. Top managers are often the target of cyber criminals because of their higher level of access to critical corporate and customer data. This increased access has a much bigger damage/financial payoff for the hackers. IT staff are also more vulnerable, given their administrative access over the network.
- The weakest link - Any network is only as strong as its weakest link. Explain to employees that while your organization is making its best effort to secure the company's infrastructure, it's critical that employees fully engage and do their part in following company policies. Policies should be sophisticated enough to cover all possible attack vectors.
- Social engineering - Warn employees to pay special attention to social engineering ploys they will find in social media, blogs and emails. It's also important to point out that many cyber incidents begin with a phone call from someone posing as a co-worker asking seemingly innocuous questions. Meanwhile, they are actually gathering information about the company and its operations.
- Recognizing an attack - Train employees to recognize an attack. It's critical that organizations have policies in place that assume they'll be infiltrated. Don't wait to react. Have a documented remediation plan in place and update or review it frequently. Communicate step-by-step instructions about what employees should do if they believe they've witnessed a cyber-incident. Training should include specific rules for email, web browsing, mobile devices and social networks. Don't forget the basics, such as physically unplugging the machine from the network and notifying the admin of any suspicious emails, activity or lost devices. Kaspersky suggests that employees should be able to locate their emergency IT contact number in 20 seconds or less.
- Notifications - If an incident happens, give employees a heads-up as soon as possible. A lack of transparency or improper handling of a cyber-incident may significantly increase the impact of the event. Issue instructions to employees about how to speak to the public and the press about the incident. Have an internal communications plan and PR strategy in place before anything happens. Consider insurance for cyber incidents.
- Regularly test employees - Organizations should regularly test their employees' cybersecurity knowledge and tie the results back into the training curriculum. It's important to make it fun and/or rewarding, with incentives for prompt responses.
Thursday, March 5, 2015
Top tips for educating employees about Cybersecurity