The stakes are high for cybersecurity in higher education: college email addresses are at high risk for cybertheft, and data breaches cost more in education than in other fields.
According to the latest Verizon data breach report, phishing attacks cause 90% of cybersecurity breaches. As such, the success of your cybersecurity efforts depends on how well you've trained everyone in your organization to recognize phishing attacks, Maarten Van Horenbeeck writes in the Harvard Business Review. Van Horenbeeck is the vice president of security engineering at Fastly and formerly worked in cybersecurity at Amazon, Google, and Microsoft.
Employees are your "first line of defense," Van Horenbeeck argues. But although organization-wide training is critical to security, "most companies fail at this," he adds. He identifies three ways your training efforts could break down—and how to fix them.
1: Complicated policies
When organizational cybersecurity policies are too complex or burdensome, employees ignore them, Van Horenbeeck writes. For example, many password policies are based on outdated recommendations that advised people to change their passwords frequently and incorporate special characters, capital letters, and numbers. But researchers have found that most people dodge those rules by, for example, merely capitalizing the first letter of an old password.
Instead, Van Horenbeeck recommends simplifying policies where possible. In the example above, new guidelines from the National Institute of Standards and Technology recommend allowing employees to use password managers, copy and paste passwords into form fields, and keep their passwords longer than 90 days.
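As an added illustration (not code from the article or from Van Horenbeeck), the Python check below contrasts the legacy composition rule with a NIST SP 800-63B-style check that relies on length, a blocklist of compromised passwords, and detection of trivial variations of the previous password. The blocklist, the leetspeak map and the sample passwords are constructed for this example.

```python
import re

# Constructed stand-in for a list of known-compromised passwords (NIST 800-63B
# recommends screening candidates against such a list instead of enforcing
# character-class rules).
BLOCKLIST = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

# Common character substitutions people use to satisfy "special character" rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def legacy_complexity_ok(pw: str) -> bool:
    """The outdated rule: at least 8 characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and bool(re.search(r"[A-Z]", pw))
            and bool(re.search(r"[a-z]", pw))
            and bool(re.search(r"\d", pw))
            and bool(re.search(r"[^A-Za-z0-9]", pw)))


def canonical(pw: str) -> str:
    """Reduce a password to its 'core' so decorations added to dodge rules
    (capitalised first letter, trailing year or symbol, leetspeak) do not matter."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)       # drop trailing digits/symbols
    return core.translate(LEET).lower() or pw.lower()


def nist_style_ok(pw: str, previous: str = "", min_len: int = 8) -> tuple[bool, str]:
    """NIST-style check: length, blocklist and no trivial variation of the old one.
    No composition rules, and nothing here objects to long pasted passphrases."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if previous and canonical(pw) == canonical(previous):
        return False, "trivial variation of the previous password"
    if canonical(pw) in BLOCKLIST:
        return False, "matches a blocklisted password"
    return True, "ok"


if __name__ == "__main__":
    # "Password1!" passes the legacy rule but is just "password1!" capitalised.
    print(legacy_complexity_ok("Password1!"), nist_style_ok("Password1!", "password1!"))
    # A long passphrase fails the legacy rule yet is accepted by the NIST-style check.
    print(legacy_complexity_ok("correct horse battery staple"),
          nist_style_ok("correct horse battery staple"))
```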
2: Overwhelming training sessions
Typical cybersecurity trainings can last for hours, Van Horenbeeck writes. Many workers end up zoning out from the flood of information, much of which isn't relevant to their role.
Instead, Van Horenbeeck recommends looking for "teachable moments," providing information that's relevant to specific people at the specific time when they need it most.
3: Limited interaction
At many organizations, employees only interact with the cybersecurity team when they get in trouble for downloading a third-party program—which can make the cybersecurity team seem like bullies or "traffic cops," Van Horenbeeck writes.
To change this perception, he recommends creating new opportunities for cybersecurity staff to have more casual interactions with other teams. For example, he suggests hosting regular office hours and getting familiar with the individuals and roles across the organization (Van Horenbeeck, Harvard Business Review, 11/21).