One-click catastrophe: Why a security awareness training program matters

One click. That’s all it takes.

One click on a link in a perfectly innocent-looking email can be catastrophic and take down your entire firm. But it’s not just that you have to consider. What are the ramifications your clients will experience because their personal information and data have been leaked? You may as well close things down because you’re not coming back from that.

The latest Cost of a Data Breach Report from IBM and the Ponemon Institute found that the average cost of a data security breach is $4.24 million per incident. Let that sink in—over $4 million per incident.

And when you factor in that nearly 90% of data breaches are caused by human error? That one click is catastrophic.

It’s also why your firm needs a security awareness training program—yesterday. So, let’s talk about how to get started.

Perform a cybersecurity risk assessment

Before diving right into a security awareness training program, you first need to perform a cybersecurity risk assessment of your firm. This is when you look for noncompliance and vulnerabilities within your firm. Identifying the risks will guide you in your cybersecurity choices. You must decide what needs to be protected and invest in an awareness training program.

Follow these five steps to perform a cybersecurity risk assessment of your firm:

1. Take an inventory of all systems and resources. Document all devices (e.g., computers, tablets, printers, servers, phones, routers) on your network. Think about who has access to these resources (e.g., employees, third-party vendors) and how data, such as personal information, travels between these resources. Don’t forget about any applications you use, such as customer relationship management tools, cloud storage or accounting platforms—any applications that integrate within your tech stack.
2. Identify potential weaknesses and threats. Determine the areas where your firm’s information is most vulnerable. Remember, this also applies to your clients’ sensitive information. Since the most impacted areas pertain to smartphones and email, you need to know where potential threats (e.g., unauthorized access, data misuse or leakage, service disruptions) can occur, so you’ll know how to prevent cyberbreaches.
3. Determine the risk impact. After you’ve documented all systems and resources your firm uses and identified potential weaknesses and threats, it’s important to determine the risk impact that occurs from a cyberattack. Two important questions to keep in mind are:
   • What information is most at risk?
   • How could a cyberattack harm your firm?

   Rate each potential risk on a scale of low, medium and high risk to ensure proper security controls are in place based on each risk level:

   • Low: Items may include servers that contain public information but no private data.
   • Medium: Items may include data storage in an off-site physical location.
   • High: Items may include highly sensitive information, such as payment or clients’ personal information stored in a cloud-based application.

   Based on the risk impact, decide the likelihood of each possible risk scenario and what financial impact it could have on your firm. This will help you prioritize what needs to be secured first.

4. Develop and set cybersecurity controls. To keep your firm (and your clients’ data!) safe from cyberattacks, it’s important to put strong security protocols in place. These protocols can help deter unauthorized access to sensitive information and prevent data leaks. Some prevention tools include:
   • Installing antivirus protection and strong firewalls.
   • Requiring strong passwords and multi-factor authentication.
   • Implementing a security awareness training program.
5. Analyze results and make improvements. As with any assessment, it’s extremely important to measure and analyze the results of the controls you’ve put in place. Technology is constantly changing and improving, and hackers are only getting smarter. Be sure to perform a cybersecurity risk assessment at least annually to ensure that your firm isn’t leaving high-risk resources vulnerable.

Security awareness training defined

Outside of installing antivirus protection and strong firewalls, the most important thing you can do to safeguard your firm is to implement a security awareness training program. And I’ll tell you how to do this in a bit, but first let’s talk about what an awareness training program is.

At its very core, a security awareness training program is an education program for your employees to prevent user risk. It helps employees understand their role in keeping your firm’s data and your clients’ data safe from cybercrimes. As employees are typically the first line of defense in protecting your resources and assets, they must be well trained to stay vigilant in protecting your firm.

A training program makes employees uber-aware of cyberthreats, especially phishing attempts. It helps minimize risk to your firm, addresses mistakes employees may make during simulated attacks and tests them on their awareness.

Now that we have the basics under our belts, let’s move on to implementation.

Implementing a security awareness training program

If you decide you want to tackle creating your own security awareness training program, that’s certainly an option. If you go this route, there are several key components to keep in mind when creating your program:

• Diverse educational content. Keep in mind that each department within your firm will require separate security content. While some employees may prefer literature, others may prefer video modules. Be sure to include topics on various threats, such as phishing, password security or insider threats, to name a few.
• Ongoing internal messaging. Security training can’t be considered as “one and done.” It requires buy-in from all staff, and the best way to do this is by marketing the benefits internally on an ongoing basis.
• Consistent testing. Although employees may review literature or video content, the best way to ensure adherence to security protocols is through consistent testing. Performing simulated cyberattacks like phishing gives employees the chance to report a possible attempt and increase resilience. For those who may fail the tests, an opportunity for continued education and additional training arises, turning the failure into a learning experience.
• Measuring and analyzing results. Set KPIs (key performance indicators) to track your team’s performance throughout their security training. Analyzing this data allows you to easily see any security gaps that may still exist and adjust the training modules to focus on areas that are lacking.

While you can certainly create your own program, I’d recommend investing in a training program like the Right Networks Security Awareness Training solution. It’s a comprehensive, fully managed awareness training program tailored to accounting firms—just like yours. It educates and tests your employees, all while giving you visibility into the number of courses your employees have completed and insight into how well they’ve blocked simulated phishing attacks.

Set up your line of defense

Whether you create your own internal security awareness program or choose to invest in a comprehensive solution, consistent training is key. Your employees are the first line of defense when it comes to information security, and they need to be well educated and prepared to go to battle against cyberattacks.

For more information on Right Networks’ cybersecurity solutions, check out their website here.