In 2017, a crippling global cyber attack hit hospitals all over the UK, costing the NHS £92m. A cyber threat dubbed WannaCry shut down a massive number of computers all over the globe, which displayed messages from hackers asking for ransom payments. Around one percent of all NHS care was out of operation for an entire week.
This perfect storm of cybercrime caused over 19,000 appointment cancellations, costing the NHS £20m within only seven days and £72m in the cleanup and IT system upgrades that followed.
WannaCry caused 200,000 computers to lock out end users with a screen displaying messages in red demanding payment of various amounts of the cryptocurrency Bitcoin. The attack was traced to a sophisticated group of North Korean hackers a year after the investigation.
At the height of the attacks, the NHS was criticized for using obsolete IT systems, including Windows XP, a 17-year-old OS that is vulnerable to even the simplest cyber threats, let alone one that is well-organized and complex. Some onlookers blamed a lack of awareness of safe IT practices as the culprit. eLearning is helping companies across all industries cultivate cybersecurity awareness in their organizations and avoid massive cybersecurity issues like those of the NHS.
Why is eLearning the Best Way to go for Cybersecurity Training?
Cyber attacks can cost millions of dollars in damages, but it takes only a small portion of this cost to train people on cybersecurity. eLearning makes the cost even smaller by removing the costs related to face-to-face training, such as travel, training rooms, facilitators' salaries, and the time away from operations.
eLearning offers precision and consistency in the content delivered to participants across divisions and even across the globe. Facilitator-led training may have instances of omission or addition of content, which can be dangerous as certain parts of the process might be missed by learners. For example, if a facilitator went over time in a class and did not have time to discuss the phone number to call to report a social engineering attempt, everyone trained by this trainer will miss the opportunity to alert authorities in case they receive a suspicious call.
Since cybersecurity involves hard skills such as understanding tools and processes, eLearning provides a quick and easy way to test whether these skills have been gained by the end of the training. Such assessments do not have to be in the form of boring and detached identification or enumeration questions either. Scenario-based questions that test the learner's decision-making skills in certain cybersecurity-related situations are a better gauge of their learning, because they test the learner's ability to apply those skills in real life.
Getting Everyone to Understand Cybersecurity
Social engineering is one of the most popular forms of cyber threat plaguing businesses. It has many faces, but this scheme normally exploits employees on the front line. It normally involves an actor who tries to trick or pressure an employee into providing internal information such as email addresses and phone numbers, customer data, and proprietary information.
Based on recent research by Verizon, about 93 percent of data breaches in 2018 happened as a product of social engineering. This number highlights the obvious: the company's first line of defense against cybercrime is the people who are at their desks, speaking to customers or in the field. It's imperative that employees across all divisions have a good understanding of cybersecurity, including:
- The types of threats they may face
- Preventive measures such as securing passwords and handling data properly
- A clear understanding of protocols in case a data breach occurs
Types of Cyber Threats
Employees need to know what they are up against. It's important to cover the most common and most damaging cyber threats in a cybersecurity eLearning course. These days, this list includes spam, phishing, malware and ransomware, and social engineering.
Spam is a nuisance to a personal user, but in a corporate setting, it can cause more costly downtime and business interruption. Spam messages can clog an e-mail server and cause it to bog down. Lacking a means to communicate internally and with customers and business partners has serious repercussions for a business.
Despite measures put in place by IT, phishing emails still make it into employees' inboxes. What's worse, they are still being clicked and shared within the organization. A cybersecurity eLearning course must include very detailed and updated examples of phishing emails, to keep employees from unknowingly sharing information that might jeopardize the company's internal data or, worse, customer information.
Bad IT practices often lead to employees downloading and spreading malware on the company's internal network. These sophisticated cyber attacks often lead to devastating losses of data, productivity, and revenue and, oftentimes, irreparable damage to reputation. A good eLearning course in cybersecurity describes each type of malware, how it behaves once it has infected a machine, and how it can be removed.
Keeping your password secure seems like a no-brainer, but things that should be “common sense” to all are often neglected and therefore exploited by cybercriminals. An eLearning course on cybersecurity should explain how using insecure passwords, sharing access codes with others, and keeping them in places that are accessible to cybercriminals can be detrimental to the overall IT security of an entire organization. After all, passwords are the first line of defense that companies have to keep internal data, tools and applications out of reach of hackers and fraudsters.
Breach Reporting Protocols
Cybersecurity eLearning courses are not complete without the company's internal breach protocols. The protocols should cover the following types of breaches:
- Availability breach or the accidental loss or unlawful destruction of personal data;
- Integrity breach or unauthorized alteration of personal data; and
- Confidentiality breach or unauthorized disclosure of or access to personal data.
Most countries have regulations requiring that such types of data breach be reported to the government; organizations that fail to do so risk paying a hefty fine. It is important that organizations have the means to collect data breach information internally, precisely and in a timely manner.
IT security is a vast topic, but an organization can start with these three topics and cover its bases just enough to start building good IT practices with its employees.