Corporate cyber training efforts remain a work in progress
Companies are paying more attention to training their employees on how to prevent and respond to cyber incidents, but there is room for improvement.
“Companies can do a lot better,” said Eric Cernak, Hartford, Connecticut-based Munich Reinsurance America Inc. cyber risk practice leader.
“Many companies probably do a pretty good job of training during the onboard process, when they bring in new employees. The problem is, they don't keep things really up to date. They don't do training on an annual basis,” except perhaps at some of the largest companies, Mr. Cernak said.
A total of 54% of firms say they have privacy and data protection awareness training for employees and other stakeholders who have access to sensitive personal information, according to a September report by Traverse City, Michigan-based Ponemon Institute L.L.C., compared with the 44% who reported this in its 2013 survey. The San Diego-based Identity Theft Resource Center estimates that between 2005 and March 20, 2015, there have been 5,203 breaches involving 778 million records.
“The standard protocol is to send an email with guidance on what to do and not to do, but for the most part the training is limited to just that internal communication,” said William P. Cosgrove, Stamford, Connecticut-based managing principal and practice leader for financial institutions at Edgewood Partners Insurance Center Inc., which does business as EPIC.
“Very few companies are pulling their employees aside for sessions where they go through what cyber security means, how the individual can affect cyber security at the firms and what they should be doing to prevent an occurrence,” Mr. Cosgrove said.
However, Robert Parisi, Marsh USA Inc.'s national cyber product leader in New York, sees improvement. Rather than having workers watch a PowerPoint presentation and sign a statement saying they sat through it, employers “are engaging in active training,” including sending out fake phishing emails to see who clicks on the link.
“The training has evolved with the evolution of the risk,” he said.
The training does not need to be overly complicated, Mr. Cosgrove said. “It just comes down to basic steps” of taking employees aside, getting them to understand what a cyber incident is, its effects, how their response can cause harm and what they should or should not do in the event of an incident.
Experts say training should cover how to recognize and avoid phishing links; how to limit access to sensitive information; the corporate policy on the use of personal devices; and how to respond to a suspected data breach.
Training must be updated and repeated “because the techniques of attacks change,” said Lauri Floresca, cyber team leader and partner and senior vice president at Woodruff-Sawyer & Co. in San Francisco.
Just a year ago, for instance, poor grammar or misspellings were signs of a phishing attack. But many more of these attacks now “look pretty darn good,” she said.
Rick Shaw, president and CEO of Lincoln, Nebraska-based Awareity, which provides training, said the key in training is not only to provide the training itself, including best practices, “but to include ongoing reminders throughout the year” on issues such as the organization's policy on opening up emails.
Ongoing education is important, said Royce Jeffries, vice president of risk management and security at Cornhusker Bank in Lincoln, which works with Awareity. “The bad guys use all kinds of techniques, and by educating our employees and hopefully providing some information to our customers as well, we can try to help them prevent becoming victims.”
And don't forget an employee who is laid off or fired.
“You'd be surprised how many instances you hear of employees being let go, and up to a week or two later they still have access to systems,” Mr. Cernak said.
Larger companies are more likely to have the facilities or infrastructure to conduct training, said Mr. Parisi. However, “smaller companies are aware of the issue” and have the advantage of having fewer people to train, he said.
Corporate support of training is critical, experts say. There must be management level awareness “and a willingness to deploy the resources, because it takes time and money” to put an effective training program in place, said Sarah Stephens, head of cyber, technology and media errors and omissions at JLT Specialty Ltd.
“This needs to be a boardroom-level matter,” said Mr. Cosgrove. Board and senior managers cannot rely on the chief technology or information officer “to tell them what is, or is not, adequate.”
Costs “depend on the size of the company and the type of information the organization has access to,” said Matt Donovan, Atlanta-based national underwriting leader for technology and privacy at Hiscox USA. “There's no one-size-fits-all approach.”
Mr. Shaw said the cost of training can range from $7 to $24 a person. The Ponemon Institute estimated in 2014 that the average cost for each lost or stolen record is $201.
“Costs are relatively minor, considering what the cost of a loss can be,” said Nicholas Economidis, Houston-based underwriter of professional liability and specialty lines at Beazley P.L.C.
“It's the single best investment a company can make” in terms of improving its risk profile, Mr. Parisi said, and it is a factor underwriters take into account when pricing coverage.
And the training pays off, say experts. “We certainly see a correlation between the quality of the training and the frequency of loss” associated with events or incidents, Mr. Economidis said.