Law Office Manager

How to stay vigilant without hiring a surprise attack ninja

June 7, 2022

Remember the Pink Panther movies? Peter Sellers’ character, Inspector Clouseau, hired “Cato” to randomly attack him. He thought unexpected ninja attacks would keep him ever vigilant. While the over-the-top comedy is ridiculous, it does remind me of how to approach cybersecurity. You do not need to hire someone with a kendo stick to beat your staff into compliance, but frequent “reminders” do promote vigilance.

This comparison comes from Mike Sacopulos, founder and CEO of the Medical Risk Institute. He said most professional practices provide cybersecurity training when an employee is first hired, and annually after that. While this method will certainly check the box for “security training,” it is highly ineffective for maintaining good cybersecurity habits.

Cybersecurity training is not a “once you learn it, you know how to do it” type of training. “It is not like riding a bicycle. In fact, it’s just the opposite. For staff to maintain the awareness required to spot phishing emails and other cybersecurity scams, they must be continually reminded that there’s a threat,” said Sacopulos.

Annual training is not enough. Effective cybersecurity training is delivered in shorter sessions, more frequently, with ongoing reminders. Sacopulos suggests six ways your practice can do this on the cheap:

  1. Send periodic emails with cybersecurity reminders and tips. Mark your calendar every six weeks with a reminder to send these out. In the morning is most effective. Pull tips directly from your security policies and procedures.
  2. Email a 3-question quiz just prior to a staff meeting. Present and discuss the answers in the staff meeting. Have everyone who got all three questions correct put their names in a hat and draw one for a gift certificate.
  3. Print posters and flyers. “One practice I worked with created colorful Watch Out for Phishing posters, and hung them on bathroom staff doors, break rooms, and bulletin boards.”
  4. Put reminders in company communications. If your practice sends a monthly newsletter to employees, include a story about security in several issues a year.
  5. Monitor employee password strength twice a year. KnowBe4 has a free tool for this: Weak Password Test (WPT). WPT checks your Active Directory for several different types of weak-password-related threats, providing insight into the effectiveness of your password policies and any failures, so that you can take action.
  6. Administer a verbal “cyber awareness quiz” at several staff meetings each year. This can be informal. Simply ask a few questions during the meeting (don’t put this on the agenda), and ask the team for verbal answers. For example:
    1. “Name two common human-error reasons that cyberattacks or breaches occur.”
    2. “What are two clues that an email may be a phishing email?”
    3. “What is ransomware and how does it work?”

Choosing even two or three of the ideas presented here can improve retention of important security concepts. The key is keeping employees on alert for potential security threats all year long. Doing so can keep cybersecurity at the top of every lawyer and staff person’s mind—so they think twice about clicking.

If this fails, you can always bring in Cato for more “aggressive” cybersecurity compliance, added Sacopulos.
