It seems like every day you hear about the latest data breach or security failure of another major organization. If the most powerful and advanced tech companies in the world can’t perfectly protect themselves, what does that say about everyone else?
Cybersecurity is important. No one can afford a ransomware attack or data breach, but it’s a nigh-impossible topic to cover — especially for non-tech-oriented organizations. What can you do to protect yourself and your business?
You can get help, and there is a dedicated group of researchers who specialize in answering exactly these questions: the National Institute of Standards and Technology (NIST). NIST built a guide that helps organizations manage security risk, known as the NIST Cybersecurity Framework (CSF).
With the latest release of the framework (version 2.0), you can transform your approach to cybersecurity training, equipping every member of your organization with the skills needed to improve security and prevent disasters.
Why Cybersecurity Employee Training Matters for Small Businesses
Security architecture, software, systems and the team members who operate them all play essential roles in protecting your business, but even that combined effort cannot create perfect safety. The lifeblood of every organization is the people who run it. Every individual doing every task that keeps the organization running contributes to the whole, and each of those individuals makes countless decisions throughout the day.
What does that have to do with cybersecurity? Well, those individuals make decisions with technology, and those decisions can improve or destroy your security. Every single individual in the organization has the power to bring it all crashing down, and in too many cases, they do so accidentally.
NIST has found that roughly 35 percent of data breaches stem from actions by non-technical personnel. That cross-section of breaches accounts for more than $100 billion in losses for businesses across the country each year, and that figure does not even cover other forms of security failure. Sometimes the actions that lead to breaches are accidents or errors. Sometimes they come out of negligence. Sometimes they are malicious.
Regardless, over a third of data breaches happen because of people rather than security systems, and it turns out that no security measure can solve this issue. As long as the people in the organization can act, they can compromise your security.
The universal solution boils down to education. Train your employees in security best practices, and you can avoid most of those problems. The new NIST framework lays out aspects of employee training to ensure everyone knows how to do their part to protect data and live up to legal obligations.
Understanding the NIST Cybersecurity Framework 2.0
With an understanding of the link between cybersecurity and employee training, let’s take a look at the new NIST cybersecurity framework (CSF).
The original CSF was published in 2014 and last revised as version 1.1 in 2018. Since then, the institute has worked on modernizing its approach to cybersecurity, and rather than continue with incremental updates to the older philosophy, the entire framework was reimagined.
The latest version (2.0) was formally released in February of 2024, and it introduced major shifts in how organizations should look at security. The original framework showed IT personnel and security experts how to systematically build protections for organizations.
The new framework includes those ideas, but it expands them in a few important ways. First, the original version was written for critical infrastructure: sectors such as energy, finance and healthcare that are heavily dependent on technology and information processing.
Today, every type of business in every industry uses technology at critical points daily, and every organization handles at least some level of sensitive information (such as customer data).
The new framework reflects this by expanding its scope to include all organizations. Everyone can benefit from the NIST CSF 2.0, and that means employees need to know at least some of the information provided.
A second major change to the framework involves strategy. Before, cybersecurity was handed off to tech experts, and everyone more or less expected things to run smoothly from there. That might have worked in the past, but because everyone is so inundated with technology and connectivity, everyone can contribute to the security or vulnerability of an organization and its systems.
Ultimately, this means non-IT personnel still need to know the basics, and the best way to achieve that is with a top-down governance approach. The leaders of the organization need to direct and oversee IT and cybersecurity efforts in meaningful ways. In short, we all have a lot to learn, and we all have to work together.
Training Based on Each Function of the NIST Framework
If the NIST CSF 2.0 is going to draw more attention to security best practices, there's a lot of ground to cover. Fortunately, the writers of the framework understood this, and they broke everything into six digestible Functions: Govern, Identify, Protect, Detect, Respond and Recover.
Let’s look at training ideas for non-tech employees in each of these areas.
Govern
The Govern recommendations in the new CSF primarily address leadership within an organization.
Cybersecurity is no longer something you can simply outsource and forget. Leadership — especially at the senior levels — needs buy-in and direct oversight of cybersecurity efforts. This means employee training starts at the top. Senior leadership has to learn enough to understand the primary risks and threats along with goals and strategies designed to protect the organization.
Leadership’s primary function (as outlined in the new framework) is to assess and oversee cybersecurity efforts to ensure they meet goals and address primary risks. That only becomes possible when leadership invests sufficient time and energy into their cybersecurity education.
Identify
Identification has been a primary component of the NIST CSF from the beginning. The point is to understand what the organization has (assets, data, suppliers) and the threats and vulnerabilities that put those things at risk.
How does this translate into employee training? It’s simple. List and document the primary threats and risks for each position in the organization, and design the training around that. Remote workers might have different security priorities compared to overnight security guards. There are too many variations to cover it all here, but employee training can and should focus on specific elements of the person’s role in the organization.
Protect
While security systems and measures handle significant aspects of protection, individuals also play their parts. Company devices have to be physically protected to prevent unauthorized access.
Similarly, login credentials require some level of protection. If an employee uses the same password for every account, and an account unrelated to your business is compromised, that still puts your organization at risk. Protect best practices teach employees how to take personal responsibility for cybersecurity measures that directly intersect with their activities.
You can summarize that concept by saying that, at minimum, every person is responsible for protecting their access to the organization’s technology and information.
Detect
Detection is another realm where you expect dedicated resources to do the heavy lifting. Each individual can’t identify every digital threat that comes through a network, for instance. That said, individuals do need to detect threats that directly impact them.
The easiest example is phishing. How can every single person know what phishing attempts look like? You have to train them, of course. Fortunately, such training is well-developed and can be deployed efficiently. When you explain to employees why they never need to hand their credentials to another person, and how to spot phishing attempts, scams, social engineering and other attacks that might come their way (a sender whose reply address goes somewhere else, a link whose visible text does not match where it actually points, artificial urgency, a request to "verify" a password), you boost organizational security substantially.
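The indicators employees are taught to look for can also be written out as checks and run over raw messages. The following is an added example for this article, not code from the original page or from any NIST publication; the two sample emails, the pressure-phrase list and the threshold in `should_report` are constructed for illustration, and the checks are heuristics, not a substitute for a mail gateway.

```python
"""Phishing-indicator checks over raw RFC 5322 messages (added example, heuristic only)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording that pressures the reader or asks for credentials (assumed list, not exhaustive).
PRESSURE_PHRASES = (
    "verify your account", "confirm your password", "within 24 hours",
    "account will be suspended", "act immediately", "enter your credentials",
)
# A bare host or URL inside visible link text, e.g. "corp-example.com".
_SHOWN_HOST = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(url):
    """Lower-cased host part of a URL ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _body_text(msg):
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def phishing_indicators(raw_message):
    """Return human-readable indicators found in one raw email (empty list if none)."""
    msg = message_from_string(raw_message)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = from_addr.rpartition("@")[2].lower(), reply_to.rpartition("@")[2].lower()
    # 1. Replies are steered to a different domain than the apparent sender.
    if reply_to and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    body = _body_text(msg)
    links = _LinkCollector()
    links.feed(body)
    for text, href in links.links:
        target = _host(href)
        shown = _SHOWN_HOST.search(text.lower())
        # 2. Visible link text names one host while the href goes somewhere else.
        if shown and target and shown.group(1) != target:
            findings.append(f"link text shows {shown.group(1)!r} but points to {target!r}")
        # 3. Link points at a bare IP address rather than a named host.
        if _is_ip(target):
            findings.append(f"link points at bare IP address {target!r}")
    # 4. Pressure or credential-harvesting language anywhere in the body.
    lowered = body.lower()
    findings.extend(f"pressure/credential phrase: {p!r}" for p in PRESSURE_PHRASES if p in lowered)
    return findings


def should_report(raw_message, threshold=2):
    """Training rule of thumb (assumed): two or more indicators means forward it to security."""
    return len(phishing_indicators(raw_message)) >= threshold


# Constructed sample messages (not real mail).
PHISH = """\
From: IT Support <helpdesk@corp-example.com>
Reply-To: recovery@mail-secure-login.net
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours.</p>
<p>Please <a href="http://203.0.113.7/login">verify your account</a> at
<a href="http://corp-example.com.login-check.net/">corp-example.com</a>.</p>
"""
LEGIT = """\
From: Payroll <payroll@corp-example.com>
Subject: March payslips available
Content-Type: text/html; charset=utf-8

<p>Your March payslip is ready in the HR portal:
<a href="https://hr.corp-example.com/payslips">hr.corp-example.com</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, "-> report" if should_report(sample) else "-> ok", phishing_indicators(sample))
```

Each check corresponds to something a person can verify by hovering over a link or reading the headers, which is the point of the training: the rules are simple enough for a non-technical employee to apply, and the code only shows that they are mechanical.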
Respond
How should an employee respond to a threat or security breach when they see one? That depends on their role.
At a minimum, they should immediately report what they discovered to the appropriate bodies. In many cases, that means alerting the next person up the hierarchical chain. Response training can also teach employees immediate actions they can take to mitigate issues, once spotted.
This might mean turning off or disconnecting a compromised device. It could mean changing passwords immediately. It could be as simple as forwarding a suspicious email to a security expert.
Recover
In many cases, recovery responses will generate the most variety in training and planning. Individuals will often have to search for workarounds for work functions while a security breach is being addressed.
For instance, what does each individual do if the network goes down? What do they do when they can’t access essential files?
You can see why such training needs customization according to the role, but there is a general bit of guidance that can help along the way. You are trying to build up training that shows employees the best steps they can take to keep things from getting worse when a security breach happens.
That includes practices that prevent additional breaches from compounding the problem, and it addresses offline or reduced-technological measures they can take when the normal stuff isn’t working or reliable.
Customizing Cybersecurity Training for Your Business
Customized training helps. Employee roles are so diverse that a one-size-fits-all approach cannot possibly work well.
How, then, do you go about customizing training? You can find best practices for this too. To simplify your efforts, consider a systematic approach to training customization.
Start by picking goals. Think about how to deliver the training in a way that suits the audience. Then, build and deliver the content. Finally, evaluate your training success by finding measurable performance indicators.
Legal and Compliance Considerations
As you design training programs for your organization, it's vital to remember legal and compliance obligations along the way. One of the best examples of this comes from HIPAA. For those unaware, this is a set of regulations that determines how healthcare providers, insurers and the vendors that handle data on their behalf are required to protect patient information. This isn't just about general trust. Violating HIPAA comes with steep fines and, for knowing violations, potential jail time. These are clear legal obligations.
Such regulations exist in many industries, and here’s the bottom line. It doesn’t matter how great your security might be if you’re violating regulations. Each employee must understand how they interact with the rules and what is at stake if they fail.
Going back to HIPAA, even a desk clerk bears responsibility for protecting patient information. If they release records to an unauthorized party, the clerk could face fines and jail time, and that holds just as true for anyone else in health care. The clerk needs to know both the stakes and the rules.
Sometimes, you can fold regulatory training in with the rest of your security training. In other cases, you might need to build up individual programs just to cover compliance.
Creating a Culture of Cybersecurity
The last element of employee training and best practices has little to do with formal training. Instead, it's about buy-in. You can teach everyone all of the things they need to know, but the final success or failure of your security efforts depends on what people actually do day to day.
If the employees buy into your security strategy, it will probably work. If they blow it off, your organization is doomed to face security issues.
How do you create a culture of cybersecurity?
It starts at the top. This is another reason why top-level leadership needs more cybersecurity training and more buy-in. With that, they can filter the culture down through layers of management, and the company can orient around security best practices.
The NIST framework outlines everything you need to consider to build robust cybersecurity measures for any organization. It shows you where training is most critical, and it highlights the topics you need to cover with every member of the organization. Use it as a guide, and you’re already that much better for it. You can work with cybersecurity experts to learn more. You can also spend time with official resources that cover your bases:
Contact Graffen to get a cybersecurity plan that works for your organization.