RITC Cybersecurity Comments:
When we review stories like this, and they point to human failings involving social engineering, ransomware, or stolen credentials, our experience tells us that this usually points to inadequate security training. That inadequacy typically takes several forms:
• Lack of understanding of the importance of cybersecurity training: Unfortunately, we still encounter companies that don’t believe they have anything to steal and invest the minimum amount into cybersecurity practices for the enterprise.
• Inadequate security training: Some small to medium-sized companies do not have the budget or staff to maintain up-to-date security training that includes phishing, social engineering, and general awareness. They often rely on either outdated training solutions or those created in-house. In the current cybersecurity climate, that is no longer adequate to ensure users are properly equipped to deal with cybercriminals.
• Infrequent security training: This is still an issue we see repeatedly. Many companies require cybersecurity training at onboarding or annually, but it is generally forgotten for the rest of the year. RITC Cybersecurity recommends that cybersecurity training be conducted quarterly, especially phishing training. We know that sounds burdensome, but there are strategies to make this less work than annual training.