Cross-Departmental Cybersecurity Training for Digital Marketers

Intro

Cybercriminals are advancing, both in numbers and creativity. Did you know that consumers and businesses alike lost $12.5 million to cybercrime in 2023, and that according to the FBI, this number is still probably on the low side?

Moreover, we can expect this number to continue rising, as data shows us that 2023 was an all-time high for cyberattacks, with the volume increasing by 72% from 2021 (the previous record holder for most attacks). Notably, the cause of such incursions is usually mundane, with email attacks being one of the most common. 94% of organizations reported breaches via email malware, and research shows that 35% of malware attacks are delivered via email.

Comparatively, the average loss as a result of data breaches is $4.4 billion. Put another way, your organization is one bad email away from losing a lot of money. And those are only emails; cybercriminals are, unfortunately, stepping up their game along with technology as it evolves.

Unsplash

While these numbers are frightening, what they emphasize is a need for units across the company to band together to protect company data. It’s not enough for your company to just have a team dedicated to maintaining your cybersecurity software; teams across your organization need to know and implement cybersecurity best practices throughout their day-to-day responsibilities.

This is especially true of your marketing department. The marketing department has access to a large volume of customer data, and actively utilizes that data in their day-to-day. This makes marketing an especially valuable target for cybercriminals; if a less-seasoned intern or even an overworked director opens the wrong email, clicks the wrong link, or otherwise opens the door, your company is looking at a multi-million dollar loss. Not to mention a hit to your reputation, as customers are less likely to entrust their data to an organization that misplaces it.

So how can you prepare your marketing department to avoid cybersecurity threats? What is involved in getting everyone up to snuff on cybersecurity protocol, and how can you measure your team’s progress as they proceed through your program? In this article, we’ll break down practical tips and tricks that will help you assemble teams into a unified front, protecting company data and avoiding cybersecurity threats even as they evolve.

Enhancing Awareness

Unsplash

Teams can’t begin to deal with a threat they aren’t aware of. You should never assume that people across your marketing team are aware (even on a basic level) of the tactics cybercriminals use to break through. Perform a basic audit of your team’s awareness, testing their knowledge of these common cyberattacks:

• Malware How do cybercriminals often get malware on employee computers? Are there ways to avoid this unwanted intrusion?
• Phishing What should you do if you get an email from outside the company with a clickable link at the bottom? If the email claims to be from inside the company, but has a similar clickable link and seems strange, such as your CEO asking all employees to fill out a form, what should you do?
• Social Engineering Should you ever pass out sensitive information, such as company records, passwords, or personal information, through the web? If someone who claims to be from inside the company (but whom you don’t recognize) asks you for these things over email, what protocol can you follow to verify the email’s accuracy?

Once you’ve attained a basic idea of your team’s overall awareness, it’s time to do your part and fill in the holes in their knowledge base. Raising awareness is paramount for mitigating risk, and there are ways to sustain that awareness beyond a training program that you should consider implementing across your company.

While training programs are also important (as we’ll discuss in a moment), you want cybersecurity to be on your employees’ minds every day; and you can accomplish that goal with these simple process changes.

• Device Hardening Protocols Instituting a protocol that requires employees and other company system users to frequently update their passwords. This is critical because even one system that still uses an old password is a vulnerability; one that cybercriminals can and will exploit. Yet, many organizations write this step off as a minor thing that they’ll get to later – if that describes your organization, this is one of the first things you can do to protect yourself.
• End-to-end Encryption Having a system in place that has the ability to encrypt data in motion is vital; but you also need to make sure you are able to encrypt data at rest. Employees should be aware of the presence of these systems and their role.
• Patch Management It’s inevitable that as operating systems age, vulnerabilities will become both more prominent and more pressing. Stay on top of the issue by frequently issuing patches, and encouraging employees to update their devices as often as possible. If, for some reason, an employee in your marketing department does not install said patches, they’re leaving their system open to possible attacks. Instituting a regular update process and holding employees accountable is of paramount importance.

Once you’ve assessed employees’ existing knowledge and implemented these company-wide practices, it’s time to turn to the next step: training.

Instituting a Thorough Training Program

Unsplash

The key to instituting a training program that sticks is to not treat it like a one-off seminar. Nobody, and I mean nobody, will retain anything from a 30-minute, collegiate lecture about the dangers of cyberattacks, with corporate-appropriate branding and shiny transitions. At best, team members will remember a fact or two if they know there’s a test afterward; at worst, they’ll just minimize their window and focus on their work, treating this vitally important course as a check on HR’s checklist.

The best way to institute a training program that will deliver value is to focus on practical insights. Instead of a short presentation, treat training like a multi-seminar course that requires employees to demonstrate their newfound knowledge at every go. You can use different stages of that course to teach them not only about baseline best practices but about cybersecurity trends like:

• Blockchain tech The blockchain is one of the newest innovations in data security, as its built-in security makes it ideal for data-sharing and conducting transactions. A short course on the benefits of using the blockchain, and the unique security issues associated with it, would be an excellent primer, especially if your organization is considering using it.
• Dark Fiber Networks A new way to structure networks that unlocks control over stability, security, and bandwidth, dark fiber networks are also quickly gaining traction. This is partially because they allow users to easily implement data security protocols, and partially because of their predictable costs and low overall latency. Training on this would teach employees how to interact with a dark fiber network, what controls are in place, and how these networks add an extra layer of security.
• VPNs VPNs similarly create an extra layer of privacy as users surf the web, funneling sensitive data through a private, encrypted channel. VPNs have gained a lot of popularity recently, as 77% of consumers use VPNs to protect their private data while online. The use cases for corporations are similarly promising, and understanding how to set one up properly will be key for employees handling sensitive data.
• DNS Protection DNS Tools restrict the types of websites employees can access while searching the web, preemptively screening out websites that have a high risk of malware infection. Knowing that these tools exist, and why, lets employees know that when they trip the system, the website they were trying to access is best steered clear from.
• Zero Trust Networks Zero Trust Networks combine rigorous identity verification with limited access to company data. Understanding why these controls are in place (and in some cases, how to set them) helps employees differentiate between sensitive data and publicly sharable information, keeping data privacy front of mind.

Of course, such courses must also include primers on the most common forms of cyberattack, such as phishing, social engineering, ransomware, and brute force attacks. Taking it a step further empowers employees with the knowledge of what solutions are out there, how they work, and why they’re necessary. This strategy prepares employees to use these solutions, avoid their vulnerabilities, and protect your data vigilantly from multiple angles.

Measuring Successes

Once you’ve raised awareness and created a technology training program, you then need to be able to attain a high-level view of team members’ progress. Setting KPIs before you embark on these initiatives is paramount, as you want to be able to tell if your initiatives are preparing your teams appropriately.

Unsplash

Testing is one element you can use; others include tracking patch adoption, monitoring access to sensitive data, and instituting regular check-ins with team members who aren’t doing as well adapting. Reporting on attempted cyberattacks (and how your team members dealt with them) can also be helpful, as it allows you to pinpoint vulnerabilities within your current processes and re-evaluate them accordingly.

Remember: you’re only as strong as your weakest link. Keep your eye on the ball, make sure training is ongoing, and research the latest cybersecurity threats periodically, and you’ll keep your sensitive data both secret and safe.