If the solution to the problem of how to get good cyber security was packaged in a box and sold at Wal-Mart, IT professionals would have nothing to worry about. They could arrange for employees to pick up their security package when activating their new smartphones.

Unfortunately, getting good cyber security isn’t that simple. Good cyber security practices aren’t purchased in a store: they have to be taught. And the sad reality is, most employees aren’t receiving a solid cyber security education. In fact, according to a survey commissioned by Sungard Availability Services*, IT professionals believe that employee behavior is one of the biggest threats to company cyber security efforts. The biggest security-related concerns are employees who are careless with their mobile devices and employees who have poor password hygiene.

“The weakest link in security is between the keyboard and the seat,” said Kevin Epstein, Vice President of Advanced Security and Governance with Proofpoint. “There are few security systems that can withstand the efforts of a user with a mouse who's determined to click. Many if not most of the major breaches in the last twelve months have been initiated by a user clicking a link in a phishing email. Education can reduce -- though not eliminate -- such behavior.”

There are several reasons why it is important to educate employees on cyber security. The first is to protect organizational data (e.g., new and current designs) and information related to customers or suppliers, said Gary Griffith, Faculty Member with the School of Information Systems and Technology at Walden University. The second reason is to prevent downtime or loss of productivity due to attacks on the company’s technical equipment.
“Employees should understand or know about the harm these attacks can cause, including shutting down facilities for days while the IT staff tries to remove the malware and bring all the systems back online,” Griffith explained.

Griffith likes to mix real-life examples along with the different types of cyber-attacks in his cyber security education strategy. This allows users to see what those attacks are doing to gather information and how they can affect a business. “I also like to include why it is important that employees understand the consequences of their actions,” he added. “For example, if it was reported in the news that customer data had been stolen, what would happen to the company’s ability to attract new customers or keep current customers? What would happen to employees’ jobs and careers if leadership had to pay fines for the loss of customer data? It is important to let employees know that what they do daily matters, because they are ultimately the ones that can prevent most cyber-attacks.”

Teaching the basics about what a cyber security threat is and how it does damage shouldn’t be done in a passive manner. Security education should be hands-on and targeted, Epstein said. “Too many organizations apply a blanket policy or standard training -- which bores the sophisticated users and fails to assist the less-technical users. The best education often involves an IT organization understanding which users are most prone to clicking on what lures, then creating focused education around those areas -- for example, 'phishing' their own organization.”

Overall, the best security practices come down to common sense, not sophisticated technology, according to Ashley Schwartau, Creative Director with The Security Awareness Company.
Schwartau uses the following best practices in her security education:

Incident response - knowing how and whom to report potential security incidents to.
Passwords - knowing how to make strong ones, and changing them regularly.
Malware - understanding the main types of threats and how they can be avoided.
Safe Surfing - remembering that you are what stands between the outside world and the inside of the company, and that you represent your organization when online.
Phishing and Social Engineering - recognizing phishing attempts and social engineering attacks.
Mobile and the Cloud - treating mobile devices as you would any computer and understanding that just because files are stored in the cloud doesn’t make them immune to security threats.
Preventative Care – backing up regularly, installing anti-virus software, and patching software and operating systems as soon as prompted.
Non-Technical and Physical Security – shredding sensitive documents when no longer needed, requiring identification badges for employees and guests, and keeping track of all devices.
Privacy - understanding how identity theft happens and how you can protect against it.
Policy - knowing and understanding security policy as well as the consequences of not following policy, and how to quickly find policy when in doubt.

In the end, the best security education is something that employees will regularly practice. The more simple and straightforward it is, the more likely they’ll remember to be safer on their computers.

*The survey, commissioned by Sungard Availability Services, was conducted by SurveyMonkey Audience. The survey reached 276 IT professionals and was completed in December 2014.

Other Posts in This Series:

How Employees Accidentally Compromise Their Company’s Cyber Security
The #1 Cyber Security Threat To Information Systems Today
The #1 Information Security Policy That IT Managers Would Change
Password Security: Reality Or Joke?