Wednesday, October 23, 2024

How to raise employee cybersecurity IQ with cybersecurity awareness training.

5 key takeaways from Scality’s latest workforce-training campaign

October is Cybersecurity Awareness Month, and its lessons for employers on keeping confidential data and IP safe from cybercriminals are ones we all need to embrace. Training employees to identify suspicious behavior and threats is, in a way, similar to family dynamics: when our kids are young, we hope to spare them from learning life's lessons the hard way, especially the dangerous ones. As adults, we have the wherewithal to seek out wisdom from experts and peers to avoid making mistakes.

But cybersecurity is clearly not your average problem to solve. In 2024, the average cost of a data breach rose to $4.88 million, a 10% increase driven by post-breach remediation and business disruption [1]. Ouch. The bad actors who continue to harm businesses are constantly finding new ways to up their game.

As the saying goes, the best defense is a good offense

A key part of bolstering an organization’s defenses is preparing for ISO 27001 certification, an internationally recognized standard for information security management systems (ISMS). At Scality, we are actively working toward ISO 27001 certification, focusing on both technical security controls and raising cybersecurity awareness among employees. 

Through recent employee awareness and training initiatives, the Scality team has learned valuable lessons about how to boost employees' cybersecurity IQ and engagement across the organization.

In this article, we’ll share the insights we’ve learned, including employee training scores and proactive follow-up steps we’re taking.

The role of ISO 27001 in strengthening security

ISO 27001 provides a structured approach for companies to manage and protect sensitive information through a combination of policies, procedures, and security controls. Over 58,000 organizations around the world are certified, and many others, like Scality, are pursuing certification to demonstrate their commitment to security.

By adhering to ISO 27001, businesses can:

  • Manage risk: Systematically identify vulnerabilities and implement measures to protect data.
  • Boost customer confidence: Certification reassures clients and partners that their information is safe.
  • Reduce breach costs: An ISMS run to ISO 27001 improves resilience and can lower both the likelihood and the impact of breaches.

At Scality, preparing for ISO 27001 has been a company-wide effort that integrates employee training with broader security controls. The goal? Create a security-conscious culture where every employee plays an active role in protecting the company’s data.

Results from our latest internal cybersecurity awareness training

As part of our preparation for ISO 27001 certification, Scality recently conducted an employee awareness training campaign to train employees on a variety of critical cybersecurity topics, including:

  • Password management
  • Social engineering
  • Ransomware and phishing
  • GDPR
  • Information classification and management
  • Laptop security updates
  • Backup management
  • Common Vulnerabilities and Exposures (CVEs)

The training included a series of short videos that covered these key topics, followed by quizzes to measure employee comprehension. So far at Scality, 90% of our employees have participated, and 86.5% passed the quizzes with a score of 75% or greater.

These results indicate that employees are better able to recognize phishing attempts, identify suspicious behaviors, and follow security best practices. Most importantly, the quiz results show our security team which areas need additional training and support.

Each time we conduct employee training, whether cybersecurity or otherwise, we not only review the scores, but also take note of feedback and indicators that show where we can improve the training process. 

The three most common challenges faced by IT when educating employees

  • Lack of employee engagement: Employees may not be interested in learning about new technologies or security procedures. They may see it as an extra burden on top of their already busy workload. This can be especially challenging when the training is mandatory.
  • Varying levels of technical expertise: Employees have different levels of knowledge and experience. Some employees may be very comfortable with new technologies, while others may need more support. This can make it difficult to develop training programs that are appropriate for everyone.
  • Time constraints: Employees are often busy and may not have time to attend training sessions or complete online courses. This can be a major barrier to effective IT education.

To address these challenges, our IT department has recently implemented two key changes to improve the effectiveness of our internal education programs:

  • Make training short, relevant, and engaging: Training should be relevant to employees’ job roles and delivered in an engaging and participative way.
  • Provide a variety of training formats: Offer training in various formats, such as online courses, in-person sessions, and hands-on labs.

Five key takeaways to raise employees’ cybersecurity IQ

Based on our internal efforts and insights from the ISO 27001 preparation, here are a few key takeaways we’ve identified which you may find useful within your own organization.

  1. Conduct regular phishing simulations
    Cybercriminals rely heavily on phishing emails to trick employees into revealing sensitive information. In fact, phishing is one of the most prevalent ways cybercriminals initiate data breaches. According to a Verizon 2022 report, 36% of all data breaches involved phishing. At Scality, we run monthly phishing simulations to test employee responses in real time. Employees who click on suspicious links are redirected to additional cybersecurity awareness training, helping them learn from their mistakes without real-world consequences.

    Figure: Three examples of phishing emails in which scammers pose as trusted entities, using familiar branding and language, to manipulate victims into clicking on malicious links. This can lead to the installation of malware or the disclosure of sensitive information.

  2. Use AI tools for real-time protection
    To run these simulations, we have contracted with Mantra, a third-party company that generates phishing emails for employee cybersecurity awareness training. We also use Mantra's AI-based "Smart Banners" tool to alert Scality employees in real time when threats are detected in incoming emails (based on content analysis). Smart Banners help employees recognize potentially harmful emails before engaging with them.
  3. Focus on human error
    Phishing awareness: Since phishing remains one of the most common entry points for cyberattacks, use simulated phishing campaigns to teach employees how to recognize suspicious emails.
    Password hygiene: Reinforce the importance of MFA (multi-factor authentication) and the use of password managers. Highlight how weak credentials coupled with single-factor login remain a top vulnerability.
  4. Break training into manageable segments
    One of the keys to successful employee training is keeping the content concise and focused. Instead of overwhelming employees with lengthy sessions, we offer short video modules on individual topics like ransomware, phishing, and password management. After each module, employees complete a quiz to reinforce what they have learned. In addition to video content, we also point employees to internal security documentation, where the quiz answers can be found. This encourages familiarity with a broader range of employee resources.
  5. Promote a culture of verification
    Scality's IT and Security Team frequently reminds employees to verify any unusual or sensitive requests, whether via email or phone. Encouraging employees to double-check requests, especially those involving financial transfers or access to critical systems, helps prevent social engineering attacks.
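To make concrete the kind of header and content analysis an inbound-mail warning banner can perform (takeaways 2 and 3 above), here is an added example written for this article. It is not Mantra's Smart Banners logic and not Scality's code; the organization domain acme.example, the protected display names, the keyword list, the scoring thresholds and the three sample messages are all constructed assumptions. It parses a raw message with the Python standard library, collects independent indicators (external or look-alike sender domain, display-name impersonation of internal staff, a Reply-To that diverges from the sender, urgency or credential language, links to third-party hosts) and turns their count into a banner level.

```python
"""Heuristic inbound-mail banner: scores header and content indicators that
commonly appear in phishing so a warning can be prepended for the recipient.
Illustrative example only; not Mantra's Smart Banners logic."""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "acme.example"            # assumed internal domain (constructed)
# Assumed: staff whom attackers most often impersonate (finance, executives)
PROTECTED_NAMES = {"alice finance", "bob ceo"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "password",
                 "verify your account", "gift card")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against ORG_DOMAIN means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(dom: str) -> bool:
    return dom == ORG_DOMAIN or dom.endswith("." + ORG_DOMAIN)


def analyse(raw: bytes) -> dict:
    """Return {'level': none|caution|danger, 'indicators': [...]} for one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    indicators = []

    if not is_internal(from_dom):
        indicators.append("external sender")
        # Look-alike: within two edits of our domain, or our brand label
        # embedded in a foreign domain (e.g. acme-secure.net)
        close = 0 < levenshtein(from_dom, ORG_DOMAIN) <= 2
        if close or ORG_DOMAIN.split(".")[0] in from_dom:
            indicators.append(f"look-alike domain {from_dom}")
        if " ".join(name.lower().split()) in PROTECTED_NAMES:
            indicators.append(f"display name '{name}' impersonates internal staff")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        indicators.append(f"Reply-To domain {domain_of(reply)} differs from sender")

    # Scan subject plus the preferred text body for pressure language and links
    part = msg.get_body(preferencelist=("plain", "html"))
    text = (msg.get("Subject", "") + "\n" + (part.get_content() if part else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency/credential language: " + ", ".join(hits))
    for host in URL_HOST_RE.findall(text):
        if not is_internal(host) and host != from_dom:
            indicators.append(f"link to third-party host {host}")

    # Banner level grows with the number of independent indicators
    level = "none" if not indicators else "caution" if len(indicators) < 3 else "danger"
    return {"level": level, "indicators": indicators}


def banner(result: dict) -> str:
    """Text to prepend to the message body; empty for clean internal mail."""
    if result["level"] == "none":
        return ""
    return f"[{result['level'].upper()}] " + "; ".join(result["indicators"])


# Constructed sample messages (not real traffic)
PHISH = b"""From: Bob CEO <bob.ceo@acrne.example>
To: alice.finance@acme.example
Reply-To: bob.ceo@mail-relay.net
Subject: Urgent wire request
Content-Type: text/plain; charset="utf-8"

Alice, I need you to process a wire immediately. Confirm at https://secure-pay.net/approve
"""
LEGIT = b"""From: Alice Finance <alice.finance@acme.example>
To: bob.ceo@acme.example
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Bob, the Q3 figures are on the shared drive at https://docs.acme.example/q3
"""
VENDOR = b"""From: Support <support@helpdesk-vendor.net>
To: alice.finance@acme.example
Subject: Your ticket has been updated
Content-Type: text/plain; charset="utf-8"

Hello, ticket 1234 has a new reply. View it at https://helpdesk-vendor.net/tickets/1234
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT), ("vendor", VENDOR)):
        print(label, "->", banner(analyse(raw)) or "(no banner)")
```

The vendor message shows the trade-off such heuristics face: a legitimate external sender earns a low-level caution banner rather than silence, which is what most "external sender" banners do in practice, while the impersonation attempt stacks five independent signals and is marked as dangerous. A production tool would add authentication results (SPF, DKIM, DMARC) and sender reputation to this list rather than rely on content alone.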

Preparing for ISO 27001: Next steps 

As Scality prepares for ISO 27001 certification by the end of 2024, we’ve learned that the journey is just as important as the destination. 

Here’s how we’re preparing:

  • Incorporating ISO 27001 training into our ongoing cybersecurity awareness training program.
  • Developing and maintaining, as a software development company, a design manifesto aligned with ISO 27001. The manifesto also incorporates recent security recommendations, initiatives, and standards, such as the EU NIS 2 Directive and the US Executive Order on Improving the Nation's Cybersecurity.
  • Setting clear policies and procedures for handling security incidents and potential breaches.
  • Regular employee training and quizzes to assess and improve their knowledge.
  • Threat simulation training, using phishing simulations and AI-based email banners, that trains employees to identify the risks in incoming emails.
  • Continuously monitoring new cyber threats, security technologies, regulations and legal requirements to inform our employees of major events, changes and evolutions.

Empowering employees: The key to stronger cybersecurity

Cybersecurity is everyone’s responsibility, not just the IT Team. By investing in employee awareness training, running simulations, and fostering a culture of verification, you can significantly strengthen your organization’s defenses. The results of our recent training—90% participation and an 86.5% passing rate—demonstrate that with the right approach, employees can truly become the first line of defense against cyber threats.

As we work toward ISO 27001 certification, this journey has reinforced the lesson that protecting our data starts with empowering employees. It has brought our departments closer, uniting us in the shared goal of safeguarding sensitive information and achieving global security standards.

By adopting a similar strategy, your organization can build greater resilience against evolving cyber threats and be better prepared for whatever the future holds.

[1] https://www.ibm.com/reports/data-breach

