If you are not training your employees on cyber security best practices, you are missing the biggest opportunity for improvement in your entire cyber security posture. Your employees have access to a great deal of important data, and they are the ones who decide, many times a day, whether that data stays protected or walks out the door of your organization.
A lack of cyber security training has been at the heart of a number of major security breaches. You have probably heard about the new HR employee who got an email, apparently from the president of the organization, asking for W-2 information on every employee, and sent it exactly as instructed. The employee did not recognize that the email came from an address controlled by a criminal impersonating the CEO, or did not recognize the suspicious links in the email.
These are called “phishing” attacks: a cybercriminal sends an email with a malicious attachment or a link to a malicious website, in the hope that the victim will open the attachment or click the link. Sometimes the email is customized to be especially convincing for a specific victim, as in the example of the cybercriminal impersonating the CEO to a new HR employee. Those are called “spear phishing” attacks.
Cybersecurity threats such as these need to be part of your organization’s training program so that your employees understand the security risks. If they understand the risks, they are more likely to understand the actions they can take to prevent security incidents from taking place.
These issues affect small businesses and large companies alike. They arrive over email, social media, phone calls and even text messages, and cyber criminals target PCs, Macs and mobile devices.
Most cybercrime starts with “social engineering,” where cyber criminals manipulate well-intentioned employees into doing something harmful, or exploit human error such as the use of overly simple or reused passwords. Cybersecurity training that educates your employees is your organization’s best defense against these types of cyber crime.
Entire business models are based on this kind of fraud. Let us pretend that I am going to build a site with the world’s best collection of adorable pet pictures. I’ll give you the first 10 for free (and those 10 are the most adorable pictures you have ever seen), but to see more, you need to set up a username and password. Access is still free of charge, though.
This honestly sounds completely harmless on its surface, right? Wrong. Let’s pretend that I own this website and I am a cyber criminal, and my business model is to try to use the username and password you just entered at my website at every major banking website, on all major email providers, on your organization’s VPN portal, and anywhere else that I think you might have used it.
I will then try to exploit you for financial gain. I will try to withdraw money from your bank account, extract any valuable information I can from your websites, and sell that information for a profit. I might even ransom your own data from you to make even more money (this is called a ransomware attack), and then move on to the next victim.
So where can your company start? Start with an employee cyber security training program. Your employees need to be educated on cyber security best practices. Here is a list of issues that any good employee cyber security awareness training program should address:
1) Implement real password policies.
There is no easy way to say this, so let’s come out with it: passwords stink. They are no fun to create, no fun to remember, and often no fun to type in. That being said, passwords are still the most common authentication method today.
It is imperative to implement a strong password policy requiring passwords that cannot easily be guessed, together with end-user training to go along with it. Microsoft Active Directory’s “Password must meet complexity requirements” policy setting is a start, but it only enforces character classes and a minimum length; it does nothing to stop a user from choosing a password that has already appeared in a public breach, so also screen new passwords against a list of known-compromised passwords where your platform supports it. Mixed character types are still a reasonable baseline, but length matters more than complexity, and a password manager makes long, unique, randomly generated passwords practical.
Many users use the same password for every online system they log into. This is a very serious problem: if one site is breached, cybercriminals will try those credentials at every common website, and possibly at your business’s VPN or on personal devices. Your cyber security awareness training program must encourage team members to use a different password for every site, and especially for any system that your organization uses.
This is so common that there is a hacking term specifically for it: “credential stuffing.”
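The credential stuffing just described has a recognizable shape in your own authentication logs: one source address trying many different usernames in a short time, with most attempts failing and the occasional success marking an account whose reused password worked. The following detector is an added example written for this article, not code from the original page or from TCE Strategy. The log line format, the source addresses, the usernames and the alert thresholds are all constructed assumptions; adapt the regular expression to the format your VPN portal or identity provider actually emits.

```python
"""
Credential-stuffing detector run over constructed VPN/SSO authentication log lines.

Added example for this article (not the author's code). The log format,
every IP address and username, and the thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp, source IP, username, result).
# 203.0.113.10 tries seven different accounts in a few seconds and gets one hit;
# 198.51.100.7 retries a single account (a different pattern); 192.0.2.55 is normal.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2024-03-04T09:00:02Z src=203.0.113.10 user=bob result=FAIL
2024-03-04T09:00:02Z src=203.0.113.10 user=carol result=FAIL
2024-03-04T09:00:03Z src=203.0.113.10 user=dave result=FAIL
2024-03-04T09:00:03Z src=203.0.113.10 user=erin result=SUCCESS
2024-03-04T09:00:04Z src=203.0.113.10 user=frank result=FAIL
2024-03-04T09:00:05Z src=203.0.113.10 user=grace result=FAIL
2024-03-04T09:01:10Z src=198.51.100.7 user=heidi result=FAIL
2024-03-04T09:01:20Z src=198.51.100.7 user=heidi result=FAIL
2024-03-04T09:01:35Z src=198.51.100.7 user=heidi result=SUCCESS
2024-03-04T09:02:00Z src=192.0.2.55 user=ivan result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.5):
    """
    Flag a source IP when, within any `window`, it attempts logins against at
    least `min_users` distinct accounts and no more than `max_success_rate` of
    those attempts succeed. Many distinct usernames from one source separates
    stuffing from an ordinary user mistyping their own password.
    Returns {source_ip: details}, where details includes the accounts that
    produced a SUCCESS and should be forced to reset their password.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i, (start_ts, _, _, _) in enumerate(evs):
            # all attempts from this source within `window` of this start event
            in_window = [e for e in evs[i:] if e[0] - start_ts <= window]
            users = {e[2] for e in in_window}
            successes = sum(1 for e in in_window if e[3])
            if len(users) >= min_users and successes / len(in_window) <= max_success_rate:
                hit = {
                    "window_start": start_ts,
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "successes": successes,
                    "accounts_to_reset": sorted({e[2] for e in in_window if e[3]}),
                }
                # keep the window with the widest spread of usernames
                if best is None or hit["distinct_users"] > best["distinct_users"]:
                    best = hit
        if best is not None:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, details in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {details['distinct_users']} accounts tried, "
              f"{details['successes']} succeeded; reset {details['accounts_to_reset']}")
```

Run as-is and only 203.0.113.10 is flagged, with erin listed as the account whose reused password let the attacker in. The single-account retries from 198.51.100.7 are deliberately not flagged, since a brute-force or password-spray pattern needs its own rule. Two caveats when you move this to real data: a corporate NAT or a VPN concentrator can make hundreds of legitimate users share one source IP, so tune the thresholds per environment, and attackers who rotate through many proxy addresses will spread their attempts below any per-IP threshold, which is why the successful logins from unfamiliar sources should be reviewed as well.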
2) Be aware of phishing scams and other social engineering scams. Employees need training on how cybercriminals operate so that they can spot signs of foul play.
3) Incorporate employee cyber security training into your company culture. Most companies have some sort of safety guidelines that their employees must follow or be aware of, and cyber security should be no different. There are a number of companies that specialize in this type of training, and they may or may not be a good fit for your company culture.
Picking the right type of training is critical; having a good cultural fit is more important than the actual content. Be sure to do proper due diligence to ensure that the training content offered by the company or companies you are considering is a good fit for the culture of your organization.
The important message here is that you already know you must train your employees on certain things in order for them to perform their job functions. Training them on cyber security best practices is a critical part of almost every employee’s ability to do their job properly. If you are uncertain how to structure a cyber security training program, find an advisor who can help you.
Questions to explore this topic further with your company’s leaders:
When was the last time you were trained on cyber security? What key learnings did you take away from it?
Do your team members who have access to sensitive data get additional training above and beyond those who do not?
Need guidance in how to implement a comprehensive and successful employee cyber security training program for your company? Contact Bryce today.
BRYCE AUSTIN, CEO, TCE STRATEGY
Cyber Security Expert, Best Selling Author
Bryce holds a CISM certification and is an internationally recognized professional speaker. With over 20 years as a technology leader, Bryce advises the boards of companies in a diverse array of industries. He is the named CISO for many companies, including one in the S&P 500.
Bryce’s best-selling book is titled Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.