It’s typically believed that the most sophisticated and complex cyberattacks are the biggest threat to a business.
In reality, however, the biggest cybersecurity threat for many businesses is their own employees. In fact, four of the five top causes of data breaches are down to human or process error. This includes loss or theft of paperwork, data emailed to the wrong recipient and insecure web pages.
In an ever-changing digital-first landscape, where cyberattacks are becoming more and more sophisticated, keeping up with the methods used by cybercriminals and making sure employees are aware of the dangers have become significant challenges.
In this blog, we list three cybersecurity training tips for businesses looking to get employees up to speed and in turn keep business information protected.
Update cybersecurity policies and procedures and educate employees
Employees who aren’t aware of their cybersecurity obligations are more likely to ignore relevant policies and procedures, which could lead to unintentional disclosures of data or successful cyberattacks.
The fundamental issue here is that policies and procedures are never actively taught, shown or provided in context. Instead of showing how these policies and procedures protect the business in a real-life scenario, employees are instead handed the business’s cybersecurity handbook or tip sheet and told to remember it, often alongside the rest of the company’s policies (working hours, holiday protocol, dress-code, benefits, etc.) during induction. The policies and procedures can often be complex and confusing, may not have been updated properly, and could be difficult to apply.
Taking this into account, businesses need to carefully review their cybersecurity policies and procedures to make sure they are not only easy to understand and apply, but also up to date. For example, if a BYOD culture exists within the organisation and the cybersecurity policies have not been updated to take this into account, security holes are inevitable.
Similarly, if those policies have no information to govern how business devices are used – i.e. if the devices are specifically for business only – employees will naturally use them for personal activities and potentially expose crucial business information to cybercriminals.
The last thing businesses need to do to ensure employees are up to scratch is to run regular cybersecurity training courses. Show employees how these policies and procedures work to protect the business and get senior members of staff to champion and emphasise them to employees. This will ensure that a culture of cybersecurity is developed at every level within the business.
Underline the importance of password management
According to a study carried out by OneLogin in 2017, less than a third (31%) of IT decision makers require employees to rotate passwords monthly. Another report by OpenVPN revealed that 25% of employees admit that they use the same password for every enterprise system they access.
Evidently, password management is a major issue and challenge for businesses when it comes to cybersecurity. With employees disregarding basic password management and IT decision makers failing to remind those employees, there needs to be a drastic change in attitude if businesses are to improve cybersecurity practices.
Businesses need to take a more positive approach to the password management process. Not only should they implement more advanced password management tools – multifactor authentication or even PKI authentication – but they should also reward employees that follow the password procedures outlined in their cybersecurity policies.
At the same time, employees also need to realise their responsibility in the process – and this starts with senior business members and C-suite executives teaching the importance of this to the rest of the employees. At every stage they should sit down with employees and explain the business benefits of comprehensive password security in a way those employees can understand. Providing real-world examples such as identity theft and data theft, for instance, can help to get employees on board.
Help employees to understand phishing
Phishing is on the rise, and cybercriminals are getting better and better at it. More than 2,500 complaints were recently made about fake TV licence emails, while a US university was breached after two students fell for a phishing scam.
Cybercriminals have recognised the futility of targeting other attack vectors due to the sophistication of current solutions. Instead of attacking software, cybercriminals are going after the individuals and targeting endpoints – such as mobile phones and laptops – to get access to a business’ wider network.
The challenge is educating employees on phishing so that they can identify a phishing email – particularly if they are using an endpoint device such as a mobile phone or laptop – and follow through with reporting it.
On that basis, IT departments should run employees through the basics of spotting a phishing email; some of the things to look out for are:
- Email address
Cybercriminals have methods to disguise fake emails and know how to trick victims into thinking a sender is legitimate. Businesses should have a process or solution in place to highlight unknown senders and block known fraudulent email correspondence. If employees spot a rogue email address, they should flag it with their IT department before proceeding.
- Greetings in the email
Phishing emails are often automated and lack personal greetings. These emails have generic terms like “customer”, “employee” or “dear sir/madam” with no recognition of the recipient’s name. Employees should be cautious of these emails, especially if they are asking for personal information.
- Grammar and style
Many phishing attacks come from other countries, so these emails are often written by non-native English speakers. These emails typically include grammar and stylistic issues. If an email comes from a supposedly reputable brand or company but includes spelling and grammar mistakes, it’s probably a scam.
- Link destination
Before clicking on links in emails – employees should hover over them to check the link destination. If the website URL looks suspicious, is different to the sender’s supposed brand/company – employees should be cautious and check it online or flag it.
- Calls to action
Emails demanding immediate action or response (and have a number of the issues mentioned above) are most likely scams. These emails are designed in such a way to scare people into taking action and/or giving up confidential information.
- Images and logos
Don’t trust images and logos. They can easily be downloaded and replicated. Cybercriminals can insert any kind of visual content into emails to persuade victims that their emails are legitimate. Take them with a pinch of salt.
Getting employees to look at all of the above will help businesses to keep employees and data safe and secure. A good rule of thumb is if unsure of the legitimacy of an email – flag it.
Regular cybersecurity training and review of policies and procedures will help to build a culture of cybersecurity within a business. As employees come to appreciate the importance of it, they will follow process in everything they do – and teach the same to new employees.