Cybersecurity is a worldwide concern; no company is immune to attack. It is important that your business provides ongoing employee education on cybersecurity threats. In this article, you’ll learn why your employees need to stay well-informed, fully equipped, and proficient in security protocols.
This article will provide SMBs and organizations with resources for continuing education in the fight against cyberattacks. It covers:
- First Line of Defense: Simple but important: passwords and basic access controls.
- Cybersecurity Education Topics: Why malware, social engineering, phishing, and password policies should be included in security training.
- Cybersecurity Training Methods: How hacking demos and simulated scenarios can teach your employees to “not take the bait.”
Content Summary
Introduction: Cybersecurity in the Digital Age
First Line of Defense
Cybersecurity Education Topics
Cybersecurity Training Methods
One wrong click from a well-meaning employee is all a cybercriminal needs to get into your network, so data breach protection requires every employee to be fully prepared.
IT Teams are looking for creative and intuitive ways to keep employees engaged and vigilant when it comes to cybersecurity. Especially now, training and communication about emerging threats, phishing attacks, and the true cost of a data breach are integral as employees continue to work from home.
This article will help you continue, or kick-start, your employee cybersecurity training program. We highlight how to spot phishing emails, how to train employees to follow best practices, and different ways to keep the conversation going all year.
Introduction: Cybersecurity in the Digital Age
Cyberspace is the digital frontier of humanity. Learning how to navigate it is as important as navigating your daily life. Technology and civilization are evolving together, and the key to maintaining a successful relationship is to understand the role you play in protecting data. Cybersecurity is a worldwide concern. It is important, now more than ever, that businesses take the time to provide ongoing employee education on cybersecurity threats.
Globally, the number of internet users has grown rapidly: in 2019, 56% of the world population had internet access, and that number continues to grow as the 2020 global pandemic sent a large share of office employees home to work remotely. Employee error is the one vulnerability that persists regardless of which network security solution is deployed. Network administrators can account for endpoint security, data encryption, and virus blocking, but human error and psychology remain the root cause of many cyberattacks each year. A recent AT&T survey found that “one in three employees (35%) were using corporate devices for both work and personal use, one in four (24%) were sharing or storing sensitive information in unsanctioned cloud applications, and one in five (18%) are sharing their work device with another family member.” Along with these startling statistics, the Untangle 2020 SMB IT Security Report concluded that SMBs rank employees who do not follow IT security guidelines as their second greatest barrier to successful network security.
This has given cybercriminals more opportunities to exploit vulnerable network access points and deliver malware that holds business data for ransom. It is imperative to act strategically in the fight against cyberattacks. The most effective defense is a cohesive group of well-informed employees, fully equipped and proficient in security protocols.
Consider these two examples
- A payroll account employee at Scotty’s Brewhouse was the victim of an email phishing scam that resulted in 4,000 employee W-2s being sent directly to a cybercriminal.
- Due to an employee mistake at Wyze Labs, camera information, WiFi network details, and email addresses of 2.4 million customers were exposed.
Similar stories echo across the digital landscape as hackers use employee error as points of entry.
As these examples show, even a small deviation from security protocols can have catastrophic repercussions. Every employee must follow the same step-by-step procedure and practice it until it becomes second nature. Security protocols that are properly enforced and understood by every employee are one of the best defenses against malicious threats.
Statistic after statistic documents employee error, and through this article we want to provide SMBs and organizations with resources for continuing education in the fight against cyberattacks.
First Line of Defense
All it takes is one wrong click from a well-meaning employee to compromise company data. In many cases, that one click is all a cybercriminal needs to gain access to an entire network. According to a 2019 report released by IBM Security, 49% of data breaches are rooted in inadvertent human error and system glitches.
Kaspersky and B2B International reported that 52% of businesses believe they are at risk from within their own business. Yet, shockingly, despite 32% of breaches actually being attributed to human error, less than half (39.6%) of organizations are educating staff on how to improve security when sharing data.
Cybersecurity training should start on Day 1 as part of the onboarding process. A training program gives employees the practical skills to identify possible attack scenarios and to collect incident data to submit to network administrators, and it makes them feel more knowledgeable and secure. It also encourages employees to adopt the company’s culture and put cybersecurity at the forefront.
Data breach protection requires all employees across all departments to be fully prepared. An unprepared employee will certainly be the weak link.
Small businesses should start with their first line of defense: basic access control on every system that holds data. Consider Onlinevitalus, a company based in Barcelona that exposed over 75,000 applications for birth certificate copies because the Amazon Web Services storage bucket holding them had no access control at all. S3 buckets are not protected by a password but by access policies, and this one allowed anonymous access. It was a devastating mistake, “allowing anyone who knew the easy-to-guess web address access to the data” - Techcrunch.
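The Onlinevitalus exposure is the kind of misconfiguration a practitioner can check for mechanically. The following is an added example, not code from the article: it inspects an S3 bucket policy document for statements that grant read access to everyone, and checks the S3 Block Public Access settings that would override such a policy. The two policy documents and the bucket and role names are constructed for illustration; the four Block Public Access keys are the fields of the S3 API's PublicAccessBlockConfiguration.

```python
import json

# Constructed sample policies (not from the article or from any real bucket).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # everyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::certificate-applications",
                     "arn:aws:s3:::certificate-applications/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        # hypothetical application role: only this identity may read or write
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/applications-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::certificate-applications/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},
    }],
})

# S3 Block Public Access: all four PublicAccessBlockConfiguration fields should be
# true unless a bucket is deliberately public.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}

# Actions that let an anonymous principal read or enumerate objects.
READ_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject", "s3:List*", "s3:ListBucket"}


def _as_list(value):
    """IAM accepts a bare string wherever a list of strings is valid; normalise."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for both spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy_doc):
    """Return (Sid, matching read actions, has_condition) for each Allow statement
    that grants read access to everyone. Conditional statements are still reported:
    a Condition such as aws:SourceVpce may or may not narrow the audience, so a
    human has to judge. NotPrincipal / NotAction forms are not handled here."""
    policy = json.loads(policy_doc)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        granted = set(_as_list(stmt.get("Action", []))) & READ_ACTIONS
        if granted:
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(granted), "Condition" in stmt))
    return findings


def block_public_access_enabled(config):
    """All four settings must be on for Block Public Access to neutralise a public policy."""
    return all(config.get(key) is True for key in BLOCK_PUBLIC_ACCESS)


if __name__ == "__main__":
    print(public_read_statements(OPEN_POLICY))        # one finding: PublicRead
    print(public_read_statements(RESTRICTED_POLICY))  # []
```

In practice the policy document comes from `aws s3api get-bucket-policy` and the block settings from `aws s3api get-public-access-block`; the point of the check is that a bucket never needs a "password", it needs a policy that names who may read it and account-wide Block Public Access as a backstop.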
Types of Human Error include
- Email Error: Sending an email to the wrong recipient and accidentally disclosing confidential information. According to a survey, “both corporate and personal email are the leading applications for accidental data leaks.” – AP News. Files with sensitive information should be shared via secure links, and those links should let the sender revoke access if the data is sent to the wrong recipient.
- Phishing attack: There are many cases of employees thinking they are communicating with a colleague, boss, or authorized vendor when it is really an imposter gaining access to critical business information. This tactic involves a level of deception where the victim provides vital information to a fraudulent source that appears credible and highly-regarded.
- Lack of security awareness: Technical competence is a critical security barrier, and the lack of it is common. One third of respondents said a technology skills gap hinders the adoption of cybersecurity solutions more than budget constraints do.
Consider this example: the UniCredit data breach disclosed in October 2019. UniCredit is an Italian financial institution that does business across Europe. A file generated in 2015 contained three million records of names, addresses, and contact information for its customers. This file was compromised, giving cybercriminals the personal information of every customer in the document.
While it has not been officially disclosed how the breach occurred, the Office of the Future Survey released by Canon suggests the likely causes. The survey states that malicious insiders (30%) and employee error (25%) pose the greatest cybersecurity threats. While it is possible that the data was breached intentionally, it is almost as likely that it was shared accidentally by a well-meaning employee.
Cybersecurity Education Topics
Make employee awareness a priority to keep them motivated. Workshops, phishing tests, and security breach simulations are all excellent ways to train employees and keep them mindful of threats. Reward those employees who show great understanding of proper security practices.
Training should include the following Cybersecurity Education topics.
Threats Overview
- Cybersecurity threats: A malicious act to damage, steal, or disrupt digital life in the form of Malware, Phishing, Ransomware, etc.
- Malware: Software specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
- Social engineering: the use of deception to manipulate individuals into sending or giving confidential information to a cybercriminal who may use the data for fraudulent purposes.
- Phishing: A common form of social engineering. This is the act of sending emails appearing to be from reputable companies or persons in order to trick individuals into revealing personal information, such as passwords and credit card numbers.
- Emerging threats: Artificial intelligence is a quickly rising threat to cybersecurity. With deepfakes and synthetic identities, AI is allowing cybercriminals to impersonate reputable persons better than ever.
Password Policies
- Strong passwords: Use a password manager and a unique password or passphrase of at least 16 characters for every account; length matters more than forced mixing of lowercase, uppercase, symbols, and numbers. Do not force routine rotation: NIST SP 800-63B recommends changing a password only when there is evidence it has been compromised, and screening new passwords against lists of known-breached passwords instead. Never share your passwords.
- 2FA: Two-factor authentication limits the damage from a stolen or phished password by requiring a second factor in addition to the username and password: a one-time code generated by an authenticator app, a code sent to a trusted device, or a hardware security key. With 2FA enforced, a cybercriminal who holds only a stolen username and password still cannot log in. Prefer authenticator apps or hardware keys over SMS codes, and be aware that one-time codes can themselves be phished and relayed in real time; FIDO2/WebAuthn security keys are the phishing-resistant option.
Web Protection
- What to look for: Criminals will clone well-known websites to make themselves look legitimate. If you receive a link, don’t click on it or copy/paste it. Instead, type the website address directly into the browser to log into your account.
- What to avoid: Do not pass on confidential data to external websites or accounts that are unfamiliar or unencrypted. Remember the rule of thumb: if in doubt, don’t give it out.
Email Protection
- What to look for: Check the actual sending address, not just the display name, for misspelled or look-alike domains; misspelled words in the body of the email; a sense of urgency; a Reply-To address that differs from the sender; email subjects that do not make sense or are out of character for the sender; or emails that do not relate to the employee’s position within the company. Be suspicious of emails that say, “here are the files you requested” when you have not requested anything.
- What to avoid: Do not reply to, click links in, or open attachments from an unfamiliar or unrecognizable email. Follow standard protocol and checks and balances, such as confirming the request by phone using a number you already have, before sending any critical data such as payment or account information.
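The indicators above can also be checked by a mail filter or a triage script before a message reaches an employee. The following is an added example, not code from the article: it parses a raw message with Python's standard `email` module and raises a flag for each of the listed tells (display name carrying a different address than the real sender, Reply-To pointing elsewhere, a look-alike sender domain, urgency language, and the “files you requested” pretext). The trusted domain, the flag names, and the two sample messages are constructed for illustration.

```python
import email
import re

# Assumption (hypothetical): the organisation's own mail domain(s).
TRUSTED_DOMAINS = {"example.com"}

URGENCY = re.compile(
    r"\b(urgent(ly)?|immediately|within 24 hours|verify your account|will be suspended)\b", re.I)
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@((?:[\w-]+\.)+[\w-]+)")
ANGLE_ADDR = re.compile(r"<([^>]+)>\s*$")


def split_address(header):
    """Return (display name, address); the display name is attacker-controlled text."""
    header = header.strip()
    m = ANGLE_ADDR.search(header)
    if m:
        return header[:m.start()].strip().strip('"'), m.group(1).strip()
    return "", header


def domain_of(address):
    return address.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if levenshtein(domain, t) <= 2), None)


def analyze(raw_message):
    """Return the set of warning flags raised for one RFC 5322 message (single-part text)."""
    msg = email.message_from_string(raw_message)
    flags = set()
    name, addr = split_address(msg.get("From", ""))
    from_domain = domain_of(addr)

    # display name shows one address, the envelope-visible sender is another
    m = EMAIL_IN_NAME.search(name)
    if m and m.group(1).lower() != from_domain:
        flags.add("display_name_mismatch")
    # replies silently routed to a different domain
    if msg.get("Reply-To") and domain_of(split_address(msg["Reply-To"])[1]) != from_domain:
        flags.add("reply_to_mismatch")
    if lookalike_of(from_domain):
        flags.add("lookalike_domain")

    body = msg.get_payload(decode=True) or b""
    text = msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")
    if URGENCY.search(text):
        flags.add("urgency")
    if re.search(r"\bfiles? (that )?you requested\b", text, re.I):
        flags.add("unsolicited_files")
    return flags


# Constructed sample messages (not real mail).
PHISH = """\
From: "Payroll Team <payroll@example.com>" <payroll@examp1e.com>
Reply-To: payroll-desk@mail-forward.example.net
To: alice@example.com
Subject: URGENT: W-2 records needed today
Content-Type: text/plain; charset=utf-8

Alice, please send back the W-2 files you requested immediately;
the payroll account will be suspended by end of day.
"""

LEGIT = """\
From: Payroll Team <payroll@example.com>
To: alice@example.com
Subject: March pay statements posted
Content-Type: text/plain; charset=utf-8

March pay statements are now in the HR portal. No action is needed.
"""

if __name__ == "__main__":
    print(sorted(analyze(PHISH)))  # all five flags
    print(sorted(analyze(LEGIT)))  # []
```

None of these flags proves an email is malicious, and a careful attacker can avoid all of them; the value is in surfacing the same tells the training teaches, so that a flagged message goes to IT for review instead of being acted on.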
Social Engineering Protection
- What to do: Set spam filters to “high”. Read the email slowly and thoroughly before responding, research the contents of the email, and verify any unusual request through a second channel, such as a phone call to a number you already have rather than one given in the email.
In addition to email, phishing, and social engineering there are other important topics to include such as: Wi-Fi security, VPNs, USB drives, and external websites. Do a deep-dive into the cost of data theft and explore how hackers uncover passwords. Direct employees to IT for any concerns about suspicious emails or links. The lessons employees learn about privacy and security are lessons that can be applied in their personal lives outside of work.
Cybersecurity Training Methods
Don’t take the Bait
The phrase, “Don’t take the bait” is easier said than done. Without a trained eye, the bait may not be so easily recognizable. Cybercriminals have evolved and their techniques have become more sophisticated. If employees can only remember one thing, it should be not to click on a link or open an attachment if they’re not 100% positive that it’s safe.
Wesley Simpson is the COO of the International Information System Security Certification Consortium, or (ISC)², a non-profit organization that specializes in cybersecurity training. Simpson shared golden advice on how to keep your employees trained:
“The IT team sends out a fake phishing email to all employees across the organization, and gauges how many people click on it. Then, they can break that data down by departments and types of messages, to tailor training to problem areas. It also allows the company to show progression.”
Cyber Awareness
Having a security process in place is the backbone of a strong business infrastructure. A security process is only fortified over time with continuous training. Therefore, training shouldn’t begin and end on Day 1 of onboarding. Throughout the year employees should be refreshed to stay updated. A fun way to infuse the importance of cybersecurity into the veins of your company is to celebrate National Cybersecurity Awareness Month in October.
The larger goal is to create a company culture committed to “Cyber Awareness”. This awareness directly correlates to risk reduction. What this does is build an army of employees who essentially act as a “human firewall”.
Engage Your Employees
Provide interesting content, hacking demos, simulated scenarios, and exercises that include helpful hints and tips. Keep these readily available, and if possible, make them interactive to encourage employee engagement.
At the end, provide an evaluation, feedback, or results to give employees something to work towards and to motivate them to beat their last score. Develop roles and responsibilities and appoint internal department champions.