All it takes is one unsuspecting employee to click on a URL in an email from what appears to be a trustworthy source and your business could be facing the next WannaCry.
Cybercrime and data breaches are expected to cost U.S. companies $8 trillion in lost business and remediation over the next five years. And the news isn’t much better across the world, as the WannaCry ransomware virus demonstrated.
No business is safe from cyber criminals’ constantly evolving tricks of the trade. There has never been a more pressing need for organizations to foster an employee-by-employee effort to ensure network security.
Yet, it’s understandably difficult for every employee to remain constantly vigilant. That’s why I’d like to offer five cyber security training tips that should stimulate a strong collective approach to minimizing careless security mistakes and encouraging employee vigilance.
Tip #1: Talk Regularly with Employees about cyber security
With productivity always a focal point, it’s easy for company policies to fall out of sight and out of mind. But consistent cyber security training and conversation will prevent network security from becoming an afterthought.
Keep security on the top of employees’ minds with monthly, maybe even bi-monthly, in-person and web meetings. Demonstrate how cybercriminals try to penetrate a company’s first line of defense and steal employees’ information. Of the more than 3,000 data breaches in 2016 that were confirmed by Verizon, 89% of them had a financial or espionage motive.
Detail the impact a breach could have on your company’s operations and bottom line, and clarify employee obligations, especially when it comes to their use of mobile phones. Employees can no longer be held accountable only through an annual cybersecurity training review. They will forget everything in a matter of days.
Tip #2: Go on “Phishing” Trips and Regularly Test Employees
Train employees on how to recognize and handle email and social media communications that could be phishing attempts or might contain malware. Show them what phishing attempts and malware-loaded communications might look like. According to the Verizon 2016 Data Breach Investigations Report, 30% of breaches are due to human error, such as opening phishing emails.
Regularly test your employees’ knowledge and vigilance. These tests can include creating fake phishing “lures” that are designed to look as legitimate communications from your IT or HR departments. See how many employees will click on the fake links and unwittingly provide information. You can incorporate the results into your training, without specifically identifying employees who fell for the false phishing emails. Also, remind employees that a legitimate service or website will never ask users to transmit sensitive account-related data over email or social media messages.
Tip #3: Provide All-Encompassing Security Training
There’s a lot of ground to cover in cyber security, but don’t hesitate to inform employees about every type of security threat. It might seem like an overload of information, but it’s critical that your workforce knows what it’s up against.
Make sure your cyber security training includes elements such as the enforcement of strong passwords. “1234” doesn’t cut it as a password anymore. Remind employees that 63% of the breaches reviewed by Verizon involved weak, default or stolen passwords. Require complicated but easy-to-remember (for them) passwords. This is obviously an additional path to actually implementing controls that will manage your organization’s password strengths and aging.
Teach employees how to resist social engineering attacks. They should be aware of suspicious links from unknown sources while at work or when using corporate devices outside of work. Remind them of the dangers of phone calls and emails from someone posing as a co-worker and asking harmless questions that are, in fact, attempts to gather information about your company and operations.
Also, implement safe and specific rules for email, web browsing, social networks and mobile phone use. Don’t be so draconian to slow productivity, but make it clear that breaking your guidelines poses a security threat. It doesn’t hurt to share examples of security breaches and “near misses” that targeted your organization; seeing threats that came close to home will increase vigilance.
Give us a shout if you need some examples or any help with training your employees.
Tip #4: Train Everyone, Including IT and Executives
No one is above cyber security training. Not the CEO. Not the CFISO. Not even the IT pros. All humans are prone to make mistakes, even the ones who are well-versed on cyber security. Even savvy cyber security vendors, as we saw this week.
Include all personnel in training. Executives and managers are especially key because they are often targeted because of their high access to sensitive data. IT staff are also vulnerable because they have administrative access. Cybercriminals and hackers know who the executives and IT personnel are, so those people need to be reminded they are even more at risk than the rank and file.
Tip #5: Security Training Never Ends
Develop a training program for your employees that includes written policies that aren’t ambiguous and clearly stress what they should and shouldn’t be doing. Provide employees with easy-to-remember cyber security contacts and tell them not to be ashamed or fearful of reporting the slightest hint of a breach or threat. It’s better to be safe than sorry.
Hold large annual training sessions that cover lots of ground, but also consider having short but informative breakout sessions on a more frequent basis with smaller groups of employees. Cyber threats evolve almost overnight and waiting for a year to update employees on the latest tactics isn’t wise.
Also, discuss and email regular security reminders and tips that are supplemented with technical solutions, like how to monitor risks, how to use spam filtering, and what to do in the event of a possible breach or attack.
Cyber security isn’t a static measure. It’s a mindset. Employees need to recognize that carelessness and ignorance don’t stand a chance against deliberate and educated cyber criminals. Consistent, engaging and thorough training will make your employees remember the dangers of today’s digital world and will strengthen your company’s cyber security posture.