We all make mistakes. Sometimes they are costly. And sometimes, we didn’t even mean to do any harm. Unfortunately, 60% of cyber-attacks come from “insiders,” with 15.5% coming from “inadvertent actors” – aka, your well-intentioned employees (Source: IBM X-Force 2016 Cyber Security Intelligence Index). Training your employees can go a long way to help prevent breaches in your organization.
Talk Now and Talk Often
So you have an “IT Security Policy” in place and your employees even sign it annually. You are covered for cybersecurity training, right? Not quite. Employees need to be trained often. Find ways to mix it up: send blast emails, hold Lunch n’ Learns, and discuss recent cyber-attacks in the media and news so they can understand and relate. Even better, consider quizzing your employees every so often, and make it fun with incentives or prizes. Most importantly, keep them continuously engaged in the fight against cyber-attacks.
Don’t Forget the Bosses
Don’t limit your cyber training to staff-level employees. Managers and executives are often the targets of cybercriminals. If you’re wondering why, it’s because these are the people who generally have the highest levels of access, especially to the more valuable information such as financials, private information, trade secrets, personnel files, etc. What’s even riskier is that IT often grants these managers and executives greater network liberties and access rights. So be sure to keep the folks at the top in the loop too.
Include Cyber-training in On-boarding
Companies bring in new employees year-round. It’s risky to allow your new hires to begin using your technology and network prior to introducing them to some user guidelines. As part of your on-boarding process, new hires should receive basic cybersecurity training. This ensures that they’ll start off on the right foot and they’ll understand that your organization takes cybersecurity seriously.
Speak about Social Engineering
Social engineering attacks may be some of the simplest for a hacker to pull off, and they are becoming more common. In these attacks, users are “tricked” or manipulated into performing an action or inadvertently releasing confidential information. Phone calls or emails from hackers impersonating someone else (Vishing/Phishing), malicious texts (Smishing), and fake surveys and malicious links on social media sites are just some of the common examples of social engineering. A 2016 Heimdal Security article cites social media as a hacker’s favorite target, with over 600,000 Facebook accounts compromised every single day. These attacks go after the technology and websites that your employees likely interact with daily, so don’t forget to teach them the risks here: not every link is legitimate and not every sender is trustworthy.
Ensure Employees Know “The Plan”
You’ve read everywhere, “it’s not if you’ll get attacked, but when you get attacked.” You need to have an incident response plan in place for handling breaches, and your employees must be trained to recognize an attack and to know what to do next. Tasks like unplugging the machine, notifying an administrator of unusual or suspicious activity, and reporting lost or stolen mobile devices are just some of the steps you should include in your cybersecurity training.
Don’t underestimate the power of knowledge. The more your employees know about cybersecurity, the less likely your organization is to fall victim to a cyber-attack. Keep the conversation going, solicit feedback from your staff, and keep the training continuous. It may be just enough to keep your well-intentioned staff from making a critical and costly mistake.