It’s a common misconception that threat actors, the individuals behind online attacks, live outside an organization; it’s often internal employees that are your biggest cyberthreat. Whether it’s phishing attacks, poor password policies, or lax access privileges, employees are directly or indirectly responsible for more incidents than they should be.
Because employees are the weakest link and the main vulnerability in an organization’s cybersecurity, constantly educating them about cyberthreats and their consequences is critical to the success of your business.
Why Is Awareness Training for Employees Important?
According to IBM’s Cost of a Data Breach Report 2021, data breach costs rose from $3.86 million to $4.24 million. When employees understand the techniques used by external threat actors like malicious hackers, it reduces the possible costs of a breach. In addition, it equips employees with current skills on how to detect and prevent cyberthreats. But more importantly, it builds a solid foundation for a strong cybersecurity culture that will scale with your organization.
Employee awareness training comes with several challenges. One-time group training doesn’t scale well with new employees continuously onboarding. InfoSec policies are regularly updated and everyone needs to be made aware. Security teams are stretched thin due to the shortage of skilled security talent and a growing list of responsibilities to secure the organization. And all personnel have an inbox overflowing with meeting requests.
But an organization’s values, attitudes and beliefs drive cybersecurity behaviors. It starts with the leadership team and trickles down through education. Training provides employees with the skills to prioritize, interpret, learn about and practice cybersecurity. So build a method that works for your size, invest in software that automates the process, and incorporate education into your business-as-usual activities.
Common Cyberthreats to Educate Employees About
Social Engineering
A technique that manipulates people into performing actions or divulging confidential information. The term applies to the use of deception to gain information, commit fraud, or access computer systems.
Phishing
The use of emails that appear to originate from a trusted source to trick a user into entering valid credentials into a fake website. Typically, the email and the website look like they are part of an organization where the user is doing business. A simple trick to spot a phishing email is to STOP and THINK BEFORE you CLICK.
- Stop. Do not click. Do not assume that links in your email are automatically safe.
- Think. If you cannot confirm that the sender and attachments are legitimate, or cannot be sure the links are safe by looking at the actual web address, conclude that you should beware.
- Click. Only after you are completely confident that the action is safe.
How to Spot a Phishing Email
- Hover your cursor over the sender’s name to reveal their actual address
- Check website links. At first glance, they may appear to be a proper organization’s website, but there are often slight differences. For example, www.tugboatIogic.com—the lowercase L is replaced with a capital letter i.
- Look at it logically. Is there a request for personal information and an unnecessary sense of urgency? If it seems strange, don’t hesitate to dig a little deeper. You can’t be too careful when it comes to cyberthreats.
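The lookalike-domain check above can be automated. The following is an added example, not code from the original post: it extracts the host from a link, folds visually confusable characters (such as the capital I standing in for a lowercase l in tugboatIogic.com) and flags hosts that then match, or are one character away from, a constructed allow-list of trusted domains. The allow-list, the confusable map and the sample URLs are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the organization really uses.
TRUSTED_DOMAINS = {"tugboatlogic.com", "example-bank.com"}

# Characters that look alike in common fonts (illustrative, extend as needed).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def host_of(url: str) -> str:
    """Return the host of a link with its original letter case.

    urlsplit().hostname lowercases, which would erase the capital-I trick,
    so the host is taken from netloc and user:pass@ and :port are stripped.
    """
    if "://" not in url:
        url = "https://" + url
    netloc = urlsplit(url).netloc
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0]
    return host[4:] if host.lower().startswith("www.") else host


def fold(host: str) -> str:
    """Map confusable characters to the letters they imitate, then lowercase."""
    return host.translate(CONFUSABLES).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'unknown', or a description of which domain is imitated."""
    host = host_of(url)
    if host.lower() in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold(host)
    for trusted in TRUSTED_DOMAINS:
        if folded == fold(trusted):
            return f"lookalike of {trusted} (confusable characters)"
        if edit_distance(folded, trusted) <= 1:
            return f"lookalike of {trusted} (one character off)"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://www.tugboatlogic.com/login", "https://www.tugboatIogic.com/login",
                 "http://tugboatlogc.com/reset", "https://news.example.org/story"):
        print(f"{link:45} -> {classify_link(link)}")
```

A result of "unknown" is not a clean bill of health; it only means the host imitates none of the listed trusted domains, so the other checks in the list still apply.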
Ransomware
This type of malicious software infects your system and displays messages demanding a fee to make your system work again. It holds your system hostage. File types previously targeted by crypto-ransomware include .doc, .xls, .jpeg, .zip, .pdf, and other commonly used files. Cybercriminals have since expanded to many other business-critical files such as database files, website files, SQL files, tax-related files and more. Ransomware is a hot topic in the news these days too.
Preventing a Ransomware Attack
- Don’t click on links in suspicious emails.
- Regularly backup important files.
- Update software and applications regularly to protect against emerging vulnerabilities.
- Implement logical access controls.
- Provide user awareness and continuous employee cyberthreat training.
Other Cyberthreats to Consider in Employee Awareness Training
- Adware
- Botnets
- Brute Force
- Caffe Latte (WEP)
- Carding
- Careless employees
- Collusion
- Cracking
- Creeping Privilege
- DOS Attacks
- Data diddling
- Dumpster Diving
- Eavesdropping
- Espionage
- Hacking
- IP Spoofing
- Identity theft
- Inference
- Keyloggers
- Leapfrog Attack
- Logic Bomb
- MITM attacks
- Malware
- Masquerading
- Overt Doc. stealing
- Password cracking
- Phishing
- Phreaking
- Piggybacking
- Pilfering
- Ping of death
- Reconnaissance
- Sabotage
- Salami Attack
- Scrumping
- Session hijacking
- Shoulder Surfing
- Side-Channel
- Smurf Attack
- Sniffing
- Social Engineering
- Social Spying
- Tailgating
- Trojans
- Twinge (ICMP)
- Virus
- War dialing
- Wardriving
Security Controls
Laptops and Mobile Devices Best Practices
- Keep phones and laptops locked.
- Set strong passwords.
- Keep operating systems up to date.
- Connect to secure WiFi.
- Avoid phone jailbreaking (iPhones) or rooting (Androids). Don’t change settings in your phone so you can run software that would not typically work on that phone.
- Encrypt your data.
- Install and maintain antivirus software.
Passwords
A safe password is:
- Private. It’s used and known by one person only.
- Secret. It doesn’t appear in clear text in any file, program or piece of paper pinned to the system.
- Easily remembered. This way, there’s no need to write it down.
- Minimum eight characters. A mixture of upper case, lower case, digits and punctuation is recommended, so it’s not guessable by any program in a reasonable time—for instance, less than one week.
- Switched up. Changing it occasionally, such as once a quarter, keeps information safe.
Use Multi-Factor Authentication When Available
Multi-factor authentication (MFA) or two-factor authentication (2FA) is an authentication process that relies on “something you know” (your password), “something you have” (mobile phone, authentication key, etc.) and “something you are” (biometrics like fingerprint, facial recognition, etc.).
Most commonly, when signing into a service with MFA, you enter your username and password and then have to provide a 6-digit code. The code is sent to you via SMS or generated by an authenticator application, like Google Authenticator. Be aware, however, that while SMS codes are more secure than not using MFA at all, they can be hacked. This typically happens when a hacker calls your phone company and uses social engineering to get an employee to switch your phone number to the hacker’s phone.
Virtual Private Network
A virtual private network, or VPN, protects your online activities and privacy. A VPN is a technology that creates a private, encrypted tunnel for your online activity, making it much more difficult for anyone to watch or monitor your activities. In addition, a VPN helps hide your location, making it more difficult for websites to determine your whereabouts. It’s like a shield employees can use against cyberthreats.
While a VPN is a fantastic way to help protect online privacy, it does not secure your computer, devices, or online accounts. So even using a VPN, always follow basic security steps, including ensuring your devices are updated, using a screen lock, and using strong, unique passwords for all your accounts.
Keep Operating Systems up to Date
Keep your operating system and applications up to date with the latest security patches. Yes, it’s a pain sometimes when your Windows or Mac notification pops up asking for an update. It’s never at a convenient time. But make the time! From a security perspective, keeping your applications and operating system up to date is vital to help prevent new vulnerabilities from being exploited. White hat hackers, whose job it is to find flaws, let companies know so they can create patches before the black hat hackers (the bad guys) can use those flaws for nefarious purposes. The patches are there for a reason, so make sure you install them.
Secure WiFi Keeps Employee Mobile Devices Safe
Mobile devices hold a wealth of information. It’s easy to forget that your photos, emails, bank numbers, social accounts, health information and dozens of contacts are desirable tidbits to threat actors. Make sure to secure devices with a strong password or touch ID. Do a little due diligence before downloading unknown apps and only use secured WiFi. Public WiFi is not secured. In fact, outside of your home and office, it’s safe to assume it’s unsecured. Make sure to use a VPN.
How to Report and Respond to Cyberattacks and Cyberthreats
This is a crucial topic to cover during your employee awareness training. To err is human and even with a strong security culture, mistakes happen. An easy and fast way for people to report their errors acts as an early warning system, lessening the impact of a breach and sometimes even stopping them altogether.
If an employee suspects they’re compromised, the sooner they act, the better. After reporting the incident to the proper person, give specific instructions on how to proceed.
Remote Work Security
Very few businesses avoided telecommuting during the COVID-19 pandemic. However, in the fast and furious scramble to keep organizations afloat, numerous vulnerabilities were introduced and cybercrime increased.
IBM’s Cost of a Data Breach Report 2021 states that the average cost was $1.07 million higher in breaches where remote work was a factor in causing the breach, compared to those where remote work was not a factor. The percentage of companies where remote work was a factor in the breach was 17.5%. Additionally, organizations that had more than 50% of their workforce working remotely took 58 days longer to identify and contain breaches than those with 50% or less working remotely. IT changes such as cloud migration and remote work increased costs. Yet, organizations that did not implement any digital transformation changes due to COVID-19 experienced $750,000 higher costs than the global average, a difference of 16.6%.
Clear policies and company regulations should be reviewed company-wide regularly to keep your remote workforce on the same page.
Cybersecurity Responsibility
Everyone is responsible for cybersecurity because, at work and home, we’re all potential targets. It only takes one person to compromise a system. That’s why security policies apply to all employees.
Every device we use or email we receive may contain clues about lurking malware, a virus, a password hack or a phishing scam, so educating employees matters. There’s significant value in security and it’s more than just the bottom line—a culture rooted in cybersecurity and awareness benefits everyone.