Imagine you’re sitting at your desk—minding your own business—when you hear muffled swearing over the cubicle wall from Jim next door. You peer over the wall to see what’s going on and see a computer screen, frozen and filled with antivirus alerts. Jim, looking flustered, keeps hacking away at the keyboard as if that’s going to accomplish anything. Jim got phished. He opened that phishing email you flagged as spam and deleted, and now, it’s not just him paying the consequences—his lack of cybersecurity awareness puts the whole office at risk.
No one likes to think they can get phished, because phishing is what happens to people who don’t know better. However, phishing attacks are not always obvious and easy to spot—even for people who know their way around a computer. Hackers have an increasingly sophisticated arsenal of tools and tricks that can fool anyone not careful enough.
This is worrying. All the best-laid cybersecurity plans of a business's IT team can crumble in an instant, with just one click. Even when most employees are well educated and aware of security risks, there is often still a weak link, and that weak link is exploitable. It's not enough for IT teams to invest in cutting-edge technology if employees don't have the cybersecurity awareness to match. Which raises the question: What can IT do to close these gaps? Is more employee awareness training really necessary for the sake of a few bad apples?
Admit it: Human error plagues us all
According to a 2016 Ponemon Institute study, 55 percent of small businesses said they had experienced a cyber attack, and 50 percent said they had recently fallen victim to a data breach. In many cases, these breaches are the result of human error. A PwC report from 2015 found that people are the main vulnerability of an otherwise secure enterprise: staff-related breaches affected three-quarters of large firms, and half of the worst incidents were caused by inadvertent human error.
The fact is that strong firewalls and the latest antivirus software, among other defenses, are not enough to prevent cyber attacks if Jim clicks the link in a phishing email. A credential-harvesting page, or a request for tax data that Jim answers himself, runs no malware on his machine, so there is nothing for the antivirus to detect. To protect themselves, businesses must make cybersecurity awareness training a priority, but it's not enough to plunk employees in a room and go through a slide presentation.
Make it personal
The most effective programs are not one-size-fits-all—they’re tailored to the needs of different roles and departments. The threats faced by someone in accounting may not look the same as those faced by a sales rep. For example, a sales rep may be particularly vulnerable to mobile attacks, since they spend a lot of time out in the field, working remotely from mobile devices. That means training for the sales team could focus more on the dangers of unsecured Wi-Fi and how to avoid them.
Payroll may prove more vulnerable to phishing attacks, since they handle sensitive information, like tax forms. In March 2017, the Minnesota Department of Revenue issued a warning about a W-2 email phishing scam, in which attackers sent employees emails that appeared to come from a company executive asking for W-2 information. The messages looked official enough that unsuspecting employees sent the data along. It makes sense, then, for payroll's training to dive into how to identify such emails: a request for tax data that arrives by email, from a display name that matches an executive but an address that does not, should be verified by phone or in person before anything is sent.
Bringing in examples from the real world is also an effective learning tool. Abstract rules are easy to dismiss, so training shouldn't just say "do this" and "don't do that." The more effective strategy is to show rather than tell, and to give employees practice, for instance an exercise where they try to separate fraudulent emails from real ones. Some organizations go further and run simulated phishing campaigns, in which security professionals send their own staff realistic phishing emails and measure who clicks, to prove just how easy it really is. That's a lesson that'll stick.
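To make the "sort the fraudulent emails from the real ones" exercise concrete, here is an added Python example (not part of the original article) that applies the checks a trained employee, or a simple mail filter, would make against the executive-impersonation pattern of the W-2 scam described above: a display name that belongs to an executive but an address that does not, an external lookalike sending domain, a Reply-To that quietly redirects replies, and a request for tax data or urgency. The company domain, the executive list, and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical company data for the exercise; a real deployment would load
# the executive list from a directory rather than hard-code it.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan": "ceo@example.com", "dana lee": "cfo@example.com"}
# Phrases typical of payroll and finance fraud requests.
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "gift card", "urgent", "asap")


def sender_domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ("" if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return human-readable reasons the message looks like executive
    impersonation; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name = from_name.strip().lower()
    from_addr = from_addr.lower()
    domain = sender_domain(from_addr)

    # 1. The display name is an executive's, but the address is not theirs.
    real_addr = EXECUTIVES.get(from_name)
    if real_addr and from_addr != real_addr:
        findings.append(
            f"display name '{from_name}' belongs to {real_addr}, "
            f"but mail is from {from_addr}"
        )

    # 2. The sending domain is external yet resembles the company domain
    #    (a crude lookalike heuristic: company label appears in the domain).
    is_internal = domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)
    if domain and not is_internal and INTERNAL_DOMAIN.split(".")[0] in domain:
        findings.append(f"lookalike sender domain {domain}")

    # 3. Replies are silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. The subject or body asks for tax data or payments, or stresses urgency.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [term for term in SENSITIVE_TERMS if term in text]
    if hits:
        findings.append("sensitive request terms: " + ", ".join(hits))

    return findings


# Constructed sample messages for the sorting exercise.
LEGITIMATE = """\
From: Pat Morgan <ceo@example.com>
To: payroll@example.com
Subject: Q2 planning meeting

Can we move Thursday's meeting to 10am?
"""

PHISHING = """\
From: Pat Morgan <pat.morgan@example-payroll.com>
Reply-To: pat.morgan.ceo@webmail.example
To: payroll@example.com
Subject: Urgent: W-2 forms for all employees

I need the W-2 information for every employee sent to me ASAP for a review.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("phishing", PHISHING)):
        print(label, check_message(raw) or ["no findings"])
```

The legitimate message produces no findings; the phishing message trips all four checks. None of these checks is proof on its own (an executive really might write from a personal address), which is exactly why the training exercise should end with "verify out of band" rather than "delete anything that scores high".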
Put words into action
There are certain cybersecurity principles all employees need to know, like the importance of strong, unique passwords. Most people understand why, but for employees who sign in to many software services throughout the day, those security layers get frustrating. How can a worker get anything done if they're constantly typing complex 12-character passwords?
To ensure security doesn't come at the expense of productivity, or vice versa, companies need to give their employees tools that help. Part of the cybersecurity awareness training could be setting every employee up with a password manager, so they come away with both useful information and an actual resource: the manager generates and remembers a different password for each service, which removes the temptation to reuse one password everywhere. Organizations should also put policies in place to ensure consistency and accountability, and review those policies during training.
Putting words into action also means investing in technology with security features built in. The Insecurity of Connected Printers, a study conducted by the Ponemon Institute and sponsored by HP, found that printer security is often overlooked even though printers are highly vulnerable. HP printers ship with security features designed to detect, protect against, and even self-heal from attacks automatically. In any discussion of printer security, make sure your employees understand how the devices and their security features work.
Cybersecurity training is not a one-and-done proposition. The landscape evolves fast, and people learn best when information comes in small, digestible chunks. Instead of forcing employees to sit through a marathon session once a year, the more effective approach is shorter monthly trainings. The spacing keeps cybersecurity top of mind for all employees, and Jim may think twice about clicking that phishing email if he sharpens his skills every month.