Unfortunately, no amount of training for your employees will prevent cyberthreats. If that were the case, those of us in the cybersecurity industry would be without employment. However, training to reduce the risk of cybercriminal activity is essential to a company’s bottom line. Without training and security measures we may as well leave the front door open at night with a sign stating, “Welcome all criminals.”
The total global impact of cybercriminal activity is expected to cost businesses over $2 trillion by 2019. This is larger than the cocaine, heroin, and marijuana trade combined.
We can place prevention products like a firewall and anti-virus on our network, as well as protection software like CryptoStopper.io, HackTraps and Carbon Black, but the first line of defense is training our staff.
In several workplaces, for whatever reason, many employees don’t feel comfortable with the IT staff and vice versa. This cannot be an issue. The staff must feel comfortable taking suspicious e-mails to IT, and IT departments must feel comfortable discussing recent threats with the staff. Do not have an environment of, “Sign this policy every year and be on your way.” Issues must be discussed. Never make anyone feel bad for bringing something they think is an issue to IT. Thank them for bringing a false alarm to your attention, or they may not bring a real one next time. Also, provide food. This always makes people happy.
This may be met with groans at first, but if you make the content relevant, you will be surprised by how many people are genuinely interested in how to keep themselves and friends and family at home safe from cybercriminals. Keep it simple at first. Discuss how to keep their social media accounts safe, improving passwords and interesting stories and of individuals getting hacked (yes, in cybersecurity you actually do run into some pretty crazy stories).
Training is essential prior to being attacked. Assume an attack will happen; what is the first thing that needs to be done? Teach employees what a suspicious e-mail looks like. Provide examples. What should be done if a suspicious e-mail is received? This all needs to be done in orientation for new hires and reviewed more than just once a year.
A well-done phishing campaign can be 45% effective. Again, do not harass anyone who fails. I can promise you will have failures. Use this as a time to teach how to spot a fraudulent e-mail: are there any spelling errors? Does this not appear to be the way this sender speaks? Is this from UPS/Fed Ex and you are not expecting a package? Is the salutation vague and not personalized? All of these are signs of a phishing campaign. Teach them to spot them, contact the sender if known before clicking on anything, or contact IT to analyze.
I bet if you surveyed the office you would find many employees store passwords on a spreadsheet directly on their wall or even worse in a spreadsheet on their desktop. I once encountered a situation where an employee had a spreadsheet on the shared file on the server. You may laugh, but did anyone let them know this was a giant no-no? Of course not. The key is, don’t assume your head accountant, top salesperson, or even your CEO knows as much as you do.