Unfortunately, no amount of training for your employees will prevent cyberthreats. If that were the case, those of us in the cybersecurity industry would be without employment. However, training to reduce the risk of cybercriminal activity is essential to a company’s bottom line. Without training and security measures we may as well leave the front door open at night with a sign stating, "Welcome all criminals."
The total global impact of cybercriminal activity is expected to cost businesses over $2 trillion by 2019. This is larger than the cocaine, heroin, and marijuana trade combined.
Cybercriminal gangs are increasing by the thousands monthly, and why not? In comparison with other criminal activity (drugs, robbery, guns, etc.) cybercrime is much easier, more profitable, and less likely to land one in prison. While cybercriminal activity may be on the mind of our government here in the States, the argument can be made that it is not nearly as significant as it should be, and it certainly is not of concern to the governments in the Far East. If you think the Russian government is overly concerned with locating small groups of hackers in basements ripping off Americans, you are mistaken.
We can place prevention products like a firewall and anti-virus on our network, as well as protection software like CryptoStopper.io™, HackTraps™ and Carbon Black, but the first line of defense is training our staff.
Here are a few tips for educating employees about cybersecurity that are essential to business:
1. Create an environment open to discussion on cybersecurity. In several workplaces, for whatever reason, many employees don’t feel comfortable with the IT staff and vice versa. This cannot be an issue. The staff must feel comfortable taking suspicious e-mails to IT, and IT departments must feel comfortable discussing recent threats with the staff. Do not have an environment of, "Sign this policy every year and be on your way." Issues must be discussed. Never make anyone feel bad for bringing something they think is an issue to IT. Thank them for bringing a false alarm to your attention, or they may not bring a real one next time. Also, provide food. This always makes people happy.
2. Create a regular meeting to discuss various concerns on cybersecurity and make it worth employees’ time. This may be met with groans at first, but if you make the content relevant, you will be surprised by how many people are genuinely interested in how to keep themselves, their friends, and their family safe from cybercriminals at home. Keep it simple at first. Discuss how to keep their social media accounts safe, how to improve passwords, and interesting stories of individuals getting hacked (yes, in cybersecurity you actually do run into some pretty crazy stories).
3. Educate the staff to recognize an attack. Training is essential prior to being attacked. Assume an attack will happen; what is the first thing that needs to be done? Teach employees what a suspicious e-mail looks like. Provide examples. What should be done if a suspicious e-mail is received? This all needs to be done in orientation for new hires and reviewed more than just once a year.
4. Send internal phishing campaigns. A well-done phishing campaign can be 45% effective. Again, do not harass anyone who fails. I can promise you will have failures. Use this as a time to teach how to spot a fraudulent e-mail: are there any spelling errors? Does this not appear to be the way this sender speaks? Is this from UPS/FedEx when you are not expecting a package? Is the salutation vague and not personalized? All of these are signs of a phishing campaign. Teach employees to spot these signs, to contact the sender (if known) before clicking on anything, or to contact IT to analyze the message.
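The same cues the tip above teaches people to look for can be turned into a small triage script that IT can run over a forwarded message before a human reads it. This is an added example, not code from the original post; the two e-mails, the carrier domains, and the tiny misspelling list are constructed stand-ins (a real deployment would use a proper spell checker and the carriers' actual sending domains).

```python
import re
from email import message_from_string, policy, utils

# Constructed sample messages for illustration (not real mail).
SAMPLE_PHISH = """From: "UPS Delivery" <notice@ups-parcel-alerts.example>
To: jane@corp.example
Subject: Your pakage could not be delivered

Dear Customer,

We were unable to deliver your pakage. Click the link below to reschedule.
http://ups-parcel-alerts.example/reschedule
"""

SAMPLE_OK = """From: "Bob Smith" <bob@corp.example>
To: jane@corp.example
Subject: Lunch Thursday?

Hi Jane,

Are you free for lunch Thursday? Bob
"""

VAGUE_SALUTATIONS = ("dear customer", "dear user", "dear valued", "dear sir/madam", "dear account holder")
CARRIER_DOMAINS = {"ups": ("ups.com",), "fedex": ("fedex.com",)}   # assumed legitimate domains
COMMON_MISSPELLINGS = {"pakage", "recieve", "acount", "verfy", "imediately"}  # constructed stand-in

def phishing_indicators(raw, expecting_package=False):
    """Return the list of phishing cues from the post that a raw e-mail triggers."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = utils.parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    subject = str(msg.get("Subject", ""))
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    flags = []
    # Cue: "Is this from UPS/FedEx and you are not expecting a package?"
    for carrier, good_domains in CARRIER_DOMAINS.items():
        if re.search(rf"\b{carrier}\b", (name + " " + subject).lower()):
            if not any(domain == d or domain.endswith("." + d) for d in good_domains):
                flags.append(f"claims {carrier} but sent from {domain}")
            if not expecting_package:
                flags.append(f"{carrier} notice while no package expected")
    # Cue: vague, non-personalized salutation (first non-empty body line).
    first = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first.startswith(s) for s in VAGUE_SALUTATIONS):
        flags.append("vague, non-personalized salutation")
    # Cue: spelling errors in subject or body.
    words = set(re.findall(r"[a-z']+", (subject + "\n" + body).lower()))
    misspelled = sorted(words & COMMON_MISSPELLINGS)
    if misspelled:
        flags.append("spelling errors: " + ", ".join(misspelled))
    return flags
```

A message with no flags is not proof it is safe; the script only surfaces the cues employees are taught to notice, so the "does this sound like the sender?" check still belongs to a person.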
5. Lastly, and probably most simply, make sure employees are changing passwords frequently. I bet if you surveyed the office you would find many employees store passwords on a spreadsheet pinned directly to their wall, or even worse, in a spreadsheet on their desktop. I once encountered a situation where an employee had such a spreadsheet in a shared file on the server. You may laugh, but did anyone let them know this was a giant no-no? Of course not. The key is, don’t assume your head accountant, top salesperson, or even your CEO knows as much as you do.