Have you heard the stories about cyber criminals dumping thumb drives loaded with malicious code in employee car parks? They then wait for one to be picked up and plugged into a work computer? Pretty clever, right? Unfortunately, studies have found that 60% of people will actually plug the drive in!
If something this simple works 60% of the time it’s clear employees need some help! Security awareness training is essential. This informs your employees about current security threats and company security policies. It also reminds them of the personal role they play in keeping the business safe from cyber threats
Unfortunately, many businesses don’t know where to begin addressing the basics of employee cybersecurity training. With so much to know and paths you can take, we understand the potential confusion. We are here to help. Together, we can get your employees up to speed. Here’s a peek at some must haves as part of any good program:
- Phishing and social engineering
- Passwords and network access
- Device security
- Physical security
Phishing and Social Engineering
Social engineering is the term used when an employee is tricked into divulging personal information. Phishing, which is an attempt to get sensitive information like passwords and credit cards from someone through email or chat, is a common social engineering attack.
Why are phishing and other social engineering attacks so successful?
They often appear to come from a credible source. This can deceive you into thinking it’s a piece of communication you can trust. Tell-tale signs of a phishing attempt could include; typos and spelling mistakes; links containing a string of random numbers and letters; an odd sense of urgency; or a simple feeling something is amiss about the information being requested.
If a user feels something isn’t quite right, then they should never click on a link or attachment or give out sensitive information. Employees should have a process in place for informing the right person or department in a timely manner if they believe they are receiving malicious email communications. If one employee is being targeted, it’s likely many others are, too. Alerting the right staff in a timely manner is critical for preventing a phishing scam from entering the network and spreading company wide.
Passwords and Network Access
Similarly, employees should be following best practices when it comes to passwords they’re creating. Especially for passwords used to access IT environments. For many industries, enforcement of password policy is a compliance requirement. In general, passwords should be unique to each application and information source. They should be at least eight characters and contain letters and special characters. They should stay away from obvious information like names and birthdays. Passwords should be updated every 90 days. They should never stored on sticky notes fixed to monitors or keyboards or shared with other employees.
It’s less obvious, but employees should also be wary of network connections used outside of their home or work. Even if data on their device is encrypted, it’s not necessary that a connected network transfers that data in an encrypted format. This opens the door to many different vulnerabilities. Plus, public networks may be tapped, which puts all data exchanged on that network at risk. Use a trusted network connection or secure the connection with appropriate VPN settings. Employees should be mindful of the potential security ramifications when logging onto company resources from their local coffee shop’s network.
In an era where more and more personal devices operate within the workplace, employees must understand the potential security risks of connecting to the enterprise network from their shiny new phone or tablet. Understanding this is a key part of employee cybersecurity training. The same threats posed to company desktops and laptops also apply to personal devices. Ideally, you will work with employees to ensure they have the means to securely access resources from their own device. But they should always be mindful of the websites they’re browsing, the applications they are installing, and the links they’re clicking on.
Cyber threats aren’t the only risks to be mindful of. Physical security also plays a role in keeping sensitive information protected. This shouldn’t be overlooked. How often do employees mistakenly leave a mobile device or computer unattended? It happens to all of us. But, if someone were to swipe an unattended phone or log in to sensitive assets from a connected network session, all of your data could immediately be at risk.
This is an area of security often overlooked. This especially true with many employees now working from home. They can become out of practice with good office security measures such as:
- Locking all devices. Employees should re-establish the habit of doing this every time they leave their desk.
- Locking their docs. Sensitive materials should be stored in a locked cabinet, not left sitting on a desk.
- Properly discarding info. When throwing away documents, users should be sure not to place sensitive papers into a general trash bin. The company should have a policy and process in place for appropriate and secure removal of such files.
There are many ways you can carry out employee cybersecurity training. A one-off course can be good for getting people up to speed. However, there are many disadvantages to this approach. Cyber security is a big subject. If you try and cover everything in one day then people may miss important messages. They could suffer from information overload. People also start to forget what they’ve learnt surprisingly quickly.
It can be better to take an approach where lessons are broken down into smaller chunks. Then you can deliver training ‘little and often’. You can also repeat lessons when they are short and sharp.
Another thing to include is checking understanding. Most employees don’t need to study cyber security and pass an exam. But deliver a 5 minute video and then include a quiz at the end to check understanding and you’ll find people more engaged.
How We Can Help
We can offer employee cybersecurity training as part of the ‘Your Cyber Team‘ solution.