Many cyber security threats, such as advanced malware, even ransomware, can only be countered with sophisticated technology. But, on a day-to-day basis, employees, by their behavior, are typically your greatest source of vulnerability.
Your people are either your strongest line of defense … or your weakest link
It might seem hard to believe, but one of the top threats to cyber security is still employees leaving laptops and mobile devices unattended in vulnerable places, such as public transport, cars and restaurants. Or using their organization’s laptop to access public WiFi in unsecured hotspots. Or storing sensitive information on the local hard drive instead of the server, or using weak, easy-to-guess passwords. Or, critically, with 94% of all malware delivered via email (1), clicking on links that appear to originate from legitimate sources but are actually generated by bad actors phishing for opportunities to infiltrate their organization’s network. In sum, whether by leaving their physical devices vulnerable to theft or through behaviors that invite attack, employees are practically rolling out a welcome mat for hackers, putting the company's network and data at risk.
In the first instance, you need to make sure your IT security policy is sophisticated and comprehensive enough to cover all possible sources of attack, including the latest threats, and contains a clearly documented remediation plan. However, simply having a policy in place doesn't go far enough. It's not that employees will willfully disregard it; rather, they genuinely lack awareness of the risks and consequences. You can't simply expect new hires to sign an "I have read and understood the company's IT policy" statement during the on-boarding process. In fact, without employees being sensitized to malware’s capabilities to disrupt the business (as well as its consequences for them if it does), preventing malware’s propagation onto the network could prove challenging.
As a result, it's vital that you take a proactive, ongoing approach to educating your entire workforce about cyber security threats and countermeasures before someone or something compromises your systems, data, reputation or even livelihood.
Five tips to educate employees on cyber security
Tip #1: Clearly communicate the potential impact of a cyber incident on your business
Explain the spiraling consequences of everyday activities and bad habits — from financial losses or fines to damaged customer trust. For example, walk through the scenario of what could happen if someone left their laptop on the train, accessed work documents over an open WiFi network in a coffee shop, or opened personal emails on a work device. What are the dangers of revealing personal information on Facebook (kids' names, memorable dates, etc.) that may be used in passwords for work applications? Most people may not even realize how they're potentially undermining your business through everyday (mis)behaviors.
Tip #2: Make cyber security everyone's responsibility
No one is immune, so include management and IT in your education program. The more senior an employee, the more information they typically have access to, making them a more attractive target to cyber criminals. IT staff have even greater power over the network, making them just as susceptible to determined hackers, so ensure complacency doesn't set in. Remind everyone that your company's infrastructure is only as secure as its weakest (or strongest) link.
Tip #3: Hold regular cyber security sessions
Training needs to happen before your business is hit by a cyber incident, not in its aftermath. In addition to initial cyber security training as part of the on-boarding process, set up a regular event such as a lunch 'n' learn, or an online forum where employees can share information about cyber security – whether that's referencing a topical news story about the latest high-profile breach, or sharing an insightful article on cyber-crime tactics. Make it relevant and engaging.
Intermittently test employees' cyber security knowledge. An online survey is a quick, inexpensive and effective way to do this. Or partner with IT to send an unsolicited email to all employees, requiring them to click on the link provided to update their password. Those who alert IT support that they have received a potential phishing email understand the risk the email represents. Those who do click on the link, however, need additional training so they can better spot, report and avoid attempts like this in the future.
Tip #4: Issue specific rules for email, internet browsing, social networks and mobile devices
Encourage a culture of "safe browsing" and caution your staff to be wary of suspicious links and attachments from unknown sources when using company devices — whether that's a phishing email or a video on social media. Bear in mind that if you force employees to change their passwords on a weekly or monthly basis, they'll probably resort to writing them down on a sticky note left on display at their workstation. Similarly, if you make it too tricky or convoluted for them to access the systems and data they need to do their jobs, fully expect them to find less secure workarounds like USB sticks or personal email to bypass your controls.
Tip #5: Train your employees to recognize and respond to a cyber incident
Give your staff a clear channel, such as an emergency number, to alert your administrator to any suspicious emails or unusual activity, or for reporting a lost device – even if it turns out to be a false alarm. Some cyberattacks are preceded by a seemingly innocent work-related phone call, purportedly from a supplier or service provider to establish account details or passwords, so don't overlook the significance of such calls as a precursor to cyber-crime. If an attack, breach, or cyber incident does occur, give everyone a timely heads-up to limit the impact of the attack. Ensure you have an internal communications plan and PR strategy in place should the worst happen so your teams are equipped to field questions and reassure concerned customers or investors.
While there's no foolproof method to protect your business, educating your employees about security threats and best practices for online behavior and privacy can, at least, reduce the likelihood of a breach caused by human error.