The Missing Link: Training Employees on Cybersecurity Risks

Employees are the First Line of Defense Against Cybersecurity Threats

You may have spent money on the best technology, software, and monitoring tools, but if you don’t train employees – and not just your IT staff, but all employees – on recognizing and responding to suspicious computer activity, you have left a major hole in your defensive posture. Employees can be one of the strongest tools in your arsenal in identifying and combating security threats. Investing in a robust training program to assist employees with recognizing and responding to constantly changing cyber-attacks is critical to thwarting cybercrime.

Making Training Relevant and Personal

Tell any employee they need to attend training, and you will most likely see the inevitable eye roll. Training is often considered boring, repetitive, and a way for organizations to put a “check in the box”. But training employees on cyber-attacks not only protects the organization, it also helps employees protect themselves. Computers are not used only in the workplace; employees use them outside the office as well. Help each employee understand how important their actions are to securing the company, and ensure they understand that recognizing and responding to cyber-attacks outside the workplace is an important step in protecting their personal information as well.

With so many different types of attacks, what should companies focus on?

Go Phishing…

According to the 2018 Trustwave Global Security Report, phishing is the leading type of attack by hackers seeking to compromise corporate networks. A company may have to protect thousands of endpoints, but an attacker only needs one employee to fall for a phishing attack to gain a foothold in the network. Train your employees never to provide their credentials in response to an email request, to verify the sender before responding to an email with sensitive information, and to be aware of red flags, such as lack of punctuation, an unexpected change in process, a change in the person communicating certain information, and other similar items.

And make sure employees understand the process for asking for assistance if they have received a suspicious email: what should they do, and whom should they contact?

Other Types of Attacks

There are many ways a hacker may target your organization. For instance, ransomware is a growing – and costly – threat to organizations. Ransomware is a type of malware that encrypts files. Attackers get access to the network, disable and delete backups, use ransomware to encrypt the organization’s files, and then demand a “ransom” in exchange for a decryption key. Malwarebytes’ Q1 2019 Cybercrime Tactics and Techniques report identified a 195% rise in business ransomware detections from Q4 2018 to Q1 2019. The faster an organization identifies that it is suffering a ransomware attack, the less damage it will suffer. Train employees to recognize and respond to ransomware threats.

Attackers also frequently compromise business email accounts and then search the account for information they can use for financial gain, such as wire transfer details, or use the account to send spam to the user’s address book. In addition to obtaining user credentials through a phishing attack, attackers will guess weak passwords and access the email account through the online web portal. Teach employees why it is so important to use complex passwords or passphrases, not just on work accounts but on personal accounts as well, because it isn’t only corporate information that is at risk but their own information too.

How cyber-savvy are your employees?

  • Is your corporate culture cyber-informed? Are there built-in systems or processes currently within your organization that help employees understand how and why it’s important to be alert and recognize suspicious communications and activity?
  • What kind of cybersecurity training are you providing your employees and is it the most-effective kind of training?
  • Does cyber-awareness within your organization begin with on-boarding of new employees?
  • Would employees know how to spot a fake email before they clicked on it?
  • Is that request for an external transfer of money really from an internal colleague or from an actual hacker?
  • Is your training updated on a regular basis to include new forms of attacks?
  • Do you require your vendors, contractors, or subcontractors to train their employees on cyber threats?
  • For employees who work offsite or from home, are they using their own devices to connect to the company’s server? Is two-factor authentication enabled for those connections?

While investing in the appropriate tools and systems is important, training employees on cyber threats is critical to protecting your organization. The most sophisticated systems are still vulnerable to the human factor, and protecting your systems requires an investment in employees as well as technology.

Clark Hill’s integrated team of attorneys and technologists frequently provides cyber training to employees, executives, and boards. Contact us today to find out how we can assist you.