Cybersecurity Bootcamp: 6 Essentials In Raising Employee Awareness

SolarWinds' recent announcement of a data breach compromising as many as 18,000 customers was a fresh reminder of the need for vigilance in cybersecurity. Yet updating technology isn't the only way to prevent attacks on networks, applications, or facilities. Employee awareness training is a cost-effective and, ultimately, low-tech way to avoid attacks.

Training Humans Is As Important as Tech

Human error, regrettably, presents a significant cybersecurity vulnerability. Coupled with the human impulse to trust others or to help out a person in need, it can compromise even enterprises with the most technologically advanced cybersecurity program in place. That's why, just as companies offer sexual harassment or loss prevention training, it's also critical to educate employees about what they can do to help protect against and prevent cyber attacks.

Businesses of any size need to be aware of the potential risks. Thinking "it won't happen to us" is just foolish, especially when something as low cost as cybersecurity training can serve as a strong defense against a breach of systems, networks, devices, or physical premises.

In an article titled "Human Error is to Blame for Most Breaches," a BakerHostetler researcher noted that "failing to address the human component of data protection can negate many of the next-generation defense-in-depth technologies in which organizations are investing handsomely."

In other words, it doesn't matter if you're spending millions of dollars a year on your digital defenses if your employees are clueless about security.

Hacking Percentages

While BakerHostetler's visual of threats shows human error coming in second per its 2016 report, it's crucial to recognize that phishing, hacking, and malware also often rely on human action or mistake to be set in motion.

When was the last time you tested your company's defenses? Let RedTeam Security help you get on track. Schedule your free consultation at a time that works within your schedule.

What Training Should Address

Effective cybersecurity training can help employees learn about the different cyber threats, how they operate, what information they target, and the countermeasures employees can take, ideally by working through real-life scenarios.

Consciousness Raising. It's a phrase that goes back decades, but today can focus on making employees aware of the role they might unwittingly play in undermining the company's many investments in cybersecurity.

Phishing, for instance, is a prevalent way for attackers to access an otherwise well-protected network. The means of the attack can vary, but overall, employees need to be taught to stop themselves before they engage in potentially dangerous activities such as:

  • Opening emails from the spam folder or from unknown senders
  • Failing to update antivirus protections and software applications
  • Opening attachments to emails from unknown origin
  • Using "reply" with unfamiliar contacts for business communications. Instead, a user should hit forward and type in the correct address to ensure the information is going to the intended recipient each time.

Abundance of Caution. The third most prevalent cause of data breaches, per BakerHostetler, was external theft. While this suggests responsibility should fall on the bad actors' shoulders, that's not always the case. The criminals are, after all, accessing laptops or mobile devices left in unlocked cars or other unsecured places.

Consider the risk an organization takes by not immediately deactivating a terminated or reassigned individual's access to physical premises or data systems.

Or recognize the danger of employees inadvertently sending sensitive data to the wrong party. It's a mistake, sure, but it can prove a costly one.

Improper disposal of devices, loss of passwords or key cards, leaving doors to buildings unlocked (or even just open while someone perhaps carries a heavy water jug to the break room), and simply plugging in a found USB device (with the intention of getting it to its rightful owner) can all wreak havoc as well. Your employee, however, might not see the potentially malicious side of any of these actions.

By bringing the possibilities to your team's attention, you'll help stem problems caused by people not taking the threat seriously enough.

Password Protections. We mentioned already the person who inadvertently invites access by leaving an external door propped open "just for a sec." Well, a lax view of password security protocol is just as dangerous.

With users today having so many different online password logins, they often rely on easily remembered passwords. Some even retain factory-set default passwords, opening the network door to cybercriminals who can put crucial business infrastructure at risk.

In fact, the most commonly used passwords remain "123456" and "password." Come on; we can do better!

Plus, many users reuse their passwords across accounts. This means a breach of one account could make several other accounts vulnerable too. Security training can emphasize the need for difficult-to-crack passwords and outline best practices for making new passwords meet the organization's standards.

Pullout: 9 out of 10 login attempts on web and mobile applications can be attributed to illegitimate users.

Risks of Progress

Working offsite, relying on cloud apps, and having access to IoT devices can boost employee morale and drive greater business innovation and productivity. Yet, these advances can also add to the risk of exposure.

For example, the employee who checks corporate email on a mobile device using public WiFi while waiting for a latte at a nearby coffee shop could be giving fraudsters access to sensitive information. Yet employees don't even think about the risk because they're being the good soldier and making sure they're caught up at work while offsite.

Training can cover the need to always use secure networks and how to secure mobile devices, while encouraging employees to act with caution both on and off site.

Social Engineering Threats

With the ubiquity of social networking sites, gaining the personal information needed to engage in a social engineering attack is a piece of cake for a hacker.

Just think about your Facebook profile. It's probably packed with personal information like your birthday, alma mater, family members' names (including pets), your hometown, and favorite activities. And each of these could be used to crack a password, answer a security question or contribute to a social engineering scheme.

Teach employees to recognize, and be wary of, pressure to act urgently or secretly.

Pullout: 97% of malware seeks to exploit users through some form of social engineering. - Symantec

Responding to Incidents

Employees can slow the progress of a breach by simply reporting when something feels "off." For example, an IT or finance department employee who receives a questionable call from an external party who "needs a favor" (sensitive data) to smooth something over with his or her boss shouldn't just hang up, but should also raise the flag that someone suspicious tried to access the information.

Or the employee who finds herself almost clicking on a link purportedly from the IRS, a vendor, or a lawyer, calling for urgent attention, can, in addition to deleting the message, give IT a heads-up so it can warn other employees to be hesitant, too.

Keep in mind, though, that simply offering a training session to all employees isn't sufficient; a single session doesn't make the lessons stick. It's also a good idea to test your team on an ongoing basis. Try different social engineering pretexts, increasing the complexity over time, to educate employees about other attack vectors and to identify remaining weaknesses.

Bring in Bootcamp Pros

RedTeam Security offers advanced application, network, and physical penetration testing. RedTeam Security is also highly skilled at conducting social engineering tests addressing four core areas of human susceptibility to persuasion and manipulation:

  • Email Phishing
  • Telephone/Text
  • Fax
  • Onsite/Physical Pretexting


If you're ready to learn more about preparing your team and securing your networks, applications and people, click the button below and let's chat!


RedTeam Security is a proud partner of InteProIQ, one of the leading cybersecurity awareness training firms. Visit them now to learn more about their simple e-learning solutions for promoting cybersecurity awareness within your organization.
