Equifax’s recent announcement of a data breach compromising as many as 143 million people was a fresh reminder of the need for vigilance in cyber security. Yet updating technology isn’t the only way to prevent attacks on networks, applications, or facilities. Employee awareness training is a cost effective and ultimately low-tech way to prevent attacks.
Human error, regrettably, presents a major cyber security vulnerability. That coupled with the human impulse to trust others or want to help out another person in need can compromise even enterprises with the most technologically advanced cyber security program in place. That’s why just as companies offer sexual harassment or loss prevention training, it’s critical also to educate employees about what they can do to help protect against and prevent cyber attacks.
Businesses of any size need to be aware of the potential risks. Thinking “it won’t happen to us” is just foolish, especially when something as low cost as cyber security training can serve as a strong defense against a breach of systems, networks, devices, or physical premises.
In an article titled “Human Error is to Blame for Most Breaches” a BakerHostetler researcher noted that “failing to address the human component of data protection can negate many of the next-generation defense-in-depth technologies in which organizations are investing handsomely.”
In other words, it doesn’t matter if you’re spending millions of dollars a year on your digital defenses if your employees are clueless about security.
While BakerHostetler’s visual of threats shows human error coming in second per its 2016 report, it’s crucial to recognize that phishing, hacking, and malware also often rely on a human action or mistake to be set in motion.
Effective cyber security training can help employees learn about different cyber threats and methods of operation, targeted information, and countermeasures they can take, ideally through encountering real-life scenarios.
Consciousness Raising. It’s a phrase that goes back decades, but today can focus on making employees aware of the role they might unwittingly play in undermining the company’s many investments in cyber security.
Phishing, for instance, is a prevalent way for attackers to access an otherwise well-protected network. The means of the attack can vary, but overall, employees need to be taught to stop themselves before they take a potentially dangerous action such as:
Abundance of Caution. The third most prevalent cause of data breaches, per BakerHostetler, was external theft. While this suggests responsibility should fall on the shoulders of the bad actors, that’s not always the case. The criminals are, after all, accessing laptops or mobile devices left in unlocked cars or other unsecured places.
Consider also the risk an organization takes by not immediately deactivating a terminated or reassigned individual’s access to physical premises or data systems.
Or recognize the danger of employees inadvertently sending sensitive data to the wrong party. It’s a mistake, sure, but it can prove a costly one.
Improper disposal of devices, loss of passwords or key cards, leaving doors to buildings unlocked (or even just open while someone perhaps carries a heavy water jug to the break room), and simply plugging in a found USB device (with the intention of getting it to its rightful owner) can all wreak havoc as well. Your employee, however, might not see the potentially malicious side of any of these actions.
By bringing the possibilities to your team’s attention, you’ll help stem problems caused by people not taking the threat seriously enough.
Password Protections. We mentioned already the person who inadvertently invites access by leaving an external door propped open “just for a sec.” Well, a lax view of password security protocol is just as dangerous.
With users today having so many different online password logins, they often rely on easily remembered passwords. Some even retain factory-set default passwords, opening the network door to cybercriminals who can put crucial business infrastructure at risk.
In fact, the most commonly used emails remain “123456” and “password.” Come on, we can do better!
Plus, many users repeat their passwords across accounts. This means a breach of one account could make several other ones vulnerable too. Security training can emphasize the need for developing difficult-to-crack passwords and outline best practices in making new passwords meet standards.
Pullout: 9 out of 10 login attempts on web and mobile applications can be attributed to illegitimate users.
Working offsite, relying on cloud apps, and having access to IoT devices can boost employee morale and drive greater business innovation and productivity. Yet these advances can also add to the risk of exposure.
For example, the employee who checks corporate email on a mobile device using public WiFi while waiting for a latte at a nearby coffee shop could be giving fraudsters access to sensitive information. Yet employees don’t even think about the risk, because they’re being the good soldier and making sure they’re caught up at work while offsite.
Training can discuss the need to always use secure networks and how to secure mobile devices while encouraging employees to act with caution both on and offsite.
With the ubiquity of social networking sites, gaining the personal information needed to engage in a social engineering attack is a piece of cake for a hacker.
Just think about your Facebook profile. It’s probably packed with personal information like your birthday, alma mater, family members’ names (including pets), your hometown, and favorite activities. And each of these could be used to crack a password, answer a security question or contribute to a social engineering scheme.
Enable employees to recognize and warn them to be wary of pressure to act urgently or secretly.
Pullout: 97% of malware seeks to exploit users through some form of social engineering. — Symantec
Employees can slow the progress of a breach by simply reporting when something feels “off.” For example, if the IT or finance department employee who receives a questionable call from an external party who “needs a favor” (sensitive data) to smooth something over with his or her boss shouldn’t just hang up, but also raise the flag that someone suspicious tried to access the information.
Or the employee who finds herself almost clicking on a link purportedly from the IRS or a vendor or a lawyer, calling for urgent attention, in addition to deleting the message, can give IT the heads up to warn other employees to be hesitant, too.
Keep in mind, though, that simply offering a training session to all employees isn’t sufficient. That doesn’t make the lessons learned stick. It’s also a good idea to plan to test your team on an ongoing basis. Try different social engineering pretexts, amplifying the complexity over time, to effectively educate employees on different attack vectors and help identify vulnerabilities.
RedTeam Security offers advanced application, network, and physical penetration https://www.redteamsecure.com/services/red-teaming/on testing. RedTeam Security is also highly skilled at conducting social engineering tests addressing four core areas of human susceptibility to persuasion and manipulation:
See RedTeam Security Social Engineering in action:
If you’re ready to learn more about preparing your team and securing your networks, applications and people, click the button below and let’s chat!
RedTeam Security is a proud partner of InteProIQ, one of the leading cybersecurity awareness training firms. Visit them now to learn more about their simple e-learning solutions for promoting cybersecurity awareness within your organization.