Hollywood would have us believe that cyberattacks are elaborately planned and use expensive, sophisticated tools developed by nerds in dark rooms and basements. Yet in real life, most cyberattacks are nothing like that. In fact, most initial cyberattacks look more like the opening scene from the 1973 film "The Sting". That is to say, the majority of cyberattacks occur due to nothing more than a simple con.
Phishing remains a primary attack method. A scammer sends an email that looks legitimate, and an unsuspecting victim clicks on a malicious link or opens a malicious attachment. This in turn may download malware or lead the victim to a webpage that looks credible but is set up to gather personal data like credentials, account or tax numbers, or other information.
We've given this age-old formula a fancy, new-age name: We call it "Social Engineering" and it targets the human desire to help. A hacker might drop an infected thumb drive in the parking lot of the target business. They need only one well-intentioned person to pick it up and plug it into the office system to see who it belongs to. Or maybe they call, claiming to represent a contractor who urgently needs important credentials or information.
Your cybersecurity is only as strong as its weakest link. In many cases, your employees are that weakest link. They are busy working hard, so they don’t stop to question things, or they can be too trusting. Take a supply-chain attack that compromises your vendor: the attackers send a malicious file posing as an invoice to your accounting department, and your people don’t notice, because they usually trust the vendor. Even the best anti-virus and email scanning systems don't always catch everything. So how do we combat this?
Educate Employees about Their Role in Cybersecurity
The largest step toward mitigating potential threats is education. Every business needs to educate employees about the part they play in cybersecurity. This is easier said than done, as some employees may feel that it’s not their concern. They’ll expect IT or someone else at work to handle malware and prevent cyberattacks. But the reality is each and every individual has a role.
It can help to put the potential threat in personal terms. Help them to understand that they are not only protecting work data on the network, and it’s not just client personal details: it’s their names, addresses, and social security numbers, too. It’s how much they get paid, healthcare records, resumes, and more, which is exactly the kind of information hackers exploit in identity theft. One hack can have a huge ripple effect.
There’s also the argument that if your business suffers a breach or downtime, everyone could be out of a job. Major data breaches or attacks can destroy a business. Of course, the individual didn’t mean to do anything wrong, but their ill-advised action costs you and your company, which can mean downtime, lost productivity, damaged brand reputation, compliance issues, and more. Helping employees understand the scope of these risks, and the part they have to play, is the key to making sure whatever education or training you provide actually sticks.
Cybersecurity Is an Ongoing Concern
It’s also important that you don’t treat cybersecurity training as a one-off thing. Running through a list of “do nots” in employee onboarding and then moving on is not going to work. Instead, cybersecurity literacy needs to be built into your workplace culture. This means regular reminders to employees about strong passwords, thinking twice before sharing any sensitive data, and what to look for in terms of phishing or other attack scenarios. Just as importantly, remind them what to do in the event they spot something wrong, whether that's submitting an email or file to the security team or letting them know right away about a potential password/account breach.
Your business can also show the importance of employees taking responsibility by:
- Discussing cybersecurity in hiring processes
- Outlining policies and procedures in the handbook
- Reminding employees to regularly update and upgrade technology
- Monitoring applications downloaded onto work devices
- Having a clear policy for people bringing in their own devices
- Adding multi-factor authentication to remote access
Ransomware threats are on the rise globally, and cybercrime gangs are targeting any weakness, regardless of business size or industry. Enlist your employees in the ongoing fight against hackers.