Cybersecurity Training For Employees
According to over 1,000 IT service providers, a lack of cybersecurity awareness among employees is a leading cause of successful ransomware attacks against SMBs. Employee training is a top component of a successful cybersecurity protection program and most likely the only way to ensure all staff understand the cyber threats they face and, most importantly, what they should look for to avoid falling victim to them.
Cyber Scams 101
In 2016, it was estimated that roughly 80% of U.S. companies had suffered a cyber-attack of some kind, with 47% experiencing a “ransomware incident.”
At the root of most ransomware attacks is social engineering: the attacker manipulates a person or persons in order to gain access to corporate systems and private information. Social engineering plays on human nature’s inclination to trust. For cyber criminals, it is the easiest method of obtaining access to a private corporate system. After all, why would they spend time trying to guess someone’s password when they can simply ask for it?
5 Types of Social Engineering Scams to Know:
Phishing: the leading tactic leveraged by today’s ransomware hackers, typically delivered in the form of an email, chat, web ad or website designed to impersonate a real system and organization. Crafted to convey a sense of urgency and importance, these messages often appear to come from the government or a major corporation and can include the impersonated organization’s logos and branding.
Tailgating: when an unauthorized person physically follows an employee into a restricted corporate area or system. The most common example is a hacker calling out to an employee to hold a door open for them because they have “forgotten” their RFID card. Another example of tailgating is a hacker asking an employee to “borrow” a private laptop for a few minutes, during which the criminal can quickly steal data or install malicious software.
Baiting: like phishing, baiting involves offering something enticing to an end user in exchange for private data. The “bait” comes in many forms, both digital, such as a music or movie download, and physical, such as a branded flash drive labeled “Executive Salary Summary Q3 2016” that is left on a desk for an end user to find. Once the bait is taken, malicious software is delivered directly onto the victim’s computer.
Quid Pro Quo: like baiting, quid pro quo involves a request to exchange private data, but for a service rather than an item. For example, an employee might receive a phone call from a hacker posing as a technology expert who offers free IT assistance in exchange for login credentials.
Pretexting: when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority within the company in order to gain access to private data. For example, a hacker may send an email or a chat message posing as the head of IT Support who needs private data to comply with a corporate audit that does not actually exist.
Setting Up a Cybersecurity Training Program
The cybersecurity training schedule you choose will be dictated by the specific nature of your business and the systems, software and hardware you use. However, a good start is to ensure that all new employees receive training as part of their orientation and that all employees receive training on a bi-annual basis. It is important to have a formalized plan in place to keep security front of mind and employees informed about new threats.
While formal training is important, informal training can be very effective as well. Point staff to blogs on key security topics, ask them to take an online cybersecurity quiz, print out and post funny IT security memes around the office, and so on. Do whatever it takes to keep people aware and following safe browsing practices. If you don’t have the resources to put this type of training together, talk with your IT service provider and see if they can assist with educational materials or plans.
Be certain that employees understand this type of cyber scam is designed to prey upon the human fear of breaking the law. Instruct employees who encounter this type of pop-up NOT to click it. Instead, they should restart the computer in safe mode. If the pop-up is still there, get IT (or your MSP) involved.
70% of businesses that experience a major data loss go out of business within a year. You wear many hats, so you’re constantly juggling responsibilities; don’t let your IT plan be the one that keeps getting put on the back burner.