It’s a common belief that people are the last line of defense during a cyber-attack. Wrong. In many instances, people are in fact the first line of defense: a phishing email only becomes an incident when someone acts on it. If your employees are (1) aware and (2) properly trained, then they will be one of your strongest assets in the never-ending fight against cybercrime.
Basic human behaviors such as inquisitiveness, excitement, distraction, and indecision make people extremely vulnerable to one of the most common and effective attack techniques, Social Engineering. Social Engineering is a term used to describe a wide variety of techniques that malicious hackers use to manipulate human beings into helping a cyber-attack succeed. The most common example of a Social Engineering attack is Phishing. This is an exercise where a message (usually an email, but the same trick works by text message or phone call) is sent with the intent of tricking the recipient into clicking a malicious link, opening a malicious attachment, or relinquishing sensitive information such as passwords, credit card numbers, or bank account details. The victim rarely realizes they have been exploited until it is too late.
The results of a successful Phishing attack can be devastating. In some cases, the network is infected with malware such as ransomware, causing loss of data and significant outages or disruptions. In other cases, sensitive information or data is stolen and further exploited or resold on the dark web. There are also many documented cases of unauthorized wire transfers (often called Business Email Compromise) resulting in tremendous and unrecoverable financial losses, because the attacker never touched a system at all, only a person.
Social engineering plays a role in a large share of reported data breaches. It is very common for cybercriminals to target humans rather than systems, because a person who can be talked into clicking a link or sharing a password is easier to reach than a patched server. Your unsuspecting, friendly, and helpful employees are like sitting ducks in the crosshairs of a high-powered hunting rifle. They are perhaps the weakest point of attack and will almost certainly be taken advantage of… unless they are turned into an army of cybercrime fighters.
So, how does an organization take a group of employees and turn them into an effective cybercrime fighting machine? I’m glad you asked. There are three simple steps that must be executed:
Step 1 Develop A Culture Of Security
Cultures are ultimately defined and upheld from the top down. Leadership, Executive and Management teams must commit to the creation and enforcement of cybersecurity policies, procedures, and processes, and they must follow those policies themselves; an executive who demands an exception to multi-factor authentication teaches everyone that the rules are optional. They must also emphatically message and communicate the importance of good cybersecurity hygiene. Employees should understand exactly how they can be good cybersecurity stewards and, more importantly, why it is so critical that they are. Lastly, employees who transform into skeptical, protective, and enlightened cybercrime fighting soldiers should be recognized and rewarded.
TIPS to Help Develop A Culture Of Security:
- Create cybersecurity policies – these are the guidelines and rules.
- Publish cybersecurity policies – allow employees to read and digest the content.
- Assign roles and responsibilities – tell employees what they must do.
- Good governance – enforce the rules, reprimand offenders & celebrate achievers. One caveat: never punish an employee for reporting that they clicked something they shouldn’t have. The sooner you hear about a mistake, the cheaper it is to contain, and punishing honesty guarantees you will stop hearing about it.
- Frequent Communication – talk about cybersecurity often, remind and reinforce!
Step 2 Educate And Train
The best armies are well trained. They are not only armed, but they understand exactly how and when to use their weapon. They know who the enemy is. They understand their mission. They know what they are fighting for. They have practiced and are ready for combat. Teach your employees about common threats and dangers such as Social Engineering attacks. Show them how to use software and computers in a secure fashion. Explain what the correct processes and procedures are, including how to report a suspicious email or phone call and whom to tell, since a report that arrives quickly is worth more than any single blocked click. Provide them with the critical training they need to effectively fight cybercrime.
TIPS to Help Educate And Train:
- Implement a security awareness training program – commit to the training.
- Be sure the content is meaningful and relevant.
- Make the training fun and engaging – tell lots of stories.
- Make the training mandatory.
- Make the training frequent – a full session at least once a year, with short refreshers in between so the lessons stay current.
- Focus on the basics – keep the content simple and easy to understand.
Step 3 Test The Effectiveness
It will be difficult to know if your new cybersecurity culture is performing as you hoped unless you test the effectiveness of policies, processes, procedures and awareness training. Is the effort you’ve put into creating an army of equipped cybercrime fighting employees actually providing the protection you desire? There are only two ways to find out. One, wait for a real attack to occur and hope for the best – or – two, launch a simulated attack yourself. Controlled Phishing attacks, penetration tests, tabletop incident response exercises or even a Monday morning pop quiz can all be effective exercises to test your employees’ level of understanding and compliance. Track the results over time: the click rate on simulated phishing tells you who is still fooled, and the report rate tells you whether the people who weren’t fooled are actually raising the alarm. Use the test results as an opportunity to re-engage with employees or even re-tool training efforts. Get better with practice.
TIPS to Help Test The Effectiveness:
- Launch simulated Phishing attacks – see how employees actually behave, and measure how many report the message, not just how many click it.
- Spot check for policy compliance – it is after 5PM, is the Clean Desk Policy working?
- Include social attacks in the scope of penetration testing.
- Conduct tabletop exercises.
- Document and share results.
- Learn and get better.
Right now, your employees are probably the weakest link in your cybersecurity defense chain. Make them your strongest link. You will be glad you did. Your army awaits your command.