Employee Security Awareness Training


Hackers will use any vulnerable point of entry to gain access to your network and your data. It’s impossible to predict the next attack vector a cybercriminal will use, so it’s vital to put defenses in place to protect your business from all types of attack. This layered approach to cybersecurity should include:

  • Network-level security, including network firewalls, intrusion detection and intrusion prevention systems, and antivirus and antimalware software

  • Application-level security, including defense against denial of service (DoS) attacks, artificial intelligence (AI) and machine learning to detect and stop zero-day attacks, and protection from web application security threats such as cross-site scripting (XSS) and SQL injection

  • Endpoint protection and management that locks down mobile devices, keeps corporate data separate and secure on employees’ personal devices, and enables administrators to wipe lost or stolen devices

  • Email security, spam filters, and data loss prevention, which secure business communications, prohibiting the transfer of sensitive information and securing accounts

  • Access control solutions that enable administrators to strictly control who can access specific applications or data

  • IT security best practices, such as keeping security patches up to date, disabling unused ports, network segmentation, and using virtual private networks (VPN) to connect remote workers

Even if you put the most sophisticated security in place, however, your business will still be vulnerable to attack if you overlook one key element of a comprehensive security strategy: employee security awareness training.

Your team is made up of people with different backgrounds and experiences, and with varying knowledge of IT security best practices. They may not recognize the tactics that hackers use or know how to counter them. Furthermore, hackers have realized that as security solutions have become more effective at protecting infrastructure and applications, the greatest vulnerability they can exploit is the person using them.

Kaspersky research found that human error played a part in about 90 percent of data breaches affecting public cloud infrastructure.

How Cybercriminals Target People

Hackers use a variety of social engineering attacks in attempts to trick your employees into taking actions that deploy malware or making other security mistakes. Types of social engineering attacks include:

Phishing

In a phishing attack, attackers craft emails that look legitimate but are actually an attempt to get the recipient to provide information or open a link or attachment that deploys malware. It is becoming increasingly hard to distinguish a phishing email from a legitimate one. Cybercriminals may escalate their attacks to target specific people in "spear phishing" attacks. This type of attack involves researching a company to use real names and titles, and even personal details scraped from social media, to build trust and convince your employees to open or download a file, click a link, or provide login credentials.

URL Spoofing

Cybercriminals may create spoofed websites or landing pages that look legitimate. Once your employee opens the link, they may be asked to enter sensitive information or click a malicious link. The fraudulent URL may be hard to detect, even if employees are used to hovering over the link to see if it matches the sender’s domain — sometimes the URL is very close to the legitimate site. Spoofed URLs are distributed by phishing, but sometimes they are embedded in click-bait ads or in social media posts.

Stealing Login Credentials

Hackers may count on the fact that people use simple, common passwords. They may use an attack known as “password spraying” to try to gain access using passwords like “password” and “123456.” They may also use keyloggers to record what an employee types on their keyboard when they log in. But there are less sophisticated methods of stealing login credentials. A criminal may see a username and password written on a piece of paper or a sticky note and use it to log in.

Stealing Devices

Cybercriminals may also look for opportunities to steal mobile phones, flash drives, laptops, or other devices that may contain data or unprotected access to a network or applications.

Establishing a security awareness training program will make your employees aware of these threats — and protect your business by decreasing the chances that you’ll become victimized by them.

Topics to Include in Your Employee Security Awareness Training Program

One of the primary objectives of security awareness training is to teach employees to follow security best practices. These can include:

Using Strong Passwords

Employees may be tempted to use simple passwords that are easy to remember, but weak passwords are also easy for hackers to guess. In addition to strong passwords, you may require multifactor authentication, especially for access to sensitive data or proprietary information. If a password falls into the wrong hands, a cybercriminal would still lack the second authentication factor and could not access your network.

Spotting a Phishing Email

Provide your employees with tips for spotting malicious emails, such as making sure the domain of the email matches the alleged sender. Also, they should take note of misspellings or odd wording that may indicate the email text has been generated by a software program or translated from another language. Remember to take a deeper dive into current scams and tactics your employees may encounter and show them specific ways to recognize attempts to get them to click on links, open attachments, or give up sensitive information.
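To make the "does the domain match the sender" check from the phishing and URL spoofing sections concrete, here is an added example in Python (not from the original article or from Black Mountain Dynamics) that flags a From domain that differs from Reply-To or Return-Path, digit-for-letter lookalike sender domains, and body links that nest a trusted name under an unrelated domain. The sample message and the LEGIT_DOMAINS set are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original article). The display name
# claims a bank; the address, Return-Path and body links say otherwise.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank.com>
Return-Path: <bounce@mailer-xyz.net>
Reply-To: <verify@example-bank-login.co>
Subject: Action required: verify your account
Content-Type: text/plain

Please confirm your details at https://example-bank.com.verify-now.co/login
or visit https://www.example-bank.com/help for assistance.
"""

LEGIT_DOMAINS = {"example-bank.com"}  # assumption: domains the claimed sender really uses
URL_RE = re.compile(r"https?://([^/\s]+)")

def registrable(host):
    """Last two labels of a hostname: a crude stand-in for the public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def addr_domain(header_value):
    """Domain part of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_lookalike(domain):
    """True if undoing common digit-for-letter swaps (1->l, 0->o) yields a legit domain."""
    normalized = domain.translate(str.maketrans("10", "lo"))
    return domain not in LEGIT_DOMAINS and normalized in LEGIT_DOMAINS

def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    sender = addr_domain(msg["From"])
    if is_lookalike(sender):
        findings.append(f"lookalike sender domain: {sender}")
    for header in ("Reply-To", "Return-Path"):
        other = addr_domain(msg[header])
        if other and registrable(other) != registrable(sender):
            findings.append(f"{header} domain {other} differs from From domain {sender}")
    for host in URL_RE.findall(msg.get_payload()):
        if registrable(host) not in LEGIT_DOMAINS:
            nested = any(host.lower().startswith(d + ".") for d in LEGIT_DOMAINS)
            kind = "legit name nested under foreign domain" if nested else "link to unexpected domain"
            findings.append(f"{kind}: {host}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print("WARN:", finding)
```

The two-label `registrable()` helper is deliberately simplified; a production filter would use the public-suffix list so that domains like `example.co.uk` are handled correctly.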

Don’t Open Attachments from Unknown Senders

Stress to your employees that if there is any doubt about an email or attachment, or if they don't know what it pertains to, they should not open it. Also, explain the consequences of opening an attachment designed to deliver a cyberattack's payload, such as launching a ransomware attack.

Don’t Trust the URL

One way people have learned to avoid clicking a malicious link is to search for the company an email claims to be from and click the link in the search results. Some cybercriminals, aware of this safeguard, run legitimate-looking search engine ads during a phishing campaign. It is safest to bookmark the sites of the companies you do business with and use those bookmarks when you want to verify whether one of their representatives really needs information from you.

Don’t Download

Browsing on a work PC or mobile device may present the temptation to download an image, meme, or other content from the internet. Train your employees not to take this risk.

Clickjacking & Fake Ads

Cybercriminals may also embed malicious links in ads or on social media icons, so when the user clicks, they deploy malware. Make your employees aware of activities that are prohibited on work devices.

Avoiding Public Wi-Fi

Teach your employees the importance of following proper procedures when working outside the office, including using secure, private networks when accessing work applications remotely.

Safe Use of Social Media

Review sites and dangerous practices that your employees should avoid. Also, advise them to be careful what they post on social media — the information could be used against them in a phishing or social engineering attack.

Mobile Device Security

Educate your team about best security practices using mobile devices, including securing them with passwords or biometric authentication, keeping them locked, and immediately reporting to your business if they are lost or stolen.

The Principle of Least Privilege (POLP)

Explain the importance of granting read, write, or execute permissions only to the people whose job roles require them. POLP ensures that only authorized employees can access systems or data, and, if login credentials are stolen, the hacker can only reach the part of the network that the employee has permission to use.

Elements of Effective Training

Just as important as having a solid agenda for employee security awareness training is planning an effective way to deliver it. Keep explanations clear, simple, and not overly technical, so that employees at every level of IT expertise can understand them.

It’s also important to connect the dots for your employees between cybersecurity and the corporate policies you have in place. This is an effective way to increase the rate of compliance with BYOD, access control, and other policies aimed at stronger cybersecurity.

When conducting any type of employee training, remember that different people may learn in different ways. Listening to a presentation with the backdrop of PowerPoint slides may be effective for some of your team. Others, however, may benefit more from hands-on activities that let them experience how easily a cybercriminal could trick them into making a security mistake.

Taking a quiz can also help solidify concepts. Consider using resources, such as:

Your organization must also make a commitment to hold ongoing employee security awareness trainings to see a significant difference in employee behavior. Over time, employees can become overly confident, complacent, or forgetful, and reminders can help. Moreover, with the constantly changing threat landscape, your employees will need to learn about new types of attacks and the best ways to defend against them.

Webroot research shows that when businesses hold employee security awareness training once or twice each year, 35 percent of them will still click on suspicious links in a controlled exercise. When businesses increase training to once per month, however, the number of people who click on malicious links decreases by 70 percent.

The ROI of Employee Security Awareness Training

Investing time and effort in employee security awareness training will have a measurable return for your business. It will reduce downtime and IT costs related to security events. Well-trained employees will also keep your business in compliance with standards and industry regulations, which can help you avoid costly fines. Perhaps most importantly, your employees can become a force that proactively protects your business, rather than accepting cyberattacks as an inevitable cost of doing business.

Train your employees to become an effective part, rather than a weak link, in your layered cybersecurity strategy. Need help building and implementing a plan for complete network security? Click the button below to learn how Black Mountain Dynamics ensures that the information technology and data networks your enterprise depend on are secure and frictionless.

Rama Polefka