Why You Should Train Your Employees on Cybersecurity

Teaching employees to recognize both typical and atypical cyber attacks is crucial, because cybercrime is an ever-growing threat.

As businesses become more sophisticated, so do cybercriminals, and most organizations are badly under-equipped for this threat. Business insurance can offset the financial loss of a breach, but not the downtime, which is especially damaging to online retailers. It is crucial that digital retailers prepare every employee to recognize and resist these attacks.

What are the most common cyber risks?

Knowing which types of cybercrime occur most often helps employees judge what is and is not a risk; you can only fend off attacks you know to look for.

  1. Social engineering

Social engineering exploits human psychology. It manipulates emotional responses to gain access to private networks and sensitive information. Attackers use several techniques and often invest considerable planning and research in a chosen target employee.

The main techniques are phishing, scareware, quid pro quo, and tailgating.

  • Phishing uses credible-looking emails to gain a foothold. They may request sensitive data, prompt the recipient to open a link, or carry malware as an attachment.

Phishing emails may carry official business logos and niche details about the target, or simply look interesting enough to open. Many create a sense of urgency or panic so that the recipient acts before thinking.

  • Scareware uses a pop-up that claims malicious software has been found on your PC and that only the attacker's own "anti-virus" product can remove it. Engaging either costs a fee for useless software or installs real malware.
  • Quid pro quo offers IT help to people who happen to need it. It requires little research: the attacker cold-calls until someone with an IT problem engages, offers to fix it, and is then granted access to the target PC.
  • Tailgating means waiting for someone with access to a secure building to use an entrance and following them in. Attackers often dress like employees or wear an official-looking badge or emblem to be more convincing.
  2. Ransomware

Ransomware is malware that encrypts files and demands payment for the decryption key. In some cases the entire PC is unusable until the ransom is paid. It most commonly spreads through phishing emails.

  3. Distributed Denial of Service (DDoS) attacks

A DDoS attack targets a designated server, service, or network and floods it with traffic from many sources at once, typically a network of compromised machines, until it can no longer serve legitimate users.
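The following is an added illustration of what a volumetric flood looks like in a web server's own access log; it is example code written for this page, not part of the original article. It assumes the Apache/nginx "combined" log format, a constructed sample in which sixty seconds of normal traffic (two requests per second from five clients) are followed by a ten-second flood from two hundred distinct addresses, and thresholds (ten times the median baseline, at least fifty hits per second, twenty or more sources to call it "distributed") that are illustrative rather than tuned values:

```python
"""Spot a volumetric (DDoS-style) traffic spike in web-server access logs.
Stdlib only; the log lines below are constructed for this example."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed); only client IP and timestamp are used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def requests_per_second(lines):
    """Bucket hits by second; return [(second, hit_count, distinct_client_ips), ...] in time order."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            hits[ts][ip] += 1
    return [(sec, sum(c.values()), len(c)) for sec, c in sorted(hits.items())]


def detect_spikes(buckets, baseline_seconds=60, factor=10.0, min_hits=50, many_sources=20):
    """Flag any second after the warm-up window whose hit count exceeds factor x the
    median warm-up rate. Thresholds are illustrative, not tuned values."""
    warmup = [n for _, n, _ in buckets[:baseline_seconds]]
    baseline = statistics.median(warmup) if warmup else 0
    alerts = []
    for sec, n, ips in buckets[baseline_seconds:]:
        if n >= min_hits and n > factor * max(baseline, 1):
            alerts.append({
                "second": sec.isoformat(),
                "hits": n,
                "distinct_ips": ips,
                "baseline": baseline,
                "distributed": ips >= many_sources,  # many sources = DDoS, few = one noisy client
            })
    return alerts


def log_line(ip, ts, request):
    """Format one combined-format line (constructed sample data)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" 200 512 "-" "Mozilla/5.0"'


def constructed_log():
    """60 s of normal traffic (2 req/s from five clients) then a 10 s flood of
    200 req/s from 200 distinct addresses. All addresses are documentation ranges."""
    start = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(60):
        for k in range(2):
            ip = f"203.0.113.{(s + k) % 5 + 1}"
            lines.append(log_line(ip, start + timedelta(seconds=s), "GET /index.html HTTP/1.1"))
    for s in range(60, 70):
        for k in range(200):
            ip = f"198.51.100.{k + 1}"
            lines.append(log_line(ip, start + timedelta(seconds=s), "GET / HTTP/1.1"))
    return lines


if __name__ == "__main__":
    for alert in detect_spikes(requests_per_second(constructed_log())):
        print(alert)
```

Run against the constructed log, detect_spikes returns one alert per flooded second. The distinct_ips field is what separates a distributed flood from a single misbehaving client or crawler, which is the first thing the IT department will want to know when an employee reports that the site has slowed to a halt.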

  4. Third-party software

This is any software developed by a company other than the vendor of the operating system (such as Microsoft). It includes apps, commercial packages, and open-source software.

Every company uses some third-party software. The risk arises when an employee installs software with known vulnerabilities, or leaves it unpatched, and attackers exploit those vulnerabilities.

  5. Cloud computing vulnerabilities

The cloud is a rich source of information for attackers. A compromised cloud account can expose employee data and serve as a direct conduit to the sensitive information they are really after.

The main cloud vulnerabilities are poor credential and access management, exploitable bugs in the chosen cloud platform, and malicious insiders within the company itself.

Importance of training employees in cybersecurity

Cybersecurity is every employee's responsibility. It is not solely the domain of the IT department, and no software package alone can protect a company's sensitive information.

Equipping everyone to recognize typical and atypical attacks is crucial. Trained employees are far less likely to be emotionally triggered or pressured into falling for a scam.

Most organizations are unprepared for "fifth-generation" cyber attacks, which are multi-vector: they can begin on a mobile phone and move on to the associated cloud services and data center. In the UK, nine out of ten cyber breaches in 2019 were due to human error.

According to Verizon's Data Breach Investigations Report (DBIR), phishing is involved in most cybercrime, and anti-phishing campaigns and training have been shown to reduce how often it succeeds.

The same report tracks the fall in click rates on suspicious test emails: with the right training, click rates dropped from 25 percent in 2012 to 3 percent in 2018.

Effective cybersecurity training and best practices for employees

Employees should be empowered rather than left riddled with fear of cyber attacks. Interactive, even entertaining, cybersecurity training has proven successful: employees engage with it instead of feeling bogged down by overly technical material.

  • Apply the principle of least privilege (POLP). Each user account gets just enough access to do that person's job and no more. Employees then cannot install third-party software on their own, and their reach beyond their role is limited, which also limits an attacker's reach if the account is compromised.
  • Strong passwords and multi-factor authentication (MFA) are a must. Employees should use long passphrases rather than short passwords and never reuse a password across services. A strong password mixes uppercase, lowercase, numerals, and symbols, but length matters more than any single character class.
  • Make cybersecurity a regular practice and priority. Have the IT department send mock phishing emails with links and attachments to test employees, without penalizing those who click, and follow up with short updates and quizzes on the topic.
  • Conduct formal cybersecurity training every quarter and make it part of employee onboarding.
  • Employees should always wear their security badges. Tailgating, even by people you recognize, must always be challenged or prevented.

How to spot cyberattacks

  • Keep an eye out for unexpected emails. Treat email links with caution even when the sender looks reputable, and check where a link actually points before clicking it. Employees must never reply to such emails: a reply confirms the address is live and invites more aggressive phishing.
  • Be alert to unusual password activity. A password-change or login notification that the employee did not trigger indicates a compromised password; report it and reset the password immediately. Randomly generated strong passwords, changed every quarter, shorten the window of exposure, and MFA means a stolen password alone is not enough.
  • A sudden, unexplained increase in network traffic can be a tell-tale sign of an attack. If a network or website has slowed to a halt, inform the IT department as soon as possible.
  • Pop-ups, whether obviously suspicious or apparently helpful, can be a way in. Employees should not interact with them at all, not even to click the close button, which may itself trigger a download; close the browser tab or window instead.
  • A more active way to spot threats is to run anti-virus and anti-malware software on every endpoint. Employers can also review threat-detection logs to track attacks and investigate them further.
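The first of the points above, checking where a link really points and being suspicious of senders and attachments, is mechanical enough to automate. The following is an added example written for this page (not the article's own code, and not a product of IDstrong.com) that parses one raw email and reports the classic tells: a Reply-To on a different domain from the From address, anchor text that names one site while the href points at another, an executable attachment, and urgency language. It uses only the Python standard library; the phrase and extension lists are assumptions, the sample message is constructed, and the "last two labels" domain comparison is a deliberate simplification that a real deployment would replace with a public-suffix list:

```python
"""Flag the classic phishing tells in a raw e-mail: mismatched Reply-To, links whose
visible text names one site but point at another, executable attachments, and
urgency language. Stdlib only; the sample message is constructed for this example."""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Word and extension lists are assumptions for the example, not a vetted detection corpus.
URGENCY_PHRASES = ("within 24 hours", "account will be suspended",
                   "verify your account", "unusual activity", "act now", "final notice")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd")
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def host_of(url):
    """Lowercase hostname of a URL; tolerates scheme-less 'www.example.com/x'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude last-two-labels approximation (paypal.com for www.paypal.com).
    Real code should use the public-suffix list for names like example.co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    from_dom = registered_domain(parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower())
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr:
        reply_dom = registered_domain(reply_addr.rsplit("@", 1)[-1].lower())
        if reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for visible, href in collector.links:
            # Visible text that is itself a URL must agree with where the href really goes.
            if LOOKS_LIKE_URL.match(visible) and \
                    registered_domain(host_of(visible)) != registered_domain(host_of(href)):
                findings.append(f"Link text shows {host_of(visible)} but points to {host_of(href)}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"Executable attachment: {name}")
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if len(hits) >= 2:
        findings.append("Urgency language: " + ", ".join(hits))
    return findings


def constructed_sample():
    """Build a lookalike 'PayPal' mail with every tell present (constructed, not a real mail)."""
    m = EmailMessage()
    m["From"] = "PayPal Support <service@paypa1-billing.example.net>"
    m["Reply-To"] = "recovery@mailbox.example.org"
    m["To"] = "employee@example.com"
    m["Subject"] = "Unusual activity on your account"
    m.set_content(
        "<p>We detected unusual activity. Verify your account within 24 hours "
        "or your account will be suspended.</p>"
        '<p><a href="http://paypa1-billing.example.net/verify">'
        "https://www.paypal.com/myaccount</a></p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Invoice.pdf.exe")
    return m.as_string()


if __name__ == "__main__":
    for finding in analyse(constructed_sample()):
        print("-", finding)
```

On the constructed message analyse returns four findings, one per tell. None of them is conclusive on its own (legitimate newsletters use a different Reply-To, and real invoices sometimes arrive as attachments), which is why the output is a list of indicators for a human or a mail gateway to weigh rather than a verdict.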

How to report cybersecurity threats

Cybercrime is heavily under-reported, which emboldens would-be criminals. Often this is simply because employees do not know the reporting protocol.

Law enforcement agencies have units dedicated to cybercrime.

Inside the company, report a suspected incident to the IT or security team first so they can contain it. In the US, internet crime can be reported to your local FBI field office or by filing a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov.

Conclusion

Cybercrime is an ever-growing threat and is rapidly becoming more sophisticated. Every day, employees either stand together as a strong line of defense or present themselves as easy targets for opportunistic cybercriminals. Don't let it be the latter.

David Lukić is an information privacy, security and compliance consultant at IDstrong.com. His passion for making cybersecurity accessible and interesting leads him to share everything he knows.