Cybercrime costs Canada 0.17% of its GDP, which is equal to $3.12 billion a year.[i] Many cybersecurity threats, for example advanced malware, require sophisticated technology to combat the attacks. However, day to day, a company’s greatest vulnerability is its employees. Too often, when faced with a cyber attack, shareholders worry about possible technology weaknesses. Instead, they need to take a hard look at the people the company employs and whether they’ve been properly trained.
Employees can either be your strongest line of defence against cyber attacks, or your weakest link. It all depends on how informed your employees are about the cybersecurity threats your organization faces. From employees leaving mobile devices and laptops unattended in public places, using weak passwords, or storing sensitive data on the local hard drive, to inadvertently communicating confidential information to a hacker during a socially-engineered spear-phishing campaign, human error is the greatest threat to your company’s cybersecurity. Almost 90% of cyber attacks are caused by human error or uninformed behaviour.[ii]
You can’t fault the employees if they’ve never been educated in cybersecurity best practices. An employee education and training program is a vital part of any-sized company’s cybersecurity defence and should be part of every company’s incident response planning. The program needs to encompass all employees, from the C-Suite to the summer intern, who have access to your company’s technology, even if only to email.
Be proactive and pro fun with your cybersecurity training
Spread the cybersecurity word any way you can, from lunch and learns (free food tends to draw a crowd) and seminars, to newsletters, emails and webinars. The important thing is reaching each employee in a meaningful way so that they understand the value the company places on cybersecurity.
Cybersecurity education needs to happen prior to your business being hit by a cyber attack, not in the aftermath. Make cybersecurity education part of your onboarding process and then, in addition, create opportunities for ongoing cybersecurity refreshers to bring it to the conscious level of all employees regularly. Make the refreshers relevant and engaging, perhaps highlighting when cybersecurity breaches make headlines and how the newest malware can impact them personally, as well as professionally. Make learning about cybersecurity fun with online surveys and competitive quizzes, and awards for demonstrating good cyber hygiene at work. Getting employees to buy into the cybersecurity training willingly will be far more successful than if they feel forced.
Cybersecurity 101 for Employees:
Here are a few topics that need to be covered in your cybersecurity lesson plans:
What the threats are
Cover the online threats they face, including email scams, malicious links and phishing attacks, botnets, trojans and viruses. It’s not just emails that they need to worry about, but also malicious apps, text messages and unsolicited phone calls. As they say, knowing is half the battle, so inform your employees about what cybersecurity threats look like and where they come from. If possible, show your employees real-life examples so they can look the cyber-enemy in the eye.
“So what if I use the same password for all my accounts both at home and at work – what’s the big deal?”
Communicate to employees the potential impact a cyber attack can have on your business, showing them precisely what the big deal could be. Explain how the consequences of poor cyber hygiene at work can lead to a cyber attack, also addressing the fallout from an attack or breach, such as financial loss, fines and loss of customer trust.
Make it personal by showing staff how their actions can affect their job and those of their co-workers. Illustrate this by taking them through realistic scenarios based on common mistakes. For example, guide them through the scenario of what can happen when an employee leaves a laptop, with a weak password and sensitive data stored on it, on a coffee shop table while they grab a refill, or uses the public Wi-Fi in that same coffee shop to access work documents that contain important information. Reveal the dangers of posting personal details on social media, such as kids’ names and birthdays, that may be used in work application passwords. Many employees don’t realize how their misbehaviours could potentially be undermining your business’s cybersecurity.
Rules and reasoning
Create and communicate specific rules for safe browsing at work, including accessing social media and using personal devices on the company Wi-Fi. Also, inform employees as to why those rules are in place. People are more apt to follow the rules if they understand the reason for them. Caution employees to be skeptical of suspicious links or attachments from unfamiliar sources when using company devices – whether that’s a video on social media, a link in a text, or a phishing email. Make rules realistic. Banning the use of smartphones at work is no longer a realistic rule. You want employees to follow the rules, not balk at them.
How to spot and respond to a cyber attack
Show them exactly what to look for and then give them a protocol to follow if they spot evidence of an attack. Make it clear and easy for staff to report unusual network activity, suspicious emails and texts, or a misplaced device – even if it turns out to be nothing. It’s better to be cyber-safe than cyber-sorry. Even odd phone calls from an unrecognized vendor or supplier can be an early phishing attempt, and a consolidated record lets you spot when the same suspicious number has contacted multiple employees. It’s also important that staff feel comfortable reporting these issues, even if they seem insignificant. If staff feel embarrassed, they are less likely to come forward with an incident, and that can be costly.
Cybersecurity is everybody’s job
Make cybersecurity easily adoptable for employees. If you force your staff to change their passwords too often, they’ll most likely resort to writing them down, and sticky notes are not secure. If you make accessing the systems or data that they need to be successful at their jobs too tricky, then you can almost guarantee that they’ll find less secure ways, like personal emails and apps, to cheat the system and bypass your cybersecurity measures.
Cybersecurity is every employee’s responsibility. Therefore, every employee needs to be educated on good cyber hygiene and safe cybersecurity behaviour. The C-Suite, upper management and IT all need to be part of the training program. The higher someone is placed in a company, the more sensitive information they have access to, which puts a larger cyber-target on their back. The IT department has greater influence over the network, making them a target for hackers determined to breach your defences. You must ensure that cybersecurity complacency doesn’t set in. Remember, your company’s cybersecurity is only as strong as its weakest link. Fortify your cybersecurity defences by educating your employees.
Happy back to school!