Almost every day we hear about the damaging effects of a cyber attack on a business. The website Business.com estimates that a data breach can cost a small business anywhere from $120,000 to $1.24 million. And for the larger businesses, the figure is even higher.
The small business owner may feel exempt from cyber attacks, thinking that hackers are more interested in the “big fish,” but in fact nearly half of the cyber attacks that occur in the country are aimed at small businesses, and 68% of small businesses have experienced some sort of cyber attack in the last 12 months.
Security Today magazine points out a statistic that many in the industry know: human error is the biggest cause of security breaches. They cite a joint study by Stanford University Professor Jeff Hancock and security firm Tessian claiming that 88 percent of data breach incidents are caused by employee mistakes, whereas IBM Security puts the number at 95 percent.
As daunting as that statistic may seem, InfoSec Resources observes that an organization’s employees can also be a huge asset to its cybersecurity: with the proper training, employees can act as a first line of defense for the company.
This is a complex topic, and it will take more than one blog post to do it justice. Here are some key starting points that any training program should include.
- Email awareness: Phishing attacks are a common point of entry for hackers looking to breach an organization’s network. “Lack of awareness” and “human nature” are a hacker’s best friends. A cleverly worded email can offer some incentive if the recipient will click on a link – and that is where the problem starts. Employees should be trained to recognize these bogus emails and taught not to trust unsolicited emails. The company can further assist by making certain that all anti-virus and firewall programs are up to date. In particular, make your employees aware of the dangers of opening attachments.
- Passwords: Employees should be trained on the importance of creating strong passwords that are difficult to “crack.” There are strategies you can use to train your employees, including using a unique password for each online account, tips for how to create strong passwords (using a combination of symbols, numbers and letters), and using multi-factor authentication (MFA) for additional security. This training component could be accompanied by bringing in an expert to attempt to hack into employees’ email accounts to test the system’s vulnerability.
- Employees using personal devices: A big potential problem for infrastructures is the improper use of personal devices in the workplace. The practice can improve efficiency, in that employees are familiar with how their devices operate, and it also opens the door to their putting in extra hours at night or over the weekend. But there are security steps your training program should instruct employees to follow, including:
  - Strong passwords on each device
  - Encryption for all devices
  - Use a VPN on all devices when in areas with unknown Wi-Fi services (e.g., public places like coffee shops and malls)
  - Every personal device should run company-approved antivirus
- Using the Internet safely: With the workforce being a combination of in-house and remote, it is especially critical to train employees to follow the strictest Internet safety rules. In training employees, teach them the importance of recognizing suspect domains – with misspellings that look almost like “the real thing.” Training should emphasize the importance of verifying everything before opening it. This is especially true of anything with links, downloads, or files with unusual file extensions.
- Don’t overlook the obvious: When implementing training protocols for employees, don’t overlook the importance of physical security both in the office and in the home office. Sensitive data should be stored under lock and key. This includes paper documents as well as portable and removable devices. Employees should be trained to lock away documents containing sensitive information and to shred paper documents that are no longer needed.
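The email-awareness and Internet-safety points above both come down to two concrete checks that can be automated at the mail gateway or taught as a mental checklist: does a link point at a domain that merely resembles one the company trusts, and does an attachment name hide an executable behind a document-looking extension? The following script is an added example, not code from the original post; the trusted-domain list and the sample message are constructed for illustration, and the registrable-domain logic is deliberately simplified (a production version would consult the public suffix list).

```python
import re

# Constructed allowlist of domains this hypothetical organisation legitimately deals with.
TRUSTED_DOMAINS = {"example.com", "examplebank.com", "payroll-provider.com"}

# Extensions that commonly carry executable content; flagged whatever name precedes them.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "iso"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

# Captures the host part (plus any user-info or port) of http/https URLs in a body.
URL_RE = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname (simplification; real code uses the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is genuine or unrelated."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return None  # genuine domain or a subdomain of one
    for trusted in sorted(TRUSTED_DOMAINS):
        # Typosquat: within two character edits of a trusted domain, e.g. examp1ebank.com
        if edit_distance(domain, trusted) <= 2:
            return trusted
        # Brand name used as a whole label of an unrelated domain, e.g. examplebank.com.verify-login.net
        brand = trusted.split(".")[0]
        if any(label == brand or label.startswith(brand + "-") for label in labels):
            return trusted
    return None


def suspicious_attachment(filename):
    """Explain why an attachment name is risky, or return None if it looks ordinary."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in RISKY_EXTENSIONS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
            return f"{filename}: executable '.{ext}' hidden behind a '.{parts[-2]}' double extension"
        return f"{filename}: executable attachment type '.{ext}'"
    return None


def analyze_email(body, attachments):
    """Return human-readable findings for an email body and its attachment names."""
    findings = []
    for host in URL_RE.findall(body):
        host = host.split("@")[-1].split(":")[0]  # drop any user-info prefix and port
        target = lookalike_of(host)
        if target:
            findings.append(f"link to {host} resembles {target} but is not that domain")
    for name in attachments:
        reason = suspicious_attachment(name)
        if reason:
            findings.append(reason)
    return findings


# Constructed sample message for the demo; not a real phishing email.
SAMPLE_BODY = """Your account has been locked. Verify now at
http://examp1ebank.com/secure/login or review our policy at
https://www.example.com/policies/security."""
SAMPLE_ATTACHMENTS = ["Invoice_2024.pdf.exe", "agenda.docx"]

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print("WARNING:", finding)
```

Run as a script, it reports the typosquatted bank link and the double-extension attachment while leaving the genuine `www.example.com` link and the `.docx` file alone. The same two heuristics are what the training should put in employees' heads: compare the domain character by character against one you know, and distrust any attachment whose real extension is not the one it advertises.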
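The password point above lists the rules employees are taught (length, a mix of character types, nothing reused or well known). Those same rules can be enforced where passwords are created, so the policy is not left to memory. The checker below is an added example and not code from the original post; the small list of common passwords is constructed for the demo, and a real deployment would check candidates against a breached-password corpus instead (the Have I Been Pwned range API is the usual choice, since it never receives the full password).

```python
import math
import re

MIN_LENGTH = 12
MIN_CLASSES = 3  # of: lowercase, uppercase, digits, symbols

# Constructed stand-in for a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024!"}

CLASS_PATTERNS = {
    "lowercase": (r"[a-z]", 26),
    "uppercase": (r"[A-Z]", 26),
    "digits": (r"[0-9]", 10),
    "symbols": (r"[^A-Za-z0-9]", 33),
}


def character_classes(pw):
    """Names of the character classes present in the password."""
    return [name for name, (pattern, _) in CLASS_PATTERNS.items() if re.search(pattern, pw)]


def estimated_bits(pw):
    """Rough brute-force entropy: length times log2 of the character pool used."""
    pool = sum(size for name, (_, size) in CLASS_PATTERNS.items() if name in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, username=""):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} characters, minimum {MIN_LENGTH})")
    classes = character_classes(pw)
    if len(classes) < MIN_CLASSES:
        problems.append(f"too few character classes ({', '.join(classes) or 'none'})")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeated characters")
    return problems


def reused_passwords(passwords_by_account):
    """Given {account: password}, return groups of accounts that share a password."""
    groups = {}
    for account, pw in passwords_by_account.items():
        groups.setdefault(pw, []).append(account)
    return [sorted(accounts) for accounts in groups.values() if len(accounts) > 1]


if __name__ == "__main__":
    for candidate in ("Summer2024!", "Tr0ub4dor&3-is-long"):
        print(candidate, "->", check_password(candidate, username="jsmith") or "OK",
              f"(~{estimated_bits(candidate):.0f} bits)")
    # Constructed example of the "unique password per account" rule being broken.
    print(reused_passwords({"email": "Tr0ub4dor&3", "bank": "Tr0ub4dor&3", "payroll": "other-Pass-99"}))
```

The entropy figure is only an upper bound on how hard a password is to guess by brute force; a dictionary word with a digit appended scores well on it yet still falls to a wordlist, which is why the common-password check and the breached-corpus lookup matter more than the arithmetic.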
There is much more involved in a comprehensive employee training program, and in part two we’ll delve more deeply into the topic. Other areas we will cover include social media, office security, and some practical tips for training you can do internally. We’ll also look at how a company can protect itself, liability-wise, from a breach through cyber insurance. It does make sense to partner with a technology/IT firm with training expertise to make certain that your employees are as educated as possible on how to detect and avoid potential breaches.