Use Your Discretion: Cyber Awareness Education for Employees
Make a plan for educating employees
Employees are usually left to use their discretion with corporate-owned technology on your networks pretty much all the time. As such, a lot of power is in their hands when it comes to which emails to open, which files to download, which portable media to plug in and which sites to visit.
There is an assumption that you can always monitor employees with technology. But you can’t, or don’t want to, always do that. The fact is that if security controls stand in the way of employees doing what they want, they often find a way to bypass those controls.
Every organisation needs a plan for educating employees on what can happen if they don’t exercise that discretion carefully.
In our recent Cyber Resilience Think Tank insight, “Employees Behaving Badly? Why Awareness Training Matters”, we quoted Gary Hayslip of Webroot:
“As a CISO, I would hope that employees would be somewhat educated on good practices for being on a computer and using the internet. With that said, time and again, I’ve found that this isn’t the norm. I believe it’s the responsibility of the organisation to provide security awareness education and resources, continuously over time, to remind employees that security and threats are dynamic and continuously changing.”
He continued, “When you have employees who don’t trust or understand your security program, they ignore proper security controls and work around them. This begins a whole lifecycle of the organisation’s security program having to put out self-induced fires because they haven’t done a good enough job evangelising the value of their program.”
Gary is completely correct about the CISO point of view on this. You can hope your employees know the correct ways to handle technology today, but you can’t assume anything. Because it’s impossible to keep tabs on your employees at all times, it’s up to you to ensure they’re well educated about what can happen if they don’t use due care.
Bad Habits Have Consequences
In general, employees are not doing bad things on purpose or out of malice, but their actions can greatly affect the security of your business and data. According to our 2018 State of Email Security Report, 61% of organisations suffered an attack in which malicious activity was spread from one infected user to other employees via email. How?
Without awareness training, your employees may not know that these four common ‘bad habits’ are dangerous:
Opening Email From People They Don't Know
They might think: it’s just email after all, right? What’s the harm in opening it? The truth is, the act of opening the email itself might not cause a tremendous amount of harm. It’s what comes next, once an email is opened, that causes problems, and we’ll get to some of those in a moment.
When an email comes in from an unfamiliar address, your employees are best advised to simply ignore it. It’s the easiest way to avoid many issues, such as…
Opening Attachments Without Care
Cyber attackers love to use malicious attachments to spread malware to unsuspecting victims. A classic example is hackers sending fake resumes riddled with malware to HR professionals. Opening such attachments can wreak havoc on corporate networks.
Your employees need to proceed with caution when opening attachments from unknown sources. You never know what might be lurking inside, no matter how innocuous the attachment may look.
Clicking Links Without Validating Them First
The key here is validation. If an email contains malicious links, the attackers have likely socially engineered the email to entice the recipient to click on them. Those clicks can lead to a whole host of problems that employees may not be aware of.
As with attachments, those links could spring malware on an unsuspecting victim’s computer and infect an entire network. Or they could lead to pages that prompt victims to enter their personal information or to transfer funds.
It’s critical to give employees the cyber awareness training they need to know that they shouldn’t click on suspicious links in emails. It’s best to validate with the sender, either over the phone or in person, that they actually sent the message.
Using Work Devices For Personal Use
In late 2018, Mimecast commissioned a Google Consumer Survey of 1,000 participants to examine the behavioural trends of employees using work devices for personal use. In that survey, about a quarter of respondents weren’t aware of even the most basic threats to their organisations, including phishing and ransomware.
This lack of cyber awareness could put your organisation at risk. If employees don’t know what can hurt them and their organisation, they’re more likely to engage in the kind of risky behaviour that could take down your network and leave you with a mess to clean up.
So, how do you turn the tide? Taking proactive steps to ingrain cybersecurity awareness in your employees and to encourage good habits is where to start. Training has to be engaging, fun, conducted consistently and delivered in short bursts. It’s also imperative to get buy-in from senior leadership, so that they see the value in these exercises.