Michael Madon

Michael Madon is Senior Vice President and General Manager of Mimecast Security Awareness. From 2009-2014, he served as Deputy Assistant Secretary in the Office of Intelligence and Analysis of the Treasury Department. He was awarded the National Intelligence Distinguished Service Medal, the Intelligence Community's highest award, as well as a Bronze Star.


Use Your Discretion: Cyber Awareness Education for Employees

Make a plan for educating employees

Employees are usually left to use their discretion with corporate-owned technology on your networks pretty much all the time. As such, a lot of power is in their hands when it comes to what emails to open, what files to download, what portable media to plug in and what sites to visit.

There is an assumption that you can always monitor employees with technology. But you can't, or don't want to, do that all the time. The fact is that if security controls stand in the way of employees doing what they want, they often find a way to bypass those controls.

Every organisation needs a plan for educating employees on what can happen if they don't use their discretion.

In our recent Cyber Resilience Think Tank insight Employees Behaving Badly? Why Awareness Training Matters, we quoted Gary Hayslip of Webroot:

“As a CISO, I would hope that employees would be somewhat educated on good practices for being on a computer and using the internet. With that said, time and again, I’ve found that this isn’t the norm. I believe it’s the responsibility of the organisation to provide security awareness education and resources, continuously over time, to remind employees that security and threats are dynamic and continuously changing.”

He continued, “When you have employees who don’t trust or understand your security program, they ignore proper security controls and work around them. This begins a whole lifecycle of the organisation’s security program having to put out self-induced fires because they haven’t done a good enough job evangelising the value of their program.”

Gary is completely correct about the CISO point of view on this. You can hope your employees are prepared for the correct ways to handle technology today, but you can’t assume anything. Because it’s impossible to keep tabs on your employees at all times, it’s up to you to ensure they’re well-educated about what can happen if they don’t use due care.

Bad Habits Have Consequences

In general, employees are not doing bad things on purpose or out of malice, but their actions can greatly impact the security of your business and data. According to our 2018 State of Email Security Report, 61% of organisations suffered an attack where malicious activity was spread from one infected user to other employees via email. How?

Here are four common ‘bad habits’ your employees may not know can be dangerous, without awareness training:

  1. Opening Email From People They Don't Know

    They might think: It’s just email after all, right? What’s the harm in opening it? The truth is, the act of opening the email itself might not cause a tremendous amount of harm. It’s what comes next once an email is opened that causes problems, and we’ll get to some of those in a moment.

    When an email comes in from an unfamiliar address, your employees are best advised to just ignore it. It’s the easiest way to avoid many issues, such as…

  2. Opening Attachments Without Care

    Cyber attackers love to use malicious attachments to spread malware on unsuspecting victims. A classic example of this is when hackers send fake resumes riddled with malware to HR professionals. Opening such attachments can wreak havoc on corporate networks.

    Your employees need to proceed with caution when opening attachments from unknown sources. You never know what might be lurking inside, no matter how innocuous they may look.

  3. Clicking Links Without Validating Them First

    The key here is validation. If an email has malicious links, the attackers have likely tried to socially engineer the email to entice the recipient to click on them. Those clicks can lead to a whole host of problems that employees may not be aware of.

    Those links could, as with attachments, spring malware on an unsuspecting victim’s computer and infect an entire network. Or they could lead to prompts where victims put in their personal information or are asked to transfer funds.

    It’s critical to provide employees with the cyber awareness training to know that they shouldn’t click on suspicious links in emails. It’s best to validate with the sender, either over the phone or in person, that they actually sent it.

  4. Using Work Devices For Personal Use

    In late 2018, Mimecast commissioned a Google Consumer Survey of 1,000 participants to examine the behavioral trends of employees using work devices for personal use. Within that survey, about a quarter of respondents weren’t aware of even the most basic threats to their organisations—including phishing and ransomware.

    This lack of cyber awareness could put your organisation at risk. If employees don’t know what can hurt them—and their organisation—they’re more likely to engage in the kind of risky behaviours that could take down your network and leave you with a mess to clean up.

    So, how do you change the tide? Taking proactive steps to ingrain cybersecurity awareness in your employees and to encourage good habits among them is where to start. Training has to be engaging, fun, conducted consistently and delivered in short bursts. It’s also imperative to get buy-in from senior leadership, so they see the value in these exercises.
