It’s easy to underestimate the amount of risk a typical employee takes on each business day. Especially now that many teams have gone hybrid or fully remote for the foreseeable future, more of our working day happens in virtual interactions, and those are sometimes easy to fake. Even high-profile companies are increasingly the target of successful data breaches and cyber-attacks: the Identity Theft Resource Center’s 2021 annual report put the number of known breaches at an all-time high of 1,862, up 68% from the previous year.
For small businesses the effects can be even harder to absorb. Kaspersky Lab found that the average direct cost of a security breach to a small business was $38,000, and that figure does not include the damage to your reputation, your brand or your intellectual property.
So, the short answer is yes, especially if your team works remotely: having no employee cyber security training at ANY level is simply a bad idea. But if you have nothing in place, where do you even start? What should your employees be able to recognize? Let’s go over the basics.
Cyber Security: Email
Let’s set the scene: your coworker gets an email. It appears to come from their manager, who wants to meet with them privately, and there’s a link to join the meeting at 2:00 today. “Huh, that’s odd, I don’t usually meet with this person,” the coworker thinks, but they click the link anyway, and BOOM. This is phishing, and it is one of the easiest ways for malware to spread and for passwords to be stolen.
How can you mitigate this risk? Employees need training that reminds them not to trust an email simply because it looks like it came from a coworker, a manager or a lead. Phishing is reported to be involved in around 80% of all cyber-attacks, so this is a big one!
As a rule of thumb, your training needs to remind employees to…
- Report anything that looks “fishy” before deleting it. If you have an IT or security team, forward the message to them (as an attachment, so the original headers are preserved) so they can confirm whether it is a phishing attempt
- Check the actual sender address, not just the display name, for slightly “off” domains or misspellings (examp1e.com instead of example.com), and hover over links to see where they really point
- Do not act on anything coming from a new, unrecognized email address without checking with the IT department first
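The checks in the list above can be automated as a first-pass triage before a message reaches a human. The script below is an added example for this page, not code from the original article or from Digitec/Apti; it assumes a hypothetical company that owns example.com and mail.example.com, and it runs over two constructed sample messages (a phish that impersonates a CEO from a lookalike domain, and a clean message) rather than real mail. It applies three of the indicators a trained employee is asked to spot: a sender domain that merely resembles a company domain, a Reply-To that goes somewhere other than the sender, and a link whose visible text shows a different host than its href.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Domains the (hypothetical) company really sends mail from. Assumption for
# this example; a real deployment would load the organisation's own list.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Constructed sample messages for the walkthrough, not real captures.
SAMPLE_PHISH = """\
From: "Dana Reyes (CEO)" <dana.reyes@examp1e.com>
Reply-To: dana.reyes.ceo@freemail.test
To: staff@example.com
Subject: Quick private meeting at 2:00 today
Content-Type: text/html

<p>Can you join me privately at 2:00? Use my room:</p>
<p><a href="http://meet-example.com.attacker.test/j/123">https://meet.example.com/j/123</a></p>
"""

SAMPLE_CLEAN = """\
From: "Dana Reyes" <dana.reyes@example.com>
To: staff@example.com
Subject: Team meeting
Content-Type: text/html

<p>Agenda and link: <a href="https://meet.example.com/j/123">https://meet.example.com/j/123</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#]|$)', re.I)


def host_of(text):
    """Return the lowercased host if *text* looks like a URL or bare hostname, else None."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def looks_like(domain, trusted):
    """True when *domain* is not *trusted* but is close enough to be a typo-squat."""
    return domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.8


def analyze(raw_message):
    """Apply the indicator checks from the training list and return a list of findings."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Sender address: exact match against trusted domains, then lookalike check.
    if from_domain not in TRUSTED_DOMAINS:
        similar = sorted(t for t in TRUSTED_DOMAINS if looks_like(from_domain, t))
        if similar:
            findings.append(f"sender domain {from_domain!r} is a lookalike of {similar[0]!r}")
        else:
            findings.append(f"sender domain {from_domain!r} is not a company domain")
    if "@" in display_name:
        # A display name that is itself an e-mail address is a common spoofing trick.
        findings.append(f"display name {display_name!r} contains an address")

    # 2. Reply-To pointing somewhere other than the sender's domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_addr!r} goes to a different domain than the sender")

    # 3. Links whose visible text shows one host while the href points to another.
    body = msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        shown = host_of(re.sub(r"<[^>]+>", "", text))
        actual = host_of(href)
        if shown and actual and shown != actual:
            findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(sample) or ["no indicators found"])
```

Run stand-alone, the script reports three findings for the constructed phish and none for the clean message. The similarity threshold of 0.8 is a tuning knob, not a standard: set it too low and every unrelated vendor domain is flagged, too high and single-character swaps like examp1e.com slip through, so review a sample of real mail before settling on a value.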
Some ways to train employees to watch out for these scams are:
- Provide initial education, then continuing education or microlearning to keep these tips top of mind
- Quiz employees regularly on what to look for
- Consider running a simulated phishing email to check that employees are following the protocol. If anyone falls for the test, walk them through the guidelines again so they aren’t fooled next time
Cyber Security: Passwords
Here’s the scene: your newly remote employee has installed five new applications on their computer, and every one of them requires a password. Overwhelmed, and having to reset a password every time they open one of the new tools, they decide to make all their passwords the same so they never forget. (You can see where this is going, right?)
Weak and reused passwords are a HUGE way that cyberattacks succeed! If a password is easy to guess, or worse, if one stolen password lets an attacker into every part of your business, you’re asking for trouble.
Employees will need to be reminded…
- Password1! is not going to keep them or the company safe
- Every password needs to be unique to the account it protects and long and random enough to resist guessing and cracking
- Change a password promptly whenever it may have been exposed (current NIST guidance no longer calls for routine rotation on a fixed schedule), and never write passwords down in emails or chat messages
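The three reminders above translate directly into checks a security team can run. The script below is an added example for this page, not code from the original article or from Digitec/Apti. It assumes a hypothetical policy minimum of 12 characters, a hypothetical employer named ExampleCorp, and a small constructed denylist standing in for a real breached-password list; the credentials it audits are made up. It flags short passwords, passwords that are a common word dressed up with symbol swaps and a trailing “1!”, passwords containing the company name, and the same password reused across accounts.

```python
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12                              # assumed policy minimum for this example
COMPANY_TERMS = {"examplecorp", "example"}   # hypothetical employer name

# Small constructed denylist standing in for a breached-password corpus.
COMMON_STEMS = {"password", "password1", "welcome", "letmein",
                "qwerty", "summer", "winter", "admin"}

# Undo the usual character swaps so "P@ssw0rd" is judged as "password".
LEET = str.maketrans("@$03", "asoe")


def normalize(password):
    """Lowercase, undo common symbol substitutions; return (full, stem without trailing digits/symbols)."""
    full = password.lower().translate(LEET)
    stem = re.sub(r"[^a-z]+$", "", full)
    return full, stem


def weaknesses(password):
    """Per-password checks: too short, known-common pattern, contains the employer's name."""
    problems = []
    full, stem = normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if full in COMMON_STEMS or stem in COMMON_STEMS:
        problems.append("common/guessable pattern")
    if any(term in full for term in COMPANY_TERMS):
        problems.append("contains the company name")
    return problems


def audit(credentials):
    """credentials: {account_name: password}. Returns {account: [issues]} for accounts with issues.

    Reuse is detected by comparing SHA-256 digests, so the report never needs the plaintext again.
    (Demonstration only: in practice take reuse reports from the password manager rather than
    collecting plaintext passwords.)
    """
    issues = defaultdict(list)
    accounts_by_digest = defaultdict(list)
    for account, password in credentials.items():
        issues[account].extend(weaknesses(password))
        accounts_by_digest[hashlib.sha256(password.encode()).hexdigest()].append(account)
    for accounts in accounts_by_digest.values():
        if len(accounts) > 1:
            for account in accounts:
                issues[account].append("reused across: " + ", ".join(sorted(accounts)))
    return {account: found for account, found in issues.items() if found}


# Constructed sample, not real credentials.
SAMPLE_CREDENTIALS = {
    "vpn": "Password1!",
    "crm": "Password1!",
    "payroll": "Ex@mpleCorp2024",
    "wiki": "correct-horse-battery-staple-42",
}

if __name__ == "__main__":
    for account, found in audit(SAMPLE_CREDENTIALS).items():
        print(f"{account}: {'; '.join(found)}")
```

The point of the normalization step is that “Password1!” and “P@ssw0rd!” satisfy most complexity rules (upper, lower, digit, symbol) yet collapse to the same dictionary word; length and uniqueness are what the checks reward, which is why the long passphrase on the wiki account passes without a finding.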
Some ways training can help…
- Provide concrete tips on strong passwords (length matters more than symbol rules; a passphrase of several random words is both strong and memorable)
- Encourage, or better yet pay for, a password manager so employees don’t have to juggle dozens of passwords in their heads
- Put a process in place to confirm that shared applications are not accessed with a single password passed around between employees
Cyber Security: ‘Drive-By’ Download Attacks
Here’s the scene: your coworker gets a notice from a website they don’t remember subscribing to. They scroll down and click the “unsubscribe” button at the bottom of the message. That click takes them to a page that silently downloads unwanted or outright malicious software, which can then steal personal information or spy on the user.
The same thing can happen just by clicking a pop-up ad, opening an email attachment or visiting a sketchy website.
Employees need to know…
- The risks, and how to avoid disreputable sites and downloads they don’t want on their computer
- What to do, and how to contact IT immediately, if they think they have clicked something suspicious
- How to keep their computers protected (patched software, a current browser and up-to-date security software)
Some ways training can help…
- Make sure employees install updates promptly and keep their operating system, browser and plug-ins up to date, since drive-by downloads mostly exploit known, unpatched vulnerabilities
- Encourage a strong relationship between employees and the IT team, so no one is embarrassed to raise an alert or ask when something seems wrong
- Remind employees regularly to be careful about what they download onto company machines
Even with the best-laid plans there is still a risk that you will face a cyber-attack, so do your best to prevent one before it starts. Put these tips in motion as soon as possible for the best chance at protection.
Would you like a consistent cyber security training program in place at your company? Contact Digitec (now Apti) to find out more about our NetDefense Pro subscription.