Submitted by: Martin Straub
Hopefully your network administrator or external IT company hasn’t told you “they’ve got you covered” when you’ve asked about the security of your network. Nowadays, there is no such thing as a completely secure network. Cyber criminals know that the weakness in any system is the people, and thus most cyber threats and attacks prey on social engineering and human behavior.
If you’ve recently filled out a cybersecurity insurance application, you may have noticed a question about cybersecurity awareness training. Or, better yet, your insurance company may have provided links and free resources that included self-directed cybersecurity awareness training. Why? Insurance is a risk-mitigation business, and insurance companies have quickly learned that one of the best defenses against threats is educated, cyber-aware end users.
Cyberbreach statistics indicate that most malware and cybercrime originate at users’ PCs and other devices – by following links or replying to phishing emails, opening a virus-laden file, transmitting sensitive data without encryption, or interacting with a malicious website. The best defense against socially engineered phishing and malware is awareness – understanding how cyber criminals work, how they target end users and actions users can take to ensure they are practicing “safe computing hygiene.”
There are several factors that contribute to the value of conducting at least annual cybersecurity awareness training. First off, criminals are continually modifying their tactics; even savvy users may no longer be able to easily distinguish a legitimate email from a spear phishing email. (If you are reading this and questioning the definition of spear phishing email, that’s a perfect example of why awareness training is so important.) Another factor is employee turnover. There is no way to know how “cyber aware” new employees are. In addition, inexperienced employees likely won’t be familiar enough with the company’s culture and communication style initially to easily tell legitimate emails from spoofed ones. The new administrative person eager to please their boss may be tempted to follow the instructions they received in email and purchase ten $50 gift cards as employee recognition gifts!
Finally, annual cybersecurity awareness training also provides organizations with an opportunity to remind employees about other organizational IT policies, such as expectations regarding posting to social media, internet browsing during work hours, use of company PCs for personal business, mobile device policies, etc.
Finding awareness training that is a good fit for your business isn’t necessarily easy. Although the number of options has multiplied, many of the available resources don’t reflect current threats or are too generic to be relevant. The better tools aren’t as easy to deploy as you might think. For instance, phishing awareness campaigns can be an effective tool to educate users (by sending sample phishing emails, then alerting them to the dangers if they attempt to access a malicious link) but require configuration of your email server to ensure phishing emails (ironically) are delivered to their intended recipients and not blocked. Similarly, because the most sophisticated spear phishing campaigns are targeted by industry, education tools often need to be customized to best match the risks for your business.
Typically, the very best training is delivered by an IT provider or security expert who is familiar with the risks and controls in place at your organization. Effective training is also complemented by a culture that continuously reinforces awareness by discussing risks and sending occasional examples to all employees. Contact your IT provider for guidance on cybersecurity awareness options that are most appropriate for your organization. If you’d like additional information, we’re here to help. Contact SimplePowerIT at (509) 433-7606 for a free initial consultation.
About the author: Martin Straub has more than 20 years of experience developing, building, and maintaining frustration-free technology solutions. He founded SimplePowerIT in 2013 to focus exclusively on delivering frustration-free technology solutions to NCW businesses and nonprofits.