Human error continues to be the leading cause of data breaches. Even after attending mandatory cybersecurity training, more than half of employees still click on spoofed links, open phishing emails and fail to practice good cybersecurity judgment.
In almost every case employees don’t intend to let cybercriminals in. After all, we are human and we make mistakes. Cyber attackers are experienced in a variety of techniques for fooling us into allowing malware to be installed and letting them steal our data.
Annual training for employees simply isn’t enough. Continuous training, testing and reminders are required to make employees more cyber aware.
Following are a few basic suggestions to help:
1. Communicate the dangers of email.
Teach employees not to open unexpected attachments or click on embedded links in emails that don’t seem quite right. No reply should be sent to any email requesting sensitive information. Calling the sender to verify authenticity is always best practice. Spear phishing is the most effective form of phishing: hackers use social media to customize emails so that the sender appears to know the recipient. These can be a hoax.
2. Communicate the existence of a cybersecurity team and ensure employees know who to call with questions or concerns regarding information security.
It seems simple but if employees don’t know who to call, they won’t call anyone.
3. Communicate with employees about leaving found hardware alone.
It is not uncommon for malware to be loaded onto disks or flash drives that are then left for employees to find. Human nature is to be curious; people often pick these items up and plug them in to see what they contain. If the disk or flash drive contains malware, it is then installed. Several well-known attacks have occurred this way. Disable the use of these drives if possible.
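One way to put the last suggestion into practice on Windows endpoints, as an added example that is not part of the original post or CBE’s own tooling: the script below reports whether removable storage is already denied and, if run with administrator rights, applies the standard “All Removable Storage classes: Deny all access” policy through its registry equivalent. It assumes Windows 10/11, an elevated PowerShell session, and that domain-joined machines would normally receive the same setting via Group Policy rather than a local script.

```powershell
# Added example (not from the CBE post): check and optionally enforce the
# Windows "deny all removable storage" policy on a single endpoint.
# Assumes Windows 10/11 and an elevated (administrator) PowerShell session.

# Registry equivalent of Computer Configuration > Administrative Templates >
# System > Removable Storage Access > "All Removable Storage classes: Deny all access"
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# USB mass-storage driver service; Start = 4 means the driver is disabled
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageStatus {
    # Read both settings without throwing if the policy key does not exist yet
    $denyAll  = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbStart = (Get-ItemProperty -Path $UsbStorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        PolicyDenyAll         = ($denyAll -eq 1)
        UsbStorDriverDisabled = ($usbStart -eq 4)   # 4 = SERVICE_DISABLED
        # Either control on its own blocks casual "plug it in and see" behavior
        RemovableStorageBlocked = (($denyAll -eq 1) -or ($usbStart -eq 4))
    }
}

function Set-RemovableStorageDenied {
    # Create the policy key if this machine has never had the setting applied
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Deny_All = 1 denies read and write access to every removable storage class
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    # Refresh policy so the change applies without waiting for the next cycle
    gpupdate /force | Out-Null
}

# Report current state; call Set-RemovableStorageDenied to enforce the block
Get-RemovableStorageStatus
```

Run the script once to see whether the control is in place, and have an exception process ready (for example, approved encrypted drives for specific roles) before enforcing it fleet-wide, since a blanket block that employees cannot work around tends to get silently undone.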
4. Repeat and remind (repeat and remind).
Repeated communications with reminders about desired behavior will ultimately change those behaviors and allow good practices to take hold. One study reported that after only three phishing exercises, clicks on phishing emails decreased from 54% to 30%.
Cybersecurity training needs to be constantly changed, refined and communicated in order to be effective. Cybercriminals work overtime to build and refine malware to trick us, so we need to remain equally vigilant in our efforts to fight back.
This blog was authored by CBE’s Security Team.