Even with the best firewalls, malware scanners, encryption, system backups, password protection, and other security measures in place, there’s one element of every company’s cybersecurity strategy that can make or break everything: your employees.
In order to have the absolute best defense against cyberattacks for your company, you need to pay attention to what your employees are doing. Below, we’ll go over the specific impacts your employees have on your business’s cybersecurity overall. We’ll also hear from some experts in the tech industry about the best ways to educate your workers in cybersecurity strategies.
What roles do employees play in terms of protecting a business from cyberattacks?
“Employees play a pivotal role in protecting a company from cybersecurity attacks,” says Ilan Sredni, of Palindrome Consulting, Inc. “A company is only as protected as its least educated employee.”
That’s because “employees are the number one reason for security breaches” in the first place, says Anthony Buonaspina, CEO and Founder of LI Tech Advisors. Philipp Baumann, President of BoomTech, agrees: “You and your employees are the number 1 threat to your company’s security. While 97% of breaches could be stopped with today’s technology, it’s your employees that click on a link or visit a seemingly legitimate website that bypasses your security measures.”
What Philipp is primarily talking about is phishing scams — the top cause of security breaches in the nation.
What are phishing scams?
Generally, a phishing scam involves an email sent to an employee, which claims to be from a legitimate sender — for example, the employee’s bank, a service site like PayPal or eBay, or even a friend or coworker. Within the email will be an “ask.” The ask might be to download a document, open a PDF, click on a link, or reply with personal information (like a login).
As Guy Baroan, President of Baroan Technologies, explains, “An employee is typically a target of phishing campaigns and [is] very easily tricked into providing their credentials. Once that happens, if the other protections are not in place, a company is vulnerable.”
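The paragraph above lists the ingredients of a phishing email: a sender that claims to be someone trusted, and an “ask” (a link, an attachment, or a request for credentials). As an added illustration that is not part of the original article, the Python script below runs those same indicators over two constructed sample messages and reports which ones fire. Everything in it is hypothetical: the BRAND_DOMAINS allowlist, the corp.example company domain, and the sample messages themselves are made up for the example, and the checks are review heuristics, not a verdict.

```python
"""Check constructed e-mail samples for common phishing indicators.

Heuristics only: they flag a message for human review; they do not prove
it is malicious. All domains, addresses and messages below are
constructed for illustration (assumed values, not real mail).
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: display-name brands the organisation expects mail
# from, mapped to the domains those senders legitimately use (hypothetical).
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "ebay": ("ebay.com",),
    "it support": ("corp.example",),  # our own hypothetical company domain
}
CREDENTIAL_WORDS = ("password", "login", "credentials", "verify your account")
URGENCY_WORDS = ("immediately", "within 24 hours", "will be suspended", "urgent")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".docm", ".xlsm", ".hta")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _matches(host: str, allowed: tuple) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def _text_parts(msg: Message):
    """Yield (content_type, decoded body) for each text part of the message."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                yield ctype, payload.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw: str) -> list:
    """Return the names of the indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    found = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = _domain_of(address)

    # 1. Display name claims a brand that the From domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and not _matches(sender_domain, domains):
            found.append("display-name/domain mismatch")
            break

    # 2. Replies are routed to a different domain than the apparent sender.
    reply_domain = _domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        found.append("reply-to mismatch")

    text = msg.get("Subject", "").lower()
    for ctype, body in _text_parts(msg):
        text += body.lower()
        if ctype == "text/html":
            # 3. Visible link text shows one host while the href goes to another.
            for href, label in ANCHOR_RE.findall(body):
                label_host = urlparse(label.strip()).hostname if "://" in label else None
                if label_host and urlparse(href).hostname not in (None, label_host):
                    found.append("link text/href mismatch")
                    break

    # 4 and 5. The "ask": credentials, requested under time pressure.
    if any(w in text for w in CREDENTIAL_WORDS):
        found.append("credential request")
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgency language")

    # 6. Executable or macro-enabled attachment.
    names = [(p.get_filename() or "").lower() for p in msg.walk()
             if p.get_content_disposition() == "attachment"]
    if any(n.endswith(RISKY_EXTENSIONS) for n in names):
        found.append("risky attachment")
    return found


def needs_review(raw: str, threshold: int = 2) -> bool:
    """True when enough indicators fire that a human should look at the mail."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample: a brand-impersonating message with a link, an attachment
# and a credential request (every address here is made up).
PHISHING_SAMPLE = """\
From: "PayPal Support" <alerts@accounts-verify.example>
Reply-To: collect@mailbox-free.example
To: employee@corp.example
Subject: Action required: confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours unless you verify your password.</p>
<p><a href="http://login.accounts-verify.example/verify">https://www.paypal.com/signin</a></p>
--XX
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

MZ...
--XX--
"""

# Constructed sample: an ordinary internal notice from the company's own domain.
BENIGN_SAMPLE = """\
From: "IT Support" <helpdesk@corp.example>
To: employee@corp.example
Subject: Maintenance window on Saturday
Content-Type: text/plain; charset="utf-8"

The VPN gateway will be patched Saturday at 02:00. No action is needed.
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, needs_review(sample), phishing_indicators(sample))
```

The checks mirror what awareness training asks people to look at by hand: who the message really comes from, where a link really goes, and whether it asks for credentials under time pressure. A mail gateway or SOC playbook would use richer signals (SPF/DKIM results, URL reputation), but the same mismatch logic is the core of most “does this look right?” triage.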
How has the COVID-19 pandemic affected cyberattacks targeted at employees?
To make matters worse, phishing scams are more prevalent than ever because the COVID-19 pandemic has caused millions of employees to start working from home.
Hackers know this and are taking advantage. As Philipp Baumann explains, “Today, the hackers are stepping up their game pursuing employees in their home offices where they are off guard … We’re seeing everything from hackers pretending to be their employers’ IT resource [team], to sending emails that appear to be from their spam filter and asking them to review suspect emails.”
Anthony Buonaspina concurs: “Company policies now need to be extended to include employees’ home network.” In other words, with so many workers at home, hackers are looking for new weak spots and targeting the loosened cybersecurity measures that are now the norm for remote employees. Buonaspina notes that, “With so many employees working from home … companies [aren’t] doing enough to protect consumer data especially since the impact of the COVID-19 shutdown and [the] resulting remote work environments. Companies are forgetting that [personal] PCs are now soft targets for hackers and bad actors.”
In fact, says Buonaspina, “The United Nations disarmament chief has stated that cybercrime is on the rise with a 600% increase in malicious emails during this crisis.”
Why is adequate employee training so important?
The best way to combat cybersecurity attacks that target employees is to train your employees well.
Guy Baroan explains: “The more vigilant an employee is about providing their credentials and being on the lookout for things that don’t look normal, the stronger the security will be at a company that has good cybersecurity protections in place.”
Here are some tips for providing optimal employee training to your workforce:
1. Look into cybersecurity training through your MSP and/or your insurance company.
The good news about training your employees in security awareness is that you, as head of your company, don’t have to be responsible for it. Instead, you have quite a number of options. First, certain insurance companies now offer employee cyber awareness training in order to mitigate security breach occurrences. You can also consult with your managed services provider or your in-house technology department for more information on education and training opportunities.
2. Remember: Employee training is not a one-off.
Says Anthony Buonaspina of LI Tech Advisors, “Ongoing training is very important to maintain a heightened level of awareness of cyber threats.” Threats and risk factors are always changing, so it’s important to keep cybersecurity at the forefront of your employees’ minds.
3. Test employees to make sure the lessons have sunk in.
Here’s another recommendation from Anthony Buonaspina: “Purchase a cybersecurity training service that will automatically send out fake phishing attempts to test your employees and train them if they fail.” There don’t have to be severe penalties for missing a malicious email, but knowing about any errors should teach employees the seriousness of cybersecurity training, in addition to what to look for in the future.
4. Don’t exclude yourself or upper management from training.
Everyone at your company needs to have awareness training. As Nick Allo of SemTech IT Solutions puts it: “If [cybersecurity training] is not followed as part of company culture, then more incidents will arise from that over other risks. I see owners or other staff are exempt from the stricter policies and this puts the company at risk.”
Employee Cybersecurity Training: Where to Start
Unfortunately, as Ian Hansen of Philantech3 puts it, “Since the weakest link in any business is still the human element — regardless of even state of the art security technologies that may be in place … employee vigilance must be first and foremost.”
To get started training your team on optimal cybersecurity measures, including what to be aware of and how to spot suspect communication, speak to your managed services provider. An experienced, full-service MSP will have a training system in place to make your employees adequately prepared to fend off hackers.