IBM reported that human error is the main cause of 95% of cybersecurity breaches. With the rise of working from home decreasing companies’ visibility across the full IT infrastructure and decreasing the ability to enforce proper cybersecurity training means this number has the potential to grow.
Accompanying the uncertain new work environment is the development of modern, and more intellectual cyberattacks, that traditional user awareness training may not cover, or may not be able to train employees how to effectively identify and report.
Why should you train your employees on cybersecurity awareness?
Well… the answer to why you should train your employees on cybersecurity awareness is one we’ve already mentioned… 95% of cybersecurity breaches come from human error.
You may be thinking, ‘my company’s fine… we use tools such as Sentinel One and Mimecast that keep the business safe’. Whilst these tools are highly effective there is still an element of human error that can ensure cybercriminals can bypass any form of cybersecurity that your organisation has in place.
Human error regarding cybersecurity covers much more than just downloading a dodgy file from the internet, it encompasses a range of actions and non-actions such as using weak passwords across multiple tools and sharing sensitive data through an unencrypted messaging service. The nature of these issues makes it difficult to monitor and improve on, as it all comes down to a choice made by your employee.
Key topics to include in your cybersecurity training
Poor password hygiene is like handing the key to your company’s IT infrastructure over to a cybercriminal. Poor password hygiene includes using a weak and easily guessable password, using the same password across multiple devices and tools, keeping the same passwords for extended periods, not using multifactor authentication, and storing passwords in an unsecured location.
If a bad actor gained access to an employee’s email account using a weak password, and the employee does not have multi-factor authentication set up across other tools, then the bad actor can reset passwords to other tools, granting them access to other companies data and information.
Furthermore, if a device is lost or stolen and is not password protected, then a bad actor will have access to all information stored on that device, and once again, may be able to gain access to corporate email accounts as well as company data and information.
Keeping your devices up to date with software updates is imperative to ensure any bugs have been removed, and any vulnerabilities in the security have been repaired.
Hackers can utilise ‘security holes’ by creating code that exploits the specific vulnerabilities using malware. This type of malware can infect your device without any action from the user and can simply be triggered by visiting an insecure website or opening a compromised message.
If your device is infected, it may not just be you that is a victim. Your device could pass the virus onto friends, family and colleagues through emails, files transfers and can even infect the companies’ network.
Identify suspicious emails, links, and webpages
Training your employees on how to confidently check and identify if emails, links, or insecure webpages, or potentially have malicious content attached, will help them confidently navigate through the cyber landscape, and be able to make decisions based on training and knowledge that will help prevent and reduce risk of cyber breaches and attacks.
Phishing and Social Engineering Awareness
Social engineering is the use of deception to manipulate individuals into sharing confidential or sensitive data that can then be used for fraudulent purposes. It was reported that 66% of cyberattacks use some form of social engineering.
Social engineering includes phishing, smishing, vishing, baiting, whaling, spearfishing, and tailgating. Check out our related blogs at the bottom of the page to learn more about social engineering and phishing. It has been reported that 90% of cybersecurity breaches come from some form of a phishing attack. Phishing attacks are a form of fraudulent behaviour, where, a bad actor impersonates a known sender, or legitimate brand to gather personal information, data, or login information.
Phishing is becoming dangerous for multiple reasons. First and foremost, no security software can block 100% of attacks, phishing attacks, specifically regarding email. Phishing attacks are evolving and becoming more sophisticated which means more malicious emails are slipping through cyber defences. Furthermore, email addresses can be ‘spoofed’ which means the email can appear to be coming from a trusted source but is not.
This can be done in two ways; first, the bad actor can change the display name, so it appears as if you’re receiving an email from email@example.com however when you hover over the ‘from’ address, it will reveal a random and unrelated email address such as firstname.lastname@example.org.
Secondly, bad actors can set up an email address that is almost identical to the legitimate email address. For example, email@example.com.
Secure remote working
Due to the covid-19 pandemic, more people than ever are working from home, or hybrid working. Furthermore, due to the unplanned nature, very few proper IT security practices have been put into place, therefore possibly exposing more ‘security holes’ than usual.
Employees using their personal devices to access company data, employees using company devices to access unauthorised and unsecured website sites and connecting to public networks are all ways employees could be opening the business up to possible cyber breaches and attacks.
Compliance training ensures that all staff are up to date, and knowledgeable about company policies, rules, regulations, and legal requirements that will affect their everyday role. Not being compliant with the industry standards can result in fines, damage to your company’s reputation, loss of customers, possible legal consequences, as well as an increase of risk of possible cyberattacks.
How to train your employees on cybersecurity
First and foremost, businesses must start prioritising cybersecurity training for all employees. Including comprehensive training during the employee’s onboarding process will mean that all staff have a standardised basic knowledge of how to navigate the cyber landscape confidently and securely. As a company could be on-boarding multiple people throughout the year, it is best to use online training for this type of circumstance.
In addition to onboarding online training, businesses could also host regular workshops that update employees on new cybersecurity software’s, practices, and compliance regulations, as well as any new/advanced threats that are currently circulating at the time of the workshop.
Phishing simulations are a great and particle way of testing your employees to see whether they would be able to effectively identify a phishing email, and how to deal with it appropriately once they had received it. From these results, the business can focus on whether specific people or event whole departments need further cybersecurity training.
Cybersecurity training should be an ongoing process to help keep employees up to date with the latest information and trends. Whether is a monthly newsletter, or regular posts on an internal forum, keeping cybersecurity on the front of your employees’ minds will help strengthen the company’s first line of defence against cybercriminals.
AZTech IT’s user awareness training
AZTech IT's User Awareness Training helps educate your users on cyber threats, suspicious activity, and how to stay safe online. With 90% of security breaches occurring due to human error, user awareness training is key in keeping your organisation protected against cybercrime.
According to ID Agent, 92.4% of malware is delivered via email. Phishing attacks are becoming more sophisticated and highly targeted, making them harder to detect. If your users don't know the warning signs, they won't know they're being tricked into handing over private business data - but we can help.
- IT Security audit checklist for small and medium businesses
- Cyberattacks during the pandemic: How to protect your data
- How to prevent cyber attacks on your business
- How to protect your digital assets from cybersecurity threats
- Phishing frequently asked questions
- Four types of security audit your business should conduct