Every now and again, a story will hit the headlines about a company that has been the victim of a cyber security breach, and a little piece of us thinks “how could they be so careless?” However, as this article shows, when it comes to cybercrime, no company is truly immune to the problem, with heavy hitters including Target, Yahoo, and the Marriott hotel chain falling prey to these attacks (and that’s despite the presence of big-time internal security setups).
The key here is training your employees to be aware of the threats, to know how to thwart them, and to truly understand how to stop them. Below, we outline the key considerations for a comprehensive cyber security training program.
Raising awareness:
Before you can even train your employees in cyber security, you must first make them aware that there is a problem at all. Despite threats being fairly commonplace, surveys suggest that employees are blissfully unaware of how these breaches occur and of their very important role in preventing them. With this in mind, it’s imperative that you teach workers that there is risk with every device they use and with every file, download, and email they open. However, you should also teach them that these breaches are almost always preventable with a little training and a hefty dose of common sense!
Start at the beginning…:
In order to be most effective, cyber security teaching should be a component of any onboarding program. At the start of their job, employees need to know what types of data within your company are protected, what information should never be shared, and most importantly, who to contact should they suspect a threat. At this time, you should let them know that they are responsible for the respect and protection of company data and this should be a component of the contract that they sign when they endorse their new employee handbook.
…But keep the momentum going:
If you’ve spent any time in the IT arena, you know that technology advances at the speed of light and cyber criminals are constantly thinking of new and innovative ways to dupe employees into giving up critical information. You’ll want to make cyber security training a regularly occurring event on the company calendar. In doing so, you can keep cyber security a front-of-mind topic, allow employees to brush up on their skills on a regular basis, reinforce company policies, and provide important updates on the latest and greatest scams facing business owners.
Phishing prevention:
One of the biggest and most dangerous scams for business owners is phishing. Teach employees what falsified emails look like, where they might come from (such as an email address that is similar to one you are familiar with, save for a few different letters or digits), and what kind of information the scammers typically try to procure. In general, a phishing email will ask employees to hand over usernames, passwords, personal information, or financial data components that would allow scammers to assume the employee’s identity and cause havoc.
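The “familiar address with a few letters or digits changed” pattern above can be checked mechanically as well as taught, and a check like this is a useful companion to training because it gives a help desk or mail-filtering team a consistent way to triage reports. The following is an added example, not code from the original article or from Abel: it normalizes common character swaps (0 for o, 1 for l, rn for m) and then measures how close a sender’s domain is to a list of trusted domains. The trusted domains and the sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that look like a trusted domain.

Added example: a small check for the lookalike-sender pattern described
above. The trusted domains and sample addresses are constructed.
"""
from email.utils import parseaddr

# Constructed list of the organization's own mail domains.
TRUSTED_DOMAINS = {"example-corp.com", "example-corp.co.uk"}

# Single characters often swapped for visually similar ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain):
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower().translate(HOMOGLYPHS)
    # Multi-character swaps that the translate table cannot express.
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,          # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(addr):
    """Extract the domain part of a From header value, or '' if malformed."""
    _, email = parseaddr(addr)
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower()


def classify(addr, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return 'trusted', 'lookalike:<which>', 'unknown' or 'invalid'."""
    dom = sender_domain(addr)
    if not dom:
        return "invalid"
    # Exact trusted domain, or a genuine subdomain of one (mail.example-corp.com).
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(dom)
    for t in sorted(trusted):
        nt = normalize(t)
        # Trusted name embedded as a label: example-corp.com.evil.net
        if ("." + nt + ".") in ("." + norm + "."):
            return "lookalike:" + t
        # A few characters off: example-corp.co, exampel-corp.com, ...
        # max_distance is tuned for domains this long; shorter trusted
        # names would need a smaller threshold to avoid false positives.
        if levenshtein(norm, nt) <= max_distance:
            return "lookalike:" + t
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers, as reported by employees.
    samples = [
        "hr@example-corp.com",
        "it@mail.example-corp.com",
        '"Payroll" <hr@examp1e-c0rp.com>',
        "ceo@exarnple-corp.com",
        "ceo@example-corp.co",
        "ceo@example-corp.com.evil.net",
        "someone@gmail.com",
        "not an address",
    ]
    for s in samples:
        print(f"{s:40} -> {classify(s)}")
```

The lookalike verdict is a triage hint, not proof: a sender on an unrelated domain can still be a phish, and a matched trusted domain says nothing about whether the message was actually sent by that domain (that is what SPF, DKIM and DMARC checks on the receiving mail server are for). The point of the check is to turn “it looked a bit off” into something an employee can report and a reviewer can confirm in seconds.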
Downloading don’ts:
A second big source of cybercrime comes in the form of downloads of malicious software. According to the pros, there are two main sources of bad software: Malware, which is any computer virus or other software that damages the functionality of a device, and the newer ransomware, which takes over the company’s website or other platforms and then extorts money to give you back what was already yours. To protect your employees and company, make employees aware that they are not allowed to install unauthorized software or even perceived software updates on any company device.
Password protection:
Train your employees not only on how to select a strong password from the beginning (one that is not generic or easily guessed), but also set up a system whereby employees have to periodically update their passwords for added privacy. Remind them that passwords shouldn’t be written down (and especially not put on a post-it on their computer screen!) and shouldn’t be shared with others.
Policies and procedures:
As always, it all boils down to having good policies and procedures in place regarding employee use of email, the internet, and even various social media platforms. Specifically, your policy should outline what types of links employees are allowed to click on; what types of data can be shared, with whom, and under what circumstances; and what types of internet browsing and social media are allowed on company devices and using company email.
Reporting requirements:
As part of a comprehensive training program, employees should be taught not only what a cyber security risk looks like, but also how to respond to such a threat. During training sessions, make it clear that employees should report all pop-ups warning about malware or new software updates, and even cases where their device is running slower or things “just feel different” (such as the appearance of new icons or operating systems). In these cases, they should know who to contact – be it internally or externally – for further investigation, and only proceed with updates or data sharing once they have gotten confirmation from the chain of command, preferably through face-to-face verification!
Feel overwhelmed just thinking about this topic? You don’t need to be – we at Abel can help you to develop a comprehensive training program for your employees, as well as help you think through areas of your organization where security may need to be beefed up to keep you safe from cyber harm.