Hackers will go out of their way to infiltrate small businesses. Studies have shown that 60% of hackers will dump thumb drives loaded with malicious code in employee parking lots in the hope that someone will pick one up and plug it into their computer. Pretty crazy, right?
Employee Cyber Security Training
To counter the methods a bad actor might use to break into your technology, it is essential to train your employees on cyber security threats, company security policies, and each staff member’s role in keeping your business safe from cyber threats. You’re not simply relaying the latest cybersecurity trend; you’re also communicating the tactics hackers might use in the future and what your company plans to do to prevent a successful cyber attack.
Unfortunately, many businesses don’t know where to begin developing a cybersecurity training program or what areas to prioritize. Each company needs to make a training program that fits its needs, which can make the process confusing, time-consuming, and overwhelming.
Let’s get your employees up to speed on the basics of security awareness, with guidance on a clear employee security policy and how it relates to the work processes in your business. If you already have a cybersecurity awareness training course, we've included more advanced topics below. We’ll be covering the following:
- Phishing and social engineering
- Passwords and network access
- Device security
- Physical security
Phishing and Social Engineering
Social engineering is a type of attack that deceives a user into divulging business information of any kind. Phishing, an attempt to get sensitive information like passwords and credit cards from someone through email, phone calls, or chat, is a common social engineering tactic.
Phishing and other social engineering attacks tend to be successful because they appear to come from a credible source, deceiving you into thinking it’s a contact you can trust. Tell-tale signs of a phishing attempt include typos, links containing a string of random numbers and letters, an odd sense of urgency, or the contact requesting information in a way that triggers mental alarm bells.
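To make those tell-tale signs concrete, here is a small heuristic triage routine that flags the urgency language, requests for sensitive details, and random-looking links described above. This is an added example for training purposes, not CoreTech's tooling; the phrase lists, the 30% alternation threshold, and the sample messages are constructed assumptions.

```python
"""Heuristic triage of an email for the phishing signs listed in the post.

Added illustration (not CoreTech's code). Phrase lists and thresholds are
constructed assumptions; it is a training aid for the 'does this feel
right?' check, not a production mail filter.
"""
import re

# Constructed phrase lists: urgency language and requests for sensitive data.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "urgent", "verify now", "act now")
SENSITIVE_REQUESTS = ("password", "credit card", "social security", "wire transfer")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def looks_random(path):
    """True when the URL path carries a long token of interleaved letters and digits.

    A word like 'annualreport2023' switches between letters and digits once;
    a generated token such as 'a8f3k2j9x7q1m4' switches at almost every character.
    """
    for token in re.findall(r"[A-Za-z0-9]{10,}", path):
        classes = ["d" if ch.isdigit() else "l" for ch in token]
        changes = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
        if "d" in classes and "l" in classes and changes / (len(token) - 1) >= 0.3:
            return True
    return False


def phishing_signs(subject, body):
    """Return the warning signs found; any hit means 'report it, don't click'."""
    signs = []
    raw = subject + "\n" + body
    text = raw.lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        signs.append("urgency: " + ", ".join(hits))
    asks = [p for p in SENSITIVE_REQUESTS if p in text]
    if asks:
        signs.append("asks for sensitive information: " + ", ".join(asks))
    for url in URL_RE.findall(raw):
        # Everything after the host is the path: scheme, '', host, path.
        path = url.split("/", 3)[3] if url.count("/") >= 3 else ""
        if looks_random(path):
            signs.append("random-looking link: " + url)
    return signs
```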
How to Prevent Phishing and Social Engineering Scams
Communicate to your employees that they should never click on a link or attachment, or give out sensitive information, if something doesn't feel right. Employees should know exactly who to go to, and should promptly inform the right person or department if they believe they have received a malicious email. If one employee is being targeted, many others likely are, too. Alerting the right staff is critical to preventing a phishing scam from entering the network and spreading company-wide.
Unfortunately, accidents happen, and an employee could be fooled into clicking or giving out information to a bad actor. It’s still important to report the attack immediately, even after they’ve responded or clicked, to minimize further damage.
Passwords and Network Access
What kind of passwords are your employees creating? Are they short, or easy to remember and therefore easy to guess? Do their passwords involve information you could find on their social media profiles? If so, your employees could be at risk of a breach without knowing it. Employees should follow best practices for the passwords they create.
How To Create a Secure Password
In general, passwords should be unique to each application and information source, at least twelve characters long, contain capital letters and special characters, and avoid obvious information like names and birthdays. As covered in our recent password policy blog, your employees don’t need to reset their passwords every three months, only when they believe a data breach has occurred. Remember, if a password is easy for your staff to figure out, it will be just as easy for a hacker to guess.
To ensure your employees don’t recycle passwords, we recommend using a password manager for more secure and unique password creation. Furthermore, employees should never use business credentials, such as their work email and passwords, for personal websites and apps. If that website becomes compromised and they have recycled the password for business-related sites, that could lead to a breach.
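The rules above can be turned into a policy check that an onboarding script or self-service password page could run. This is an added example, not CoreTech's code: the rule set (12+ characters, capital and special characters, no name or birthday fragments, no reuse across applications) is the post's, while the `check_password` function, the user profile format, and the sample passwords are constructed assumptions.

```python
"""Password policy check implementing the rules stated in the post.

Added example (not CoreTech's code). The profile dict and the sample
passwords are constructed; a real deployment would take the profile from
the HR record and the reuse list from the password manager's vault.
"""
import hashlib
import re
import string

MIN_LENGTH = 12


def password_fingerprint(password):
    """SHA-256 hex digest used to compare against other passwords without storing them."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, profile, used_fingerprints):
    """Return a list of policy violations; an empty list means the password passes.

    profile           -- dict with 'name' and 'birthday' (YYYY-MM-DD), the
                         kind of detail an attacker reads off social media
    used_fingerprints -- set of fingerprints of passwords already used on
                         other applications (enforces 'unique per site')
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    lowered = password.lower()
    # Any part of the name (first, last, ...) counts as obvious information.
    for part in profile["name"].lower().split():
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains name fragment '{part}'")
    # Birthday in common spellings: 19900714, 07141990, 14071990, 0714, 1407.
    year, month, day = profile["birthday"].split("-")
    digits = re.sub(r"\D", "", password)
    for token in (year + month + day, month + day + year, day + month + year,
                  month + day, day + month):
        if token in digits:
            problems.append(f"contains birthday fragment '{token}'")
            break
    if password_fingerprint(password) in used_fingerprints:
        problems.append("already used for another application")
    return problems
```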
Are Public WiFi Networks Secure?
Employees should also be wary of network connections outside their workplace, such as when they decide to work at their favorite coffee shop. The public WiFi network they’re connecting to may be tapped or monitored by a malicious actor recording valuable information going in and out of the network. This puts all data exchanged on that network at risk.
Use a trusted WiFi connection, or secure the connection with an appropriately configured VPN, which encrypts data in transit while employees work. Employees should be mindful of the potential security ramifications of logging into company resources from their local coffee shop’s network.
Device Security
In an era of continuous interconnectivity, employees often use their personal devices in the workplace if your company does not provide them. Many employees may not realize that the security risks they face on their company laptops and desktops also apply to their phones and tablets.
Being mindful of the websites they’re browsing, the apps they’re installing, and the links they’re clicking on can keep their devices from becoming a vulnerability for hackers to exploit. Show employees where the security settings are located in their internet browsers so they can deny access to the computer’s camera or block pop-ups. Signs of a secure connection are a URL that starts with HTTPS (instead of HTTP) and a locked padlock icon in front of the URL.
Physical Device Security
Remember what we said earlier about hackers leaving USB drives in employee parking lots for a potential payday? Physical security also plays a role in keeping sensitive information protected. This includes employees locking their mobile and work devices when they’re not around. If someone swipes an unattended phone, or logs in to sensitive assets through a session that was left connected, your data could immediately be at risk.
Even if your employees are used to working from home, remind them that office security measures keep their data and the company’s data safe. Refresh them with tips such as:
- Locking all their devices every time they leave their desk
- Putting sensitive materials or documents in a locked cabinet instead of leaving them on their desk for easy access
- Discarding sensitive items safely and securely, rather than throwing documents into a general trash bin
As you walk your employees through the data security awareness training program, provide time for feedback and questions. We recommend bringing in your IT service provider to respond to any questions you don’t know the answer to and provide expertise on the cybersecurity landscape.
Advanced Cybersecurity Training Suggestions
If you already have an employee training program that covers these topics, way to go! Here are a couple of items you can also add to your cybersecurity curriculum to take it up a notch:
Malware is the mother of all cyber-evil: software designed to disrupt or damage a computer system by gaining unauthorized access. Company data usually becomes corrupted when an employee downloads malware, which may happen accidentally if the employee is not paying attention to the websites or ads they click on. Make sure employees only download authorized software used for business purposes.
If their computer does become infected, their desktop will show the following warning signs:
- Runs slower than usual
- Constantly crashes
- Displays error messages
- Shows irrelevant ad pop-ups
If their device displays these signs, they must immediately disconnect it from the network and report what happened to their manager and IT provider.
Assess Employee Knowledge
As easy as it may seem, more than a simple PowerPoint is needed to communicate the urgency of maintaining safe cyber habits. We’ve provided a list of ways you can keep your employees engaged throughout the training session:
- Provide a Jeopardy-style game or quiz at the end with a prize to incentivize participation, such as a gift card to a local coffee shop or Target
- Have employees guess whether an email is malicious or not by calling out the signs
- Break employees into smaller groups and provide questions for them to answer
- After the training, send out employee surveys so they can give feedback on how the session could be more comprehensive
Simulated Phishing Emails
At CoreTech, we also provide our clients with simulated phishing emails: harmless emails that check whether an employee will click on a link or download an attachment they’re not supposed to. Don’t worry; nothing will happen if they click or download, but they will be required to review phishing training videos as a refresher. If they report the email, that is a sign that your employees are staying alert and watching out for cyberattacks!
Need additional help with structuring your cybersecurity training?
Creating a cybersecurity training curriculum from scratch can be time-consuming and overwhelming. We provide cybersecurity resources through our blog, eBooks, webinars, and social media channels. Your small business can also partner with an expert, like CoreTech, who will keep your staff up to date on emerging cyber tactics and the threats they must be aware of. We’d love the chance to get to know your business and start protecting your team, your customers, and your data.