Every organization has its list of must-have conversations with employees. Some are more difficult or necessary than others. Some are a bit more lighthearted and easy-going, but still important.
Perhaps one of the most important discussions executives can have with members of their teams is the one about cybersecurity. Kaspersky Lab recently found that employee carelessness accounted for 46% of data breaches in 2017. This means that nearly half of last year’s cyberattacks could have been avoided with more employee training and security awareness.
By having “the talk” with employees, making them aware of the risks facing the organization, defining policies and procedures for thwarting an attempted attack, and emphasizing everyone’s role in the company’s security posture can make all the difference in avoiding a data breach.
Insiders are the biggest risk
Just as a sports team is only as strong as its weakest player, a network is only as strong as its weakest link. Careless and uninformed staff members are one of the most likely causes of a serious security breach. Think about that for a moment: “careless and uninformed employees.” The biggest threat to your company’s network and resources is your own team’s lack of awareness.
While disgruntled employees working against a company can account for a percentage of information system breaches, more often than not, a breach results from an employee doing something they assumed was correct and acceptable. From clicking on seemingly innocent email links to falling for a social engineering scam, employees usually have no intention of doing harm, despite the potential outcome – which is exactly why explicit training and ongoing education are so vital.
How to have “the talk”
It is crucial that your employees hear you loud and clear, and that they understand the importance of cybersecurity and how their daily actions can affect the company’s safety. Here are a few tips on how to make the most of this conversation:
Keep training, tests and educational materials upbeat and lighthearted.
There’s no need to use scare tactics. In fact, doing so could backfire and keep your employees from reporting a breach out of fear. Share training videos or comics about the dangers of cybersecurity that are non-threatening, easy to understand, and on-message.
Constantly reinforce and retrain employees.
Telling your employees to be vigilant and watch out for cyberattacks only once, usually during onboarding training, won’t do the trick. People need to be consistently reminded about what to look for and how to report suspicious activity. They should also be put through test runs in order to truly grasp the importance of cybersecurity and how easily one can be tricked. A great way to do this is by sending out practice phishing emails to employees to gauge how many open/click links, report the phishing email to IT, etc. These types of drills can not only keep your team aware of potential threats, but alert you to your weakest links and where additional training is needed.
Muhammad Ali once said, “It’s the repetition of affirmations that leads to belief. And once that belief becomes a deep conviction, things begin to happen.” Constantly reminding your employees about the dangers facing them, the potential outcomes, and the role each one of them plays in ensuring that the company doesn’t fall victim to an attack will help transform behaviors into rock-solid protocols.
Educate employees about a variety of attack types.
Phishing emails aren’t the only type of attack targeting employees although email is often used as a delivery mechanism for other types of attacks. Malware, ransomware, business email compromise (BEC), social engineering scams, Internet pop-ups, IoT, and poorly secured devices are just a few others that can wreak havoc on a company – and the bad guys continue to grow more clever and devious every day. That’s why, in addition to “the talk,” it’s important to send out messages regarding new threats, keep an updated list of attack types in employee handbooks and on posters where employees can see them regularly, host regular meetings to keep employees informed and teach them what to look for and how to navigate these situations, and include mentions of cyber security in normally scheduled meetings.
A few questions employees can ask themselves to identify different attacks include:
- Does the LinkedIn request from the CEO of a competing company look a little too suspicious? It’s probably a social engineering scam.
- Does the domain name on an email that appears to be from a colleague not match up exactly? This looks like a BEC scam.
- Was I expecting an email, especially one with an attachment, from this person? This might be a phishing email.
- Can I trust the source of this thumb drive? A random device can contain malware.
This is the moment you’ve waited for! An employee suspects suspicious activity and reports it to you. But it turns out to be a false positive – the email was legitimate. That’s okay! Remind the team member that they did the right thing and make sure everyone else knows it, too.
This also applies when it’s the real deal. Even if they’ve already opened a malicious attachment, it’s important to let them know they followed protocol correctly and that they aren’t in trouble. Again, this will ensure that others know they can confidently and safely report potential issues instead of hiding possible errors in judgement.
Education starts from the top
Probably one of the more important things to remember when implementing a culture of security is that tone begins at the top. If employees see that managers, executives, or even board members aren’t concerned about the cybersecurity of the company, why should they care?
Aside from sharing information, providing training, and conducting tests for your employees, one of the biggest ways to show your commitment to cybersecurity from an executive standpoint is by being prepared. Management and HR need to have a plan in place for employees to follow when (not if) something happens.
The business continuity/disaster recovery plan should be easily accessible and straightforward enough for non-technical employees to understand and follow. It should outline exactly what to do from a user perspective, how to respond, and who to report to. As security and IT professionals, it’s easy to forget that most other employees are not in the nitty-gritty world of cyber every day and may not know what to do next. That’s why it’s also imperative to reinforce the importance of reporting all potential incidents and making it simple to do. With just one individual reporting, those of us who do see the down-and-dirty every day can assess the situation, determine scope and execute a plan to mitigate any damage.
There are plenty of threat actors out there looking for ways to bring your company down or make a quick buck off your company’s pain. You can implement countless layers of security, partner with the best providers, and still fall victim to a cyberattack due to careless and uninformed employees. Make sure your security posture isn’t compromised by a lack of preparedness. Have “The Talk.”