Data breaches have become remarkably prominent in the past couple of years. Recent reports by Risk Based Security show an increase of more than 50% in data breach incidents compared to the same period in 2018. This could be blamed on more sophisticated cyberattacks or even on the ‘Internet of Things’, as we are now all so connected within a huge web of networks that we are more exposed to cyberattacks. But still, the data suggests that the number one contributor to the rising number of data breach incidents is, of course, human error.
We humans are still the weakest link when it comes to cybersecurity (sorry, I know this may be hard to admit; we’re just humans with human emotions). In many cases, the cause of a cyber breach is something as simple as someone in an organisation unknowingly engaging with a suspicious email. If the malicious email isn’t recognised as a threat and the recipient interacts with it, this gives cybercriminals an opportunity to delve into the network, because criminals prefer the path of least resistance.
We can put all of the best technology in place, we can install fancy firewalls, we can implement multi-factor authentication, but at the end of the day what we really need to be addressing is our people. Now, the team members in our organisation want to do the right thing. None of them are out looking to get the network breached by a malicious actor (we hope; if they are, you have bigger problems), so what we need to help them with is recognising these threats, and training them on how to respond when they do detect or recognise one.
Cybersecurity is often overlooked in small businesses. As a business owner, it's imperative to learn how your organisation responds to cyber threats and understand whether your staff has enough cyber awareness. If you discover that not all team members have sufficient awareness around how to identify and resolve cyber threats, you need to consider providing training opportunities to prevent the worst from happening.
"So how do I minimise human error as a threat to our cybersecurity?"
One of the first actions to take is to assess how much your staff know about cybersecurity, and then instigate training for the whole organisation. Make sure that all employees, executives, and top-management are on the same page when it comes to online safety and cybersecurity. It’s important to foster a positive environment around cybersecurity, because it only takes one team member to be the weakest link in order for a cyberbreach to occur.
Here are some ways to keep your team members cyber aware:
- In your next team meeting, discuss cybersecurity and see how well your team understands the risks and known sources of cyberattacks.
- Create a short form and ask relevant questions to evaluate your staff’s cyberawareness.
- Deploy a friendly phishing campaign. This gives you a clearer view of how your team reacts to phishing attacks.
- Put policies and procedures in place to ensure the basics of cybersecurity are actioned for all employees, such as setting strong passwords, enabling multi-factor authentication, having screen locks, monitoring access and installing the latest security patches.
- Make training fun. Cybersecurity isn’t the most exciting topic, so how can you turn it into a game so that staff members want to participate?
- Ensure that team members understand the importance of swift action when they think they’ve been the cause of a cyber breach. They might be embarrassed to admit it, but the sooner the right people know about it, the sooner they can address it and ensure the network is secure. Reward those who highlight vulnerabilities in security, rather than admonishing them for potential breaches.
- Don’t make cybersecurity training and programs a “one-off”. Threats to cybersecurity are constantly changing, so the training and understanding around cybersecurity needs to be current in order to be effective.
- Make cybersecurity an ongoing topic of conversation.
What is a friendly phishing campaign?
A friendly phishing campaign is an automated phishing attack simulation. It is a practical way to test how your staff respond to phishing attacks. This way, you will be able to learn how much your organisation knows about phishing and better understand where to focus your team’s cybersecurity training and education.
There are a number of providers that will offer a friendly phishing campaign service as part of a full cybersecurity training program for your team. You may also find free versions online that you can run within your organisation, such as this one from Infosec Institute.
Once you’ve gathered enough data to tell you where your people stand with regard to cybersecurity, you can then plan action to educate your staff about the best cybersecurity practices for your business.
Educate your Staff
Once you’re able to gauge your team’s ability to recognise and resolve a threat, you should continue to make sure that they know the right ways to do so.
It is vital that staff receive comprehensive training about what to watch out for so they can easily identify a cybersecurity threat. There are plenty of formalised training options for organisations, either in person or through an online program. A quick Google search will give you a list of cybersecurity training options in your area, but feel free to touch base with us if you want recommendations for your organisation.
Prepare some guidelines around cybersecurity and relay these to your team either via one-on-one training or by discussing in team meetings. Ensure staff completely understand the risks of ignoring the signs and mishandling data. Then give them a clear instruction on what to do next if they accidentally engage with a malicious threat.
Keep your team up to date about what you’re doing around cybersecurity. Perhaps you have a new intelligent firewall installed; bring it up at your next team huddle to make sure everyone knows how important cybersecurity is to the organisation.
The best way to keep your team aware around cybersecurity is to ensure that it’s a topic that is discussed regularly in your organisation. Keep the lines of communication open so that your team members fully understand the risks of cyberattacks and keep their eyes wide open to suspicious activity.
If you need advice about cybersecurity training for your team, don’t hesitate to reach out to the #nerdherd. We’d be happy to help.