We often point to statistics showing that human error is a business’s greatest cybersecurity vulnerability. Cybersecurity training is absolutely vital to preventing those mistakes. But what, exactly, should that training consist of?
In this post, we break it down for you.
Implementing the right technology is essential too, but that alone is not enough to prevent a major disaster. The tips below can help reduce the chances of “little” accidents snowballing into an operational catastrophe.
Why human error can be so costly
In a previous post, we highlighted some of the ways that human error puts your business at risk. We can’t stress this enough. When unsuspecting employees accidentally allow a malware infection, for example, it can disrupt your entire business and cause millions of dollars in losses.
Here are some more specific examples of how things can go wrong:
- Opening a malicious attachment disguised as a legitimate invoice, leading to a ransomware infection that encrypts all your data for days.
- Being a victim of a phishing attack, which looks like a legitimate email and/or sign-in page but instead captures an employee’s login information, leading to sensitive data being compromised.
- Installing unapproved software that is laden with malware, crashing your systems and making them vulnerable to future attacks.
- Accidentally deleting important files or folders that are critical to your operations.
When any of these “oops” moments cause downtime, the costs can be crippling. Just one hour of downtime can cost businesses between $10,000 and $5 million, so the stakes are insanely high.
But don’t freak out just yet. Here’s how to effectively prevent those errors with the right cybersecurity education.
1) Get real about the risks
A good way to set the tone of your cybersecurity training is to clearly state the seriousness of the risks, right from the beginning (kind of like we have in this post).
Employees must have a clear understanding of what’s at stake:
- Explain how a cyberattack can disrupt the entire business
- Use real figures to show how much a breach can cost
- Go over how common it is for businesses to shutter after certain disasters
- Let them know that their actions can have real consequences on the business, which is why the training is so important
2) Include everyone
Every employee, every department. Yes, that means upper management and IT folks, too.
Regardless of skill level or pay grade, every employee should receive this training.
3) How NOT to use the web
A good place to start your Internet cybersecurity training is with a basic lesson on not visiting websites that don’t have anything to do with a worker’s job responsibilities.
Some organizations are more lax about this than others. At many companies, it’s common for employees to have access to their favorite sites for news, social media and personal email. But employees should still be strongly discouraged from browsing the web willy-nilly, which can lead them to visiting sites that are loaded with malware.
When in doubt, set strict policies about which websites are allowed and which aren’t. As an extra precaution, consider blocking traffic to blacklisted sites within your network/firewall settings.
4) Email from unknown senders
Set a specific protocol for handling email from unknown or suspicious senders. These are the kinds of emails that look legitimate but come from sources that aren’t already within the recipients’ contacts.
Staff should know what to do next, whether it’s asking a supervisor for advice, cross-checking with coworkers, submitting a help desk ticket or something else entirely.
Regardless of the protocol, employees should be advised to be immediately suspicious of every email from an unknown sender. Do not click or do anything until the sender’s identity is verified.
5) Identifying a suspicious email
By the end of training, employees should know how to spot the tell-tale signs of a potentially dangerous email.
While some spam and phishing emails are very cleverly disguised, employees should know how and what to inspect in every message they receive. Here are just a few topics you’ll probably want to cover in your training:
- How to verify sender information
- Ways to view hyperlink locations without clicking
- How to determine if a message in the Spam folder is legitimate or not
- Common signs something is wrong: odd characters and misspellings, unusual delivery times, etc.
6) Spotting a phishing attack
A good social engineering attack can circumvent nearly every cybersecurity defense you have. This is why it is so important to train employees how to recognize a phishing attempt.
We’ve mentioned a few of the red flags above, but here are some additional points you’ll want to stress in your training:
- Being wary of sudden prompts to change passwords
- Verifying that website URLs match up with the sites that users were expecting when clicking an email link. For example, an email claims to be from PayPal, but the link points to paypal.account.xyz.com.
- Any requests for user names or personally identifiable information.
- Sender names not matching email addresses. For example, sophisticated phishing emails can sometimes include the real name of a colleague, but if sender information shows something other than a real company email, then you know something’s not right.
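The two checks above (sender display name versus the actual address, and link text versus where the link really goes) can be demonstrated in a few lines. The following script is an added example and is not code from the original post; the brand-to-domain mapping and the sample email are constructed for illustration. It treats a hostname as belonging to a brand only if it is that brand’s registered domain or a subdomain of it, so paypal.account.xyz.com does not pass for paypal.com:

```python
"""Added example: screen an email for the phishing red flags described in the
post (display-name/address mismatch, link text pointing at the wrong domain).
Constructed data throughout; not the original post's code."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of brand names to the domains that brand actually uses.
# A real deployment would maintain its own list.
EXPECTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "acme": {"acme.example"},
}

# Constructed sample message mirroring the post's example: the display name says
# PayPal, but the address and the first link live on paypal.account.xyz.com.
SAMPLE_EMAIL = """\
From: PayPal Support <billing@paypal.account.xyz.com>
To: employee@acme.example
Subject: Action required: confirm your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is limited.
<a href="http://paypal.account.xyz.com/login">Log in to PayPal</a> to restore access.</p>
<p><a href="https://www.paypal.com/help">PayPal Help Center</a></p>
</body></html>
"""


def hostname_belongs_to(hostname, domain):
    """True only if hostname is exactly `domain` or a subdomain of it.
    'paypal.account.xyz.com' does NOT belong to 'paypal.com'."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._text is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._text is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href, self._text = None, None


def check_sender(from_header, expected_domains):
    """Flag a display name that names a brand the address domain does not belong to."""
    name, addr = parseaddr(str(from_header))
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    for brand, domains in expected_domains.items():
        if brand in name.lower() and not any(hostname_belongs_to(addr_domain, d) for d in domains):
            findings.append(f"display name mentions '{brand}' but address domain is '{addr_domain}'")
    return findings


def check_links(html_body, expected_domains):
    """Flag links whose visible text names a brand but whose href goes elsewhere."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        for brand, domains in expected_domains.items():
            if brand in text.lower() and not any(hostname_belongs_to(host, d) for d in domains):
                findings.append(f"link text '{text}' suggests {brand} but href goes to '{host}'")
    return findings


def analyze_email(raw_message, expected_domains=EXPECTED_DOMAINS):
    """Parse a raw RFC 5322 message and return a list of human-readable red flags."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return check_sender(msg["From"], expected_domains) + check_links(html, expected_domains)


if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_EMAIL):
        print("RED FLAG:", finding)
```

Run against the sample, the script reports two red flags: the sender address domain and the “Log in to PayPal” link both resolve to paypal.account.xyz.com, while the genuine www.paypal.com help link passes. The same suffix test is what a user should apply by eye when hovering over a link: read the domain from the right-hand end, not from whatever familiar word appears on the left.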
7) Password strength
Weak passwords are a recipe for disaster. Hackers use automated software to plow their way into your systems by making hundreds of password guesses a minute.
You may be able to configure some of your applications to require stronger passwords, but when you’re using third-party apps, you don’t always have control over this.
Educate personnel on the importance of setting passwords with the following requirements:
- 8-12 characters long
- Use letters, numbers and special characters
- At least one letter capitalized
- No personally identifiable information (names, email address, user names, etc.)
Passwords should also be changed on a regular basis.
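Where you do control the application, the list above can be enforced at the point a password is set. The following validator is an added example, not code from the original post; it implements exactly the four rules listed (including the 8-12 character range as stated) and the user record it checks against is constructed for illustration. The PII rule is the one people most often get wrong in practice, so it is handled by breaking the user’s name, username and email local part into fragments and rejecting any password that contains one, regardless of case:

```python
"""Added example: enforce the post's password requirements at account setup.
Constructed user data; not the original post's code."""
import string


def pii_fragments(user):
    """Split the user's name, username and email local part into fragments of
    three or more characters that must not appear in the password."""
    fragments = set()
    for value in user.values():
        local_part = value.split("@")[0]
        for sep in (".", "_", "-"):
            local_part = local_part.replace(sep, " ")
        for token in local_part.split():
            if len(token) >= 3:
                fragments.add(token.lower())
    return fragments


def check_password(password, user):
    """Return the list of rules the password violates (empty means it passes).
    Rule names: length, letter, digit, special, uppercase, pii."""
    violations = []
    if not 8 <= len(password) <= 12:
        violations.append("length")
    if not any(c.isalpha() for c in password):
        violations.append("letter")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    if not any(c in string.punctuation for c in password):
        violations.append("special")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    lowered = password.lower()
    if any(fragment in lowered for fragment in pii_fragments(user)):
        violations.append("pii")
    return violations


# Constructed user record for the example.
SAMPLE_USER = {"name": "Jane Doe", "username": "jdoe", "email": "jane.doe@acme.example"}

if __name__ == "__main__":
    for candidate in ("password", "Doe2024!!", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_USER) or 'ok'}")
```

“Doe2024!!” satisfies every character-class rule and still fails, because “doe” is lifted straight from the user record; that is the case the PII requirement exists for.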
8) Unauthorized apps and software
This policy is generally pretty simple: Users should not install any software or third-party apps unless they have been given explicit approval to do so by their managers (or unless IT personnel install it for them).
It’s the responsibility of IT and management to equip personnel with the software they need from the beginning. And after that, nothing else is allowed. There is simply too great a risk of malware when users have free rein to install any software they choose.
As an extra safeguard, make use of OS configurations that prevent unauthorized applications from executing in the first place.
9) Handling of data
This is an especially important topic if your organization must adhere to HIPAA or other regulatory guidelines for record-keeping and data storage.
Employees must be thoroughly trained on these rules, including how they send, store and handle sensitive data. Even the most basic reminders to save files on company servers (rather than on users’ desktops) are important.
Finally, instruct staff on using caution whenever moving folders to different directories. This is one of the most common causes of accidental file loss. And although a good data backup system may help you retrieve those files fairly quickly, it’s still a headache for your already-strained IT teams.
10) Patches and updates
In an ideal world, your IT teams will be updating systems when patches become available, or using patch management systems to streamline the process across a fleet of machines. But not every business is set up to do it this way, especially smaller companies.
Employees must be educated on how to recognize legitimate system update notifications and the danger of postponing those updates. If you’re going to give users the responsibility of handling these updates themselves, then you need to make sure they do it.
11) Personal devices from home
Set a clear policy about what kinds of external devices are allowed to be connected to users’ desktops (if any). When in doubt, prohibit all devices unless workers need them to perform essential job duties.
Some examples of devices you may want to prohibit:
- USB thumb drives or other external drives
- Tethered mobile phones and tablets
- Wi-Fi assistants and speakers, e.g. Amazon Alexa, Google Home, Sonos
- Cameras and peripherals
You never know when an employee’s personal device may be carrying malware. So it’s a good rule of thumb to keep those off your network and disconnected from company machines altogether.
In addition to cybersecurity training, here are some final precautions to avoid disaster
Remember, technology can help you mitigate the impact of human error. Mistakes are bound to happen no matter what. These precautions can help stop them from becoming disasters:
- Back up data constantly with a dependable business continuity & disaster recovery solution
- Use application whitelisting to prevent any unauthorized or unknown software (like malware) from running
- Use pen testing to identify critical security gaps before there’s an issue.
- Utilize every possible cybersecurity defense to prevent malicious email from reaching inboxes and prevent those emails from doing damage if users interact with them. Defenses include spam filters, anti-malware, firewalls, IP blocking, etc.
- Utilize managed detection and response (MDR) to get real-time threat detection, response, and remediation through a fully managed security operations center
- Set anti-malware software to scan and update automatically
- Install patches and updates as soon as they’re available, if not automatically
Deploy a better backup system
For more information on protecting your IT infrastructure from a cybersecurity disaster, contact our business continuity experts at Invenio IT. Request a free demo, call (646) 395-1170 or email success@invenioIT.com.