Be a Hard Target: Train Your Employees in Security Awareness  

Most organizations today are justifiably obsessed with cybersecurity, but many overlook their greatest IT vulnerability: their employees. The best way to strengthen a company’s defenses is by providing every employee with security awareness training. 

Your Biggest Weakness 

Everywhere MHA’s consultants go these days, it’s “cyber, cyber, cyber.” Everyone is concerned about cybersecurity, and rightfully so. However, many companies focus on technology-based defenses and neglect the most significant weakness they have: their employees.  

Unfortunately, the hackers are not ignoring company staff. They are targeting them with everything they’ve got, and with a degree of sophistication much higher than in the days of the Nigerian prince scam.  

Employees are most organizations’ biggest vulnerability when it comes to IT security. Staff members’ clicking on malicious email links is the biggest vector by which malware infects company networks. 

The costs for the company can be staggering. The repercussions can range from financial, legal, and reputational impacts to the inability to carry out critical operations and loss of competitiveness. 

Consider Security Awareness Training 

For the reasons discussed above, every organization should give its employees formal security awareness training. Such training is available from online providers, as a SaaS solution, or through consulting firms. It is generally affordable and well worth the investment, considering what is at stake and how pervasive the threat is.

A typical training program includes didactic materials such as videos that teach people about attackers’ tricks and how to foil them. Most security awareness programs also provide testing, data, and statistics, such as identifying anyone in the organization who persistently clicks on insecure items.  

Incidentally, for any security awareness program to be effective, “frequent clickers” need to be subject to consequences. These might include, after a certain number of unsafe clicks, remedial training, downgrading the person’s access, or moving them to a different position. Organizations that allow known frequent clickers to go on their merry way might be letting themselves in for a world of hurt, both in terms of a potential breach and the legal and regulatory aftermath. 
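The testing data described above only helps if someone actually turns it into follow-up actions. The script below is an added example, not code from MHA or from any particular awareness-training product: it takes a constructed export of simulated-phishing results (one row per user per campaign, with a hypothetical action vocabulary of ignored/reported/clicked/submitted), counts unsafe clicks per user, flags the frequent clickers, and maps each to a step on a hypothetical consequence ladder that mirrors the escalation the post describes.

```python
"""Turn phishing-simulation results into a frequent-clicker escalation list.

Added example; the data, action names and consequence ladder are constructed
assumptions, not the format of any real awareness-training platform.
"""
from collections import defaultdict

# Constructed sample export: (user, campaign, action). "submitted" means the
# user clicked AND entered credentials on the simulated landing page.
SIMULATION_RESULTS = [
    ("alice", "2024-Q1", "reported"),
    ("alice", "2024-Q2", "ignored"),
    ("alice", "2024-Q3", "reported"),
    ("bob",   "2024-Q1", "clicked"),
    ("bob",   "2024-Q2", "clicked"),
    ("bob",   "2024-Q3", "submitted"),
    ("carol", "2024-Q1", "ignored"),
    ("carol", "2024-Q2", "clicked"),
    ("carol", "2024-Q3", "ignored"),
    ("dave",  "2024-Q2", "clicked"),
    ("dave",  "2024-Q3", "clicked"),
]

UNSAFE_ACTIONS = {"clicked", "submitted"}

# Hypothetical consequence ladder: (minimum unsafe clicks, consequence).
# Later steps override earlier ones, so 3+ clicks lands on "access review".
ESCALATION_LADDER = [
    (1, "coaching email"),
    (2, "remedial training"),
    (3, "access review"),
]


def summarize(results):
    """Per-user totals: campaigns received, unsafe clicks, reports to the SOC."""
    summary = defaultdict(lambda: {"campaigns": 0, "unsafe": 0, "reported": 0})
    for user, _campaign, action in results:
        entry = summary[user]
        entry["campaigns"] += 1
        if action in UNSAFE_ACTIONS:
            entry["unsafe"] += 1
        elif action == "reported":
            entry["reported"] += 1
    return dict(summary)


def escalation_step(unsafe_clicks):
    """Highest ladder step the user has reached, or None with no unsafe clicks."""
    step = None
    for threshold, consequence in ESCALATION_LADDER:
        if unsafe_clicks >= threshold:
            step = consequence
    return step


def frequent_clickers(results, threshold=2):
    """Users with at least `threshold` unsafe clicks, worst offenders first."""
    summary = summarize(results)
    flagged = [
        (user, entry["unsafe"], escalation_step(entry["unsafe"]))
        for user, entry in summary.items()
        if entry["unsafe"] >= threshold
    ]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


def report_rate(results):
    """Share of simulated phishes that were reported: the metric you want rising."""
    total = len(results)
    reported = sum(1 for _, _, action in results if action == "reported")
    return reported / total if total else 0.0


if __name__ == "__main__":
    for user, clicks, consequence in frequent_clickers(SIMULATION_RESULTS):
        print(f"{user}: {clicks} unsafe clicks -> {consequence}")
    print(f"org report rate: {report_rate(SIMULATION_RESULTS):.0%}")
```

The report rate is worth tracking alongside the click list: an organization where people report rather than ignore simulated phishes is the one whose real incidents get caught early.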

Security Training Program Content 

To be effective, a security awareness training program should train and test employees on the following three areas: 

  • Phishing attacks. A typical phishing attack consists of an email that tries to fool the target into providing sensitive information or doing something that will allow malware into the computing environment. Attacks can also arrive via text messages, phone calls, or voice mail. In the early days of the internet, phishing attacks tended to be crude and easily spotted: the requests were outrageous and the spelling and grammar were usually all over the place. Today, attacks can be highly sophisticated. They might include the logos of real companies, making them harder to identify as phony. Often, phishing emails strive to create a sense of urgency by suggesting that if the target doesn’t act quickly, something bad will occur. This can override people’s natural caution. A good training program will educate employees about attackers’ techniques and teach them the importance of verifying email domain names and other precautions. It should also test them. Such tests help people become more vigilant and identify those who need additional training (or reassignment). 
  • Socially engineered attacks. Social engineering is phishing on steroids. It can also be a factor in other types of attacks such as physical intrusion (see below). It involves the use of sophisticated techniques to manipulate people into doing things they shouldn’t. This can involve making attacks highly relevant and appealing to the target, such as threatening that an account of theirs will be closed unless the person clicks on a link or opens an attachment. Alternatively, a socially engineered attack might impersonate an executive at the target’s organization. These attacks are likely to become even more potent with the spread of AI. Socially engineered attacks are very insidious and can be devastatingly effective. A solid training and testing program can go a long way toward helping employees know about and be on guard against this type of attack. 
  • Physical intrusion. This refers to criminals’ efforts to physically enter a company’s facilities and manually introduce malware into someone’s computer, typically by inserting a USB drive into an unlocked computer. Alternatively, the attacker might just leave a drive around for someone to find. This type of attack isn’t as common as remote attacks, but it does happen. Using social engineering techniques, the attacker might chat up an employee on a smoke break, pretending to be an employee themselves, then follow their new friend back inside. Alternatively, the attacker might piggyback on a random employee heading into the building, saying they forgot their badge and asking the person to badge them in. Physical intrusion attacks exploit people’s natural tendency to be trusting and helpful. Training to protect against them should educate employees on the importance of, for example, never plugging a strange flash drive into their computer or letting another person follow them in without badging.  
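The phishing bullet above singles out verifying the email domain name as a core skill. The check below is an added example, not code from the post, showing what that verification looks like when written down: it reads the real address out of a From: header (not the display name), and classifies its domain against an assumed trusted domain (example.com, a placeholder) as trusted, external, a display-name spoof, or a look-alike built from confusable characters, a one-character typo, or the trusted name buried inside a longer hostname. The confusable table and sample headers are constructed for illustration.

```python
"""Classify the sender domain of an email From: header against trusted domains.

Added example, not code from the post. TRUSTED_DOMAINS, CONFUSABLES and the
headers in __main__ are constructed assumptions.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domain(s)

# Character sequences commonly swapped in look-alike spellings (illustrative subset).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def sender_domain(from_header):
    """Domain of the actual address in From:, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def registrable(domain):
    """Last two labels, e.g. mail.example.com -> example.com.
    Heuristic only: a production check would consult the public-suffix list."""
    return ".".join(domain.split(".")[-2:])


def normalize(name):
    """Fold confusable sequences so examp1e / exarnple compare equal to example."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return one of: malformed, trusted, display-name-spoof, lookalike, external."""
    display, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain is None:
        return "malformed"
    trusted_reg = {registrable(t) for t in trusted}
    reg = registrable(domain)
    if reg in trusted_reg:
        return "trusted"  # exact domain or a subdomain of it
    # Display name that reads like a trusted address: "ceo@example.com" <x@evil.net>
    if any(t in display.lower() for t in trusted_reg):
        return "display-name-spoof"
    squashed = domain.replace(".", "").replace("-", "")
    for t in trusted_reg:
        if normalize(reg) == normalize(t):      # exarnple.com, examp1e.com
            return "lookalike"
        if edit_distance(reg, t) <= 1:          # example.co, examplle.com
            return "lookalike"
        if t.replace(".", "") in squashed:      # example.com.evil.net, secure-example.com
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed headers covering each verdict.
    for header in [
        "Alice <alice@example.com>",
        "Alerts <noreply@mail.example.com>",
        "IT Support <helpdesk@examp1e.com>",
        "Payroll <hr@example.com.evil.net>",
        '"ceo@example.com" <random@evil.net>',
        "Vendor <sales@vendor.org>",
    ]:
        print(f"{classify_sender(header):19} {header}")
```

Two caveats a practitioner would add: the two-label registrable heuristic misclassifies country-code second-level domains such as example.co.uk, and a header check like this only addresses the visible From: address; it says nothing about whether the message actually passed SPF, DKIM and DMARC, which is where the mail gateway, not the employee, does the verifying.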

A security awareness training program that trains and tests people on these three types of attacks can go a long way toward making the company a harder target.  

Strengthening the Weakest Link 

In today’s cybersecurity landscape, employees are often the weak link in an organization’s defense. The costs of neglecting this vulnerability can be substantial, encompassing financial, legal, reputational, and operational consequences.  

To mitigate these risks, organizations should invest in comprehensive security awareness training that covers phishing attacks, socially engineered attacks, and physical intrusion. Such training can fortify the company’s defenses while empowering employees to recognize and thwart potential security breaches. 

Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.


© 2024 · MHA Consulting. All Rights Reserved.
