TEISS guest blogger Sam Reed, Chief Technology Officer at Air IT, explains the importance of effective cyber security training.
Most businesses now take measures like installing antivirus software to protect themselves from a cyber attack. But technology is only one part of staying safe online.
Employees also play a critical role in maintaining online security, so they need to be educated about what to do.
The WannaCry attack, which crippled the NHS in May 2017, is thought to have started when an employee either downloaded an infected attachment or clicked on a malicious link.
In Ernst and Young’s latest Global Information Security Survey, careless employees were named as the most likely source of a cyber attack by 74% of the respondents. The survey polled 1,735 global executives, information security managers and IT leaders.
Educating employees about online security
Educating employees about cyber security needs to go beyond a few cursory measures. Simply handing new employees a document on your company’s IT policy isn’t good enough.
You need to foster a company culture where cyber security is prioritised. This means that those in senior roles need to show their commitment to it.
Training needs to be engaging. Consider creating an e-learning course where employees have to interact with the content. You could also run a face-to-face training session that uses real-life examples to illustrate the consequences of a cyber attack.
Try to make training sessions more relevant to employees by talking about the importance of cyber security in their personal lives too. For example, you could talk about preventing identity fraud.
Keeping passwords secure
Cracking an employee’s password is one of the easiest ways for a cyber criminal to gain access to sensitive business data. Your employees therefore need to understand how to create a strong password. They should follow best practice guidelines such as:
- Avoiding using any dictionary words, or contractions of words, in any language, because criminals can use technology to crack such passwords in minutes.
- Avoiding using personal information, like your birthday or postcode, because criminals could track this information down elsewhere.
- Using the first letter of each of the words in a memorable phrase.
- Using a mixture of symbols and numbers, with both lower and uppercase letters, in a random fashion.
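The four guidelines above expressed as a checker an IT team could run on a proposed password, as an added illustration rather than code from the article or from Air IT. The word list, the personal details and the 12-character minimum are assumptions made for the example; the article itself states no minimum length.

```python
import string

# Constructed word list for illustration; a real check would use a full dictionary feed
# in every language the workforce uses, plus details an attacker could find about the employee.
DICTIONARY = {"password", "welcome", "summer", "london", "admin", "company"}
LEET = str.maketrans("0134@$", "oleaas")   # undo common digit/symbol-for-letter swaps

def password_from_phrase(phrase: str) -> str:
    """Take the first letter of each word of a memorable phrase (third guideline)."""
    return "".join(word[0] for word in phrase.split())

def check_password(password: str, personal: list[str], dictionary=DICTIONARY,
                   min_len: int = 12) -> list[str]:
    """Return the guideline violations found in `password`; an empty list means it passes.
    The minimum length is an added assumption, not a figure from the article."""
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # First guideline: dictionary words, even behind 'P@ssw0rd'-style substitutions.
    for word in sorted(dictionary):
        if len(word) >= 4 and word in normalised:
            problems.append(f"contains dictionary word {word!r}")
    # Second guideline: details such as a birthday or postcode that can be looked up.
    for item in personal:
        if item and item.lower().replace(" ", "") in lowered.replace(" ", ""):
            problems.append(f"contains personal information {item!r}")
    # Fourth guideline: lower-case, upper-case, digits and symbols all present.
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append("needs lower- and upper-case letters, digits and symbols")
    return problems

if __name__ == "__main__":
    # Phrase initials alone give "MfdwTahltrf"; mixing in a digit and a symbol makes it pass.
    print(check_password(password_from_phrase("My first dog was Toby and he loved to run fast") + "5!",
                         ["toby", "SW1A 1AA"]))
    print(check_password("P@ssw0rd", []))
```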
Employees should change their password every three months or so, and choose a completely different one when they do so, rather than simply altering one or two characters.
You can also use two-step authentication to add an extra layer of security to your most critical systems. Just make sure the device your verification code is sent to is kept up to date.
Recognising potential attacks
You can’t assume your employees know how to spot an attempt to attack you, especially since criminals are continually getting better at disguising their efforts.
The UK Government’s latest cyber security survey found that fraudulent emails are the most common type of attack experienced by businesses.
You can’t rely on spam filters to prevent such emails getting through. Employees still need to be suspicious about emails which seem out of place, or come from people they don’t know. They should avoid clicking on links, or downloading attachments, in suspicious emails.
Unfortunately, criminals are now better at making their emails appear authentic. They may include a company logo or make the email appear to come from a colleague of the victim.
For instance, in CEO fraud, they may find out the personal details of someone senior in an organisation so they can impersonate them convincingly when they ask for sensitive information. Verifying such requests with a source you know and trust doesn’t take long and can prevent a lot of stress.
Be especially wary about emails that ask for an urgent action to be completed, or offer a reward. And watch out for poor grammar too because it is still often a sign an email is fraudulent.
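The warning signs listed in this section (an unknown sender, a message dressed up to look like it comes from a colleague, a request for urgent action, the offer of a reward) as a small mail-triage check, added here as an illustration and not taken from the article or from Air IT. The sample message, the company domain and the staff directory are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message showing the cues the article describes (not a real email).
SAMPLE = """\
From: "Jane Smith (Finance Director)" <jane.smith@mail-example.net>
Reply-To: jsmith.director@webmail-example.org
To: accounts@example.com
Subject: Urgent: wire transfer needed today

Hi, I need you to action an urgent payment before 3pm and there will be a
bonus reward for the team. Please dont use my usual adress, reply to this one.
"""

COMPANY_DOMAIN = "example.com"                       # assumed internal domain
STAFF = {"jane smith": "jane.smith@example.com"}     # assumed directory: name -> real address
URGENCY = ("urgent", "immediately", "today", "asap")
REWARD = ("reward", "bonus", "prize")

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def phishing_cues(raw: str, company_domain=COMPANY_DOMAIN, staff=STAFF) -> list[str]:
    """Return the article's warning signs found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"] or "")
    text = ((msg["Subject"] or "") + " " + msg.get_content()).lower()
    cues = []
    # Looks like a colleague, but the address is not the one in the staff directory.
    for person, real_addr in staff.items():
        if person in name.lower() and addr.lower() != real_addr:
            cues.append(f"display name of colleague {person!r} but address is {addr}")
    # Sender is outside the company and not someone in the directory.
    if _domain(addr) != company_domain and addr.lower() not in staff.values():
        cues.append(f"unknown external sender {addr}")
    # Replies would be diverted to a third domain.
    reply_to = parseaddr(msg["Reply-To"] or "")[1]
    if reply_to and _domain(reply_to) != _domain(addr):
        cues.append(f"Reply-To domain {_domain(reply_to)} differs from sender")
    if any(w in text for w in URGENCY):
        cues.append("pressure for urgent action")
    if any(w in text for w in REWARD):
        cues.append("promise of a reward")
    return cues

if __name__ == "__main__":
    for cue in phishing_cues(SAMPLE):
        print("-", cue)
```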
Employees should also be careful about sharing sensitive information with others and be discerning about online ads, or social media links.
Keeping mobile devices secure
Many employees now work on the go, or at home, often using their own devices. Every device they use to access company information needs to be secure, including their mobile phones.
Employees need to know that the same security guidelines that apply to PCs also apply to mobile phones, including using passwords, installing software updates, and being wary about which links (including adverts) they click on.
Start by identifying your security priorities, so you can make sure your most critical business assets are safe.
Then make sure you have the necessary technology in place to protect yourself, so it is as simple as possible for employees to play their part. For example, you could use a password manager to make it easier to keep multiple passwords secure, rather than expecting employees to remember them all.
Employees also need to feel comfortable about speaking up if they notice signs they may have been attacked, like a slow computer.
Getting your employees to take their role in cyber security seriously could prevent you from experiencing a significant amount of stress and financial loss.