While deploying the latest and greatest security solutions can go a long way toward protecting your enterprise from external threats, one of the most often overlooked parts of your organization’s network security is employee training. Since your enterprise is serious about protecting its sensitive data, training your staff with the industry’s best security practices needs to be a priority. In fact, we recommend that you institute a hands-on approach that will make your employees understand just how important this issue is.
We recommend a strategy of comprehensive testing, including pop quizzes, to ensure that each of your employees knows how to respond to specific threats, including some of the most deceptive attacks out there. Phishing scams, whaling attacks, and social engineering scams can take down any company, so making it clear to employees that their same old habits won't protect them becomes essential.
Make IT Clear
Consider These Ways to Test Your Employees
- Phishing attack simulations: Purchase domains that look like official businesses, and then email your employees from those domains asking for sensitive information. Use phrasing such as: “please confirm your email for your purchase of XYZ software by clicking this link”. Keep track of who responds, who ignores it, and who reports the problem to IT. Make sure that you make the message look as real as possible, but be cognizant that to be a useful training tool, you still have to give your employees irregularities to find within the message.
- Whaling attack simulations: Similar to the above scenario, but the message is crafted so that your users believe it comes from management. Be sure to check who responds properly to such an attack.
- Social engineering schemes: This is where you can get a little creative. Do some background work to find information on your employees. Information such as their addresses, phone numbers, personal email addresses, etc. will work best. Use the information to try to obtain private information from them without them knowing you are behind the correspondence. Make sure that you cover all avenues of social engineering, including phone calls and on-site visits.
- Desk security: Are your employees locking their computers and keeping sensitive information out of view? This could include physical documents, but also online accounts that may remain signed in on a PC, allowing anyone who opens the computer to use them without a password.
- Fake ransomware installations: You can remote into your employees’ workstations and display a screen just like a typical ransomware infection would. Take note of who responds to the threat by reaching out to IT, and who tries to resolve the problems on their own.
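The simulations above only pay off if you track the outcomes consistently. As an added illustration that is not part of the original post, here is a small Python scorer for one phishing campaign: it reads a constructed event log, decides for each employee whether they submitted data, clicked, reported the message or ignored it, and returns the campaign's rates plus a follow-up list. The log format and event names are assumptions.

```python
from collections import Counter

# Constructed sample event log from one simulated phishing campaign (assumed
# format "timestamp,employee,event"; events: delivered, opened, clicked,
# submitted, reported). Someone with only delivered/opened ignored the mail.
SAMPLE_LOG = """\
2024-03-04T09:01:00,alice,delivered
2024-03-04T09:06:40,alice,reported
2024-03-04T09:01:00,bob,delivered
2024-03-04T09:21:02,bob,clicked
2024-03-04T09:22:15,bob,submitted
2024-03-04T09:01:00,carol,delivered
2024-03-04T09:01:00,dave,delivered
2024-03-04T10:15:30,dave,clicked
2024-03-04T10:16:10,dave,reported
"""

def parse_log(text):
    """Return {employee: set(events)} from the CSV-style log."""
    events = {}
    for line in text.strip().splitlines():
        _ts, who, event = line.split(",")
        events.setdefault(who, set()).add(event)
    return events

def classify(events):
    """Worst action decides: submitted > clicked > reported > ignored."""
    outcomes = {}
    for who, evs in events.items():
        for outcome in ("submitted", "clicked", "reported"):
            if outcome in evs:
                outcomes[who] = outcome
                break
        else:
            outcomes[who] = "ignored"
    return outcomes

def campaign_summary(text):
    """Per-campaign rates (fractions of recipients) plus a follow-up list."""
    events = parse_log(text)
    outcomes = classify(events)
    n, counts = len(outcomes), Counter(outcomes.values())
    phish_prone = (counts["clicked"] + counts["submitted"]) / n
    # A report after a click is credited here (the right habit) but still flagged.
    report_rate = sum("reported" in evs for evs in events.values()) / n
    follow_up = sorted(w for w, o in outcomes.items()
                       if o in ("clicked", "submitted"))
    return {"recipients": n, "phish_prone_rate": phish_prone, "report_rate":
            report_rate, "follow_up": follow_up, "outcomes": outcomes}
```

Running the same scorer over each quarterly campaign gives you the trend line (the kind of before/after percentages quoted later in this post) rather than a one-off snapshot.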
Emphasize Why Employees Should Care
Employees won’t always understand that you have everyone’s interests in mind when you stress the importance of following solid security practices. Be sure to tell them why security is important for the organization, as well as for their own good. The best way to do that is by phrasing your comments in a way that makes the fight against online threats personal. Presenting urgency is key to successfully accomplishing this. Two examples are:
- Their sensitive information is at risk: Remind employees that it’s not just your organization’s data that’s at risk; it’s also their information. If your human resources or accounting departments were to suffer breaches, they would also be vulnerable to identity theft or worse. Therefore, they have an obligation to understand network security.
- The business’s future is at risk: What happens when an enterprise goes out of business, either due to financial troubles or legal duress? The employees find themselves out of work. Hackers can use a plethora of methods to make business difficult for your organization, especially if they steal data that could affect the business’s reputation. After all, a data breach makes your organization look bad, and you’ll likely lose out on business opportunities, which may result in your company seeing smaller profits. Smaller profits mean fewer employees, and nobody wants to lose their job. Therefore, protecting data and intellectual property is in your employees’ best interests.
Tips on How to Implement Company-wide Cybersecurity Training
- Provide annual training: Your employees should be receiving training on a regular basis, especially in terms of security. Have them run through the basics of how to stay safe online, and make the decision easy for them by scheduling it for them. Offer this training to both seasoned employees and new recruits.
- Quarterly pop-quizzes: Retaining information, like how to stay safe online, isn’t always easy for employees. Besides, business moves fast. Help your staff stay fresh on how to protect themselves and your enterprise by breaking out a pop-quiz every now and then. If an employee underperforms, take the time to explain why and how it’s so important to your organization’s continued success.
- Offer incentives: If your employees directly benefit from security training, they’ll be more apt to adopt the practices themselves. This could range anywhere from professional development to freebies like gift cards. Make learning about network security worthwhile for your employees and they will go out of their way to make sure they adhere to company policy.
IronEdge Group offers a stellar program called KnowBe4 that puts your employees through a rigorous training procedure designed to improve their awareness of network security best practices. What we offer presents valuable training materials alongside hands-on phishing identification exercises and intelligent reporting, so you’ll know who is struggling to keep up and how to approach further training.
Our solution allows your users to be tested on several different types of threats, including (but not limited to) phishing scams, ransomware, CEO fraud, and so much more. KnowBe4 is so successful that it allows CIOs to dramatically reduce vulnerability to common phishing attempts. Over a 12-month period, it can reduce your phishing vulnerability from an average 15.9% to a low of 1.2%. It’s clear that this type of hands-on training combined with frequent threat simulation is a valuable investment for your enterprise.
To learn more about what IronEdge Group can do for your enterprise, reach out to us at 832-910-9222.