It is common knowledge that employees are the weakest link in corporate cybersecurity. You don’t need advanced hacking skills to break into a corporate network; you just need to trick someone into opening an attachment or clicking a link. According to Verizon’s Data Breach Investigations Report, 90 percent of data breaches and security incidents are traced back to phishing attacks.
So employee training and simplified policies are your best defense. Let’s take a brief look at the basics.
Focused employee training. For most companies (my guess would be 98 percent), security training is far too broad to be effective. We’ve all sat through that quarterly cybersecurity presentation, pretending to pay attention while emailing and surfing the web.
Go back to the real threat, phishing, and you begin to see how attackers work: very specifically. They put thought into their game plan. Example: if I want your bank routing information, I target your CFO. I spoof a banker or client who needs a wire transfer executed, and I craft the attack for that one individual. This is the pattern behind business email compromise, and it is a teachable moment.
So your training needs to be focused on those teachable moments. Analyze each department for what a phishing attack against it would look like, and make sure employees understand how they personally might be targeted. That way they can concentrate on the likely, not merely the possible. Focused training, by department and by job responsibility, will have the greatest impact on reducing the risk from the human element.
User friendly security policies. The most glaring policy that doesn’t work is requiring complex passwords and forcing employees to change them every few months. That approach no longer works; NIST’s current guidance (SP 800-63B) advises against forced periodic password changes unless there is evidence the password has been compromised.
Employees, left to their own devices, will just tweak their password by capitalizing the first letter or bumping a digit; they get lazy because it takes time away from their real job. And if you insist on genuinely complex passwords, they will end up writing them down and sticking them to their monitor. Being an IT geek is not their job.
So let your people use a password manager and copy and paste (or autofill) passwords as needed. Use multi-factor authentication: codes sent to a phone or generated by a key fob are a good start, though an authenticator app or a FIDO2 security key resists phishing far better than SMS codes, which can be intercepted through SIM swapping. Keep them focused on being smart about what they open in their email; that is your most vulnerable attack point.
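As an added illustration (not part of the original post), here is the check that makes a password manager’s autofill a phishing defense and not just a convenience: the manager fills a saved credential only when the page’s origin (scheme, host and port) exactly matches the origin it was saved on, so a spoofed login page on a look-alike domain gets nothing. The vault entries, user names and URLs below are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample vault: a password manager keys each credential by the
# origin (scheme://host[:port]) on which it was saved. Hypothetical data.
VAULT = {
    "https://bank.example.com": {"username": "cfo@example.com", "password": "Xq7!vR2#pL9s"},
    "https://mail.example.com": {"username": "cfo@example.com", "password": "m4Nt!s-Br1dge"},
}


def origin_of(url: str) -> str:
    """Reduce an absolute URL to its origin: scheme, lower-cased host, and the
    port only when it is not the scheme's default."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    host = parts.hostname  # urlsplit already lower-cases the host
    default_port = {"https": 443, "http": 80}.get(parts.scheme)
    port = parts.port
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def autofill(url: str, vault=VAULT):
    """Return the saved credential for this page, or None when no saved origin
    matches exactly. Never fills over plaintext HTTP, even for a known host."""
    origin = origin_of(url)
    if not origin.startswith("https://"):
        return None
    return vault.get(origin)


# Constructed URLs: one legitimate page, one legitimate variant, and the kinds
# of pages a targeted phishing email would actually link to.
SAMPLE_URLS = [
    "https://bank.example.com/login",                     # the real site
    "https://BANK.example.com:443/login",                 # same origin, different spelling
    "http://bank.example.com/login",                      # downgraded to HTTP
    "https://bank-example.com/login",                     # look-alike registered domain
    "https://bank.example.com.secure-login.io/login",     # real name as a subdomain of attacker's
    "https://login.bank.example.com/",                    # subdomain the credential was not saved on
]


def phishing_probe(urls, vault=VAULT):
    """Report, per URL, whether the manager would fill a credential."""
    return {u: autofill(u, vault) is not None for u in urls}


if __name__ == "__main__":
    for url, filled in phishing_probe(SAMPLE_URLS).items():
        print(("FILL    " if filled else "REFUSE  ") + url)
```

Only the first two URLs get filled; every look-alike, downgrade and unexpected subdomain is refused. The caveat for training is that this check is bypassed the moment an employee copies the password out of the manager and pastes it into the page by hand, so the message to teach is: if the manager refuses to fill on a page where it normally does, that is the warning sign, not a reason to paste.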
To sum up – spend more time on teachable moments and less on complicated policy. KISS – Keep it simple, stupid.