The world of cybercriminals, phishing, and malware is scary enough without risky employee behaviors contributing to the frights.
It’s Halloween. Time for zombies, witches, ghosts, and… cyber threats?
Even the best-intentioned employees can sometimes do scary things that expose your organization to security risk. Whether it’s getting hooked by cleverly-crafted phishing attacks, leaving laptops exposed, or even allowing unauthorized people into secure facilities, mistakes happen – and they can be costly.
It’s well-established that humans are one of today’s greatest corporate risk vectors. Here are seven tips on using training to help your employees recognize and avoid unsafe behaviors.
Protecting Sensitive Information
Sensitive information comes in many forms, sometimes in ways employees may not even be aware of.
Let’s start with the obvious. Personally Identifiable Information (PII) is sensitive data about customers, partners, or employees that can be used to identify exactly who specific individuals are – and that could lead to identity theft or other problems. Data privacy is all over the news these days, and many more regulations about allowable use of PII are being enacted.
Training Tip #1
Use training to connect the value found in the PII your company handles to the tangible, real-world consequences the compromise of such data would create. For example, describe how the exposure of a customer’s (or coworker’s) tax information could ruin them financially by allowing a cybercriminal to steal their identity.
Social media is another channel through which sensitive information can be revealed – often unwittingly. Tagging or posting photos with co-workers, publicizing team projects and accomplishments, highlighting job promotions or life events—all of this can be pieced together by bad actors to inform phishing attacks.
Training Tip #2
Awareness training about safe social media use should present both the good and the bad, and employ real-life examples of the kinds of social posts that can get both individual employees and the whole company into hot water. Be clear about what’s OK and what’s not OK to share, and make sure employees understand the real-world consequences of violating your company’s social media policies.
Then there’s the cloud. Organizations use cloud-based systems and storage in many different ways. It’s important to have company guidelines on what kinds of information you place in the cloud and how and by whom it can be accessed.
Training Tip #3
Awareness program managers should use training to help employees differentiate between housing personal information in cloud storage and using cloud tools for work information.
Raising Threat Awareness
Cyber attackers regularly devise and deploy methods that make cyber threats truly hard to detect. Phishing emails (often carrying ransomware payloads) abound, often looking just like the real thing.
Training Tip #4
Leaders should consider using simulated phishing tools to teach employees how to read the signs that an unexpected email may be suspicious. Additionally, phishing-focused training should teach employees how to identify the ways that scammers attempt to steal information, and offer practical advice and training on avoiding phishing attempts on all kinds of devices.
Also, make clear that even seemingly minor anomalies in a computer’s behavior could be signs of malware infection. Include discrete steps to take if malware is suspected, and drive home the importance of regular software updates.
Reporting Cyber Threats
With virtually all employees being so busy these days, it’s easy to ignore a glitchy behavior that could indicate malware. Who has the time to deal with it?
Or, if an obvious cyber incident does occur, employees simply may not know what to do. But this should be no excuse to ignore the importance of sound incident reporting practices.
Training Tip #5
Awareness training managers should build real-life examples of reportable incidents into employee training, along with information about company policies on how to report cyber threats and who to report them to.
Working Remote, Safely
Many of today’s employees perform work from remote locations.
These include working while traveling, at home, or in public places like coffee shops. The convenience and productivity gains can be a boon, as long as connecting from outside the firewall is done cautiously.
Training Tip #6
In your cyber training program, describe the methods cybercriminals can use to intercept data shared across unsecured networks. Explain the importance of using your company’s VPN when working out of the office and of being very cautious about using any kind of public Wi-Fi. Teach them to use only Wi-Fi networks that offer password protection, and to always look for “https://” on websites to be sure they’re secure.
Maintaining Physical Security
Protecting the physical work environment is still a high priority! Describe what’s at stake in terms of both company and personnel well-being if an unauthorized person were given access to your work environment.
Training Tip #7
Teach employees to be on guard for suspicious actions wherever they encounter them. Emphasize the need to always independently verify that any attempts to get information or enter your workplace are legitimate before granting access.
Employee Behavior Shouldn’t Be Scary
It can be scary out there, but your employees’ actions and knowledge of security and privacy best practices should not be a source of terror. This Halloween, don’t leave your employees vulnerable to cyber zombies! Teach them to play it safe and avoid the graveyard.
The right approach to awareness training will go a long way toward helping them make smart and secure moves to protect themselves and your organization.
Learn how MediaPRO can take the scary out of establishing a risk-aware culture through a comprehensive awareness training program.