How To Train Your Staff In Cybersecurity Awareness
Your staff is your first line of defence against cybercrime. A lack of cybersecurity awareness is reported to be at the root of over 90% of successful cyberattacks.
Blaming individuals for a data breach is not a solution. The onus is on firms to ensure their workforces are aware of the threats to cybersecurity and what actions they must take to identify, prevent and report threats.
Cybersecurity awareness should be a priority. If people understand the threat that malicious actors pose to the future of the business, they are more likely to stay vigilant.
It is also worth pointing out that, by one widely quoted estimate, around 60% of small businesses that suffer a data breach go out of business within six months.
Despite the risk to their own livelihood and income, you may still experience pushback from certain employees.
To counter this, frame cybersecurity awareness training as something that protects the individual as well as the business. Attackers do not discriminate between business and personal email accounts.
It is estimated that 95% of malicious attacks start with an email, and that an attack occurs every 39 seconds. If your staff use personal devices to access your business network, or their own online banking, they will want to know how to prevent a breach.
Inform Employees How Cyberattacks Can Occur
For employees to be aware of cyber threats, they need to know where to be most vigilant. Cybercrime can arrive through any of the following channels:
- Lost or stolen devices
- Phishing and spear phishing
- Malware
- Zero-day exploits
- Brute force attacks (weak credentials)
- Macro attacks (malicious macros in Office documents)
- Unpatched apps, plugins and operating systems
- Accidental insider
- Malicious insider
- SQL injection
- DoS attacks
- IoT attacks
- Intercepted texts/emails
Provide Cybersecurity Awareness Updates
The threat presented by hackers is constant. The tools and techniques deployed by threat actors continue to evolve – which means vulnerabilities in your business could be exploited at any time.
If cybercriminals are consistently developing new ways to breach cyber defences, cybersecurity awareness also has to be an ongoing conversation.
For example, in February this year, Microsoft reported that attackers were dropping malware-laden documents into Teams chats. Because the attachments appear to come from a trusted party, employees are more likely to open them, infecting their computer and giving the attacker a foothold to do further harm.
We also recommend weekly updates, even when the update is simply that there are no new threats to look out for. When attackers change tactics and new threats arise, your staff should be informed and, where necessary, trained to recognise the latest technique.
Train Employees How to Identify Threat Actors
The ability to identify potentially dangerous emails is the most important aspect of cybersecurity awareness training. This part of the programme will mostly centre on identifying spoofed emails.
Spoofing is a common technique used in phishing attacks: emails are designed to appear to come from a trusted party such as a client, supplier, bank or energy company.
Malicious actors have become very skilled at disguising emails so that they appear to come from an authentic address, reusing the wording, company logo and graphics that the genuine company uses in its emails.
However, a spoofed email is rarely perfect. Your employees need to know which indicators to look for so that spoofed emails fail.
1. Check the email address
The biggest giveaway in a spoofed email is the sender address. It will be subtly altered: a letter swapped for a look-alike digit, two letters transposed or doubled, an extra word or hyphen added, the real company name used as a subdomain of an unrelated domain, or a different top-level domain. At the very least the address should raise suspicion.
The exact tricks vary; the point is that the address is manipulated in an attempt to escape notice, and that the friendly display name shown by the mail client cannot be trusted on its own. Check the actual address, and check where replies would go.
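The address checks described above, written out as code. This is an added example and not part of the original article or of any Micro Pro tooling; the trusted-domain list, the look-alike character table and the sample headers are constructed for illustration, and the heuristics are deliberately simple (they will produce false positives on legitimate domains that happen to contain digits).

```python
"""Added example (not from the original article): flag a sender address
that imitates a trusted domain. The trusted domains, look-alike table and
sample headers below are constructed for illustration."""
from email.utils import parseaddr

# Assumption: domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"micro-pro.co.uk", "hmrc.gov.uk", "barclays.co.uk"}

# Characters that read like a letter at a glance, and digraphs that render
# almost identically in proportional fonts ("rn" vs "m", "vv" vs "w").
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
LOOKALIKE_PAIRS = (("rn", "m"), ("vv", "w"))


def fold_lookalikes(domain: str) -> str:
    """Map a domain to the spelling the attacker wants the reader to see."""
    folded = domain.lower().translate(LOOKALIKE_CHARS)
    for pair, letter in LOOKALIKE_PAIRS:
        folded = folded.replace(pair, letter)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance; 1 or 2 means a one-typo lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return human-readable warnings for one From: header (empty list = no concerns)."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return ["no usable sender address"]
    warnings = []
    if domain not in TRUSTED_DOMAINS:
        # Cyrillic or other non-Latin letters that look like Latin ones (homoglyphs)
        if any(ord(ch) > 127 for ch in domain):
            warnings.append(f"'{domain}' contains non-ASCII characters (possible homoglyph attack)")
        folded = fold_lookalikes(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            brand = trusted.split(".")[0]
            if folded == fold_lookalikes(trusted):
                warnings.append(f"'{domain}' is a character-substitution lookalike of {trusted}")
            elif edit_distance(folded, trusted) <= 2:
                warnings.append(f"'{domain}' is within two edits of {trusted}")
            elif brand in folded:
                # e.g. hmrc.gov.uk.secure-refund.example or hmrc-gov-refund.example
                warnings.append(f"'{domain}' contains the brand '{brand}' but is not {trusted}")
            # A display name that invokes a trusted brand while the address does not
            if brand in display.lower().replace(" ", "-"):
                warnings.append(f"display name '{display}' suggests {trusted} but the address is @{domain}")
    # Replies silently redirected to a different domain are a classic tell
    reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        warnings.append(f"Reply-To goes to '{reply_domain}', not the visible sender domain '{domain}'")
    return warnings


if __name__ == "__main__":
    # Constructed headers, not real mail.
    for header in ("Micro Pro Support <support@rnicro-pro.co.uk>",
                   "HMRC Refunds <noreply@hmrc-gov-refund.example>",
                   "HMRC <refunds@hmrc.gov.uk>"):
        print(header, "->", analyse_sender(header) or "looks fine")
```

In a real deployment the trusted list would come from your address book or supplier records, and the same checks belong in a mail gateway rule as well as in the training material; the point for staff is that each warning here corresponds to something they can see by looking at the full address rather than the display name.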
2. Check links and attachments
Investigating links and attachments is a critical piece of your cybersecurity awareness training programme. The text you see for a link is not necessarily where it goes: the visible text can show one address while the underlying link points somewhere else entirely, which is also how such links slip past a casual reader. Hovering the mouse pointer over a link, without clicking, reveals the real destination, and most mail clients will show an attachment's full file name the same way.
It is important not to click links or open attachments until this check has been done. A malicious link is usually disguised behind text that looks authentic, but when you hover over it the destination domain does not match the business name of the sender.
Attachments are usually given friendly names or a label that makes them appear important or enticing. Look at the real extension rather than the name: a file that claims to be a document but ends in .exe, .scr, .js or .hta, a double extension such as .pdf.exe, or a macro-enabled Office file (.docm, .xlsm) from an unexpected sender are all warning signs, as is a name padded with a string of numbers and symbols, for example:
PerformanceAnalytic$78209&20%097^3#
Again, not a precise name, but you get the point.
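The hover check and the attachment-name check above, applied programmatically to a whole message. This is an added example, not code from the article; the sample email, the list of risky extensions and the domain names in it are constructed for illustration (the standard-library `email` and `html.parser` modules do the parsing).

```python
"""Added example (not from the original article): compare the visible text
of each link with its real destination, and check attachment names for
extensions that execute or carry macros. The sample message is constructed."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists: extensions that run code or carry macros, and extensions an
# attacker hides one of the former behind ("Invoice.pdf.exe").
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "iso", "docm", "xlsm", "html"}
DOCUMENT_LOOKING = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


class AnchorCollector(HTMLParser):
    """Pairs each <a href=...> with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, visible_text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Host named by a URL or bare domain, lower-cased; '' if there is none."""
    candidate = text if "://" in text else "https://" + text
    return (urlparse(candidate).hostname or "").lower()


def check_link(href: str, visible: str) -> str:
    """Describe why a link is suspicious, or return '' if nothing stands out."""
    target = host_of(href)
    if not target:
        return ""                                   # mailto:, relative links: out of scope here
    if target.replace(".", "").isdigit():
        return f"link goes to a bare IP address '{target}'"
    if any(label.startswith("xn--") for label in target.split(".")):
        return f"link goes to an internationalised (punycode) host '{target}'"
    # Only compare hosts when the visible text itself looks like an address
    shown = host_of(visible) if ("." in visible and " " not in visible) else ""
    if shown and shown != target and not target.endswith("." + shown):
        return f"link text shows '{shown}' but the link goes to '{target}'"
    return ""


def check_attachment(filename: str) -> str:
    """Flag executable/macro extensions, noting when a document-like name hides them."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in RISKY_EXTENSIONS:
        return ""
    tell = f"'{filename}' has executable or macro extension .{parts[-1]}"
    if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKING:
        tell += f" hidden behind a .{parts[-2]} name"
    return tell


def scan_message(raw: bytes) -> list[str]:
    """Run both checks over every MIME part of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            warnings.extend(w for w in [check_attachment(filename)] if w)
        elif part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            warnings.extend(w for w in (check_link(h, t) for h, t in collector.links) if w)
    return warnings


# Constructed phishing-style message (not a real email).
SAMPLE_EMAIL = b"""\
From: Accounts <accounts@supplier.example>
To: finance@micro-pro.co.uk
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Please settle via <a href="http://secure-login-verify.example/pay">https://www.barclays.co.uk/secure</a>
or <a href="https://www.barclays.co.uk/help">click here</a> for help.</p>
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_Q3.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--BOUNDARY
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Content-Disposition: attachment; filename="Agenda.docx"
Content-Transfer-Encoding: base64

UEs=
--BOUNDARY--
"""

if __name__ == "__main__":
    for warning in scan_message(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

The first link in the sample is exactly what the hover check catches: the text reads as the bank's own site while the target is an unrelated host. The second link is fine because "click here" makes no claim about where it goes, which is why the code only compares hosts when the visible text itself looks like an address. The `.pdf.exe` attachment is flagged; the `.docx` is not, though a `.docm` from an unexpected sender would be.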
3. Be aware of messages that convey a sense of urgency
You can sometimes detect a malicious email by its wording. Less skilled attackers send emails with spelling or grammar mistakes, or that are simply poorly worded.
Emails that open with 'Dear Customer' are also a red flag. A typical tactic is to create a sense of urgency or panic, especially when the spoofed email claims to come from a government agency or financial institution.
Raise The Importance of Secure Passwords and MFA
Weak passwords are easily cracked with software that guesses candidates by trial and error, trying millions of combinations per second against a stolen password database or, more slowly, against the login page itself. Even a strong password can be phished or reused, so multi-factor authentication (MFA) should be enabled wherever it is offered.
Strong passwords should include:
- At least 8 characters, and preferably longer; length is the single biggest factor
- A mix of upper and lower case letters, numbers and symbols
- Nothing that can be derived from your public data, such as the names of your partner, children or pets
- No common words or phrases
- Change a password promptly whenever you suspect it has been exposed, rather than on a fixed monthly schedule, which tends to produce predictable variations of the old one
- A different password for every account
Ideally, a password should be a phrase that is personal to the individual. Phrases you make up yourself are best; avoid clichés. Replacing letters with numbers adds a little, but password crackers try those substitutions automatically, so the length and the unusual phrase are what really matter.
A few examples built this way (far harder to guess than a single word, though not unbreakable):
- #My5up3rrank1ng5 (#my super rankings)
- 5l1pp3r5ar3w311c0mfy (slippers are well comfy)
- 1l0v3h0bn0b5! (I love hobnobs)
You get the point.
Show Cybersecurity Awareness Use Cases
There is no shortage of real-world cybersecurity awareness content on the internet that you can use as case examples. You probably even have phishing attempts that have arrived in your business and personal email accounts that you can use.
If you’re not confident about creating and delivering cybersecurity awareness training to your staff, get in touch with the experts at Micro Pro. We ensure that nothing gets left out.