According to Monster.com, 96% of workers will be voluntarily seeking new employment in 2023. At the same time, the tech industry is dealing with a wave of layoffs, leaving the employees who remain to pick up the slack. All of this poses a massive cybersecurity challenge for companies that are scrambling to train new employees and keep current team members engaged when they may be overworked and checked out. A small mistake, such as clicking on an attachment in a phishing email or reusing login credentials that have already been compromised, can result in a cyberattack costing a business millions of dollars.
While people are the number one source of cybersecurity problems, they can also be the most essential part of the solution. Here are the five most important ways to upskill your team to keep the entire organization cyber-safe.
1. Tackle social engineering head-on
Phishing attacks increased by 61% in 2022, and according to the US Federal Bureau of Investigation, they will continue to increase by as much as 400% year-over-year. Companies typically conduct penetration tests to discover vulnerabilities in their networks and to see how well employees fare against a typical social engineering attack. These assessments provide invaluable data and are an important part of enterprise security, but statistics alone are not enough. Security professionals need a plan in place to take that data, identify potentially vulnerable employees, and create lasting behavior change.
First, handle your most at-risk employees. Cybercriminals know that companies use software that blocks the majority of malicious emails, so they're getting creative. Instead of sending a phishing attempt to a large group of employees, they'll target a handful, making it much easier to bypass email security systems and reach a potential victim. With phishing simulation testing and reporting in place, you'll know quickly which members of your team are the most susceptible to those attacks.
But what next? Quick intervention and targeted training are key here. We know that annual or even biannual training is simply not enough and is not always effective; employees quickly forget what they've learned. On the other hand, if an employee fails a phishing simulation test and is immediately given constructive training, they're much more likely to understand the problem, retain the information, and change their behavior in the future. If you don't intervene and provide targeted training, chances are they'll click on a suspicious link again.
Second, make sure every member of your team knows what to do after they receive a social engineering email. Many employees can spot suspicious communications, but what do they do next? Do they let the email sit in their inbox? Do they simply click delete without notifying you? If they do take action, how quickly do they notify you? A 2022 Global Cybersecurity Awareness Training Study of 1900+ CISOs, security leaders, and IT professionals found that just 42% of participants reported involving their employees in security detection through measures such as a Phishing Incident Button.
Make sure every employee has an easy and effective way to notify the security team about a potential breach. Establish an open-door policy with your security department so that the team feels comfortable reaching out with concerns, even if they turn out to be nothing. It’s better to be over-vigilant than miss the warning signs of a real attack.
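The two measurements this section calls for, which employees keep clicking and how quickly the rest report, can be pulled straight out of phishing-simulation results. The script below is an added example and not part of the original article; the event log, the user names, the campaign ids and the thresholds are all constructed for illustration. It flags repeat clickers for immediate targeted training and separately lists the people who either ignore simulated phish or take longer than an hour to report them.

```python
"""Triage phishing-simulation results: who needs targeted training, and
who reports suspicious mail promptly. Added example with constructed data."""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median

# Constructed simulation log: "timestamp,user,campaign,action" per line.
# A user does at most one of "clicked" / "reported" per campaign.
SIMULATION_LOG = """\
2023-03-01T09:00:00,alice,camp-1,sent
2023-03-01T09:04:12,alice,camp-1,reported
2023-03-01T09:00:00,bob,camp-1,sent
2023-03-01T09:15:30,bob,camp-1,clicked
2023-03-01T09:00:00,carol,camp-1,sent
2023-04-01T09:00:00,alice,camp-2,sent
2023-04-01T09:02:40,alice,camp-2,reported
2023-04-01T09:00:00,bob,camp-2,sent
2023-04-01T09:20:05,bob,camp-2,clicked
2023-04-01T09:00:00,carol,camp-2,sent
2023-04-01T11:30:00,carol,camp-2,reported
"""


@dataclass
class UserStats:
    sent: int = 0
    clicked: int = 0
    reported: int = 0
    report_delays_s: list = field(default_factory=list)  # send -> report, seconds

    @property
    def ignored(self) -> int:
        # Simulated phish that were neither clicked nor reported ("let it sit").
        return self.sent - self.clicked - self.reported

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0


def parse_log(text: str) -> dict:
    """Aggregate per-user counts and report delays from the simulation log."""
    stats, sent_at = {}, {}
    for line in text.strip().splitlines():
        ts_str, user, campaign, action = line.split(",")
        ts = datetime.fromisoformat(ts_str)
        s = stats.setdefault(user, UserStats())
        if action == "sent":
            s.sent += 1
            sent_at[(user, campaign)] = ts
        elif action == "clicked":
            s.clicked += 1
        elif action == "reported":
            s.reported += 1
            s.report_delays_s.append((ts - sent_at[(user, campaign)]).total_seconds())
        else:
            raise ValueError(f"unknown action {action!r} in {line!r}")
    return stats


def needs_targeted_training(stats: dict, max_click_rate=0.5, min_campaigns=2) -> list:
    """Users who clicked in at least max_click_rate of their campaigns."""
    return sorted(u for u, s in stats.items()
                  if s.sent >= min_campaigns and s.click_rate >= max_click_rate)


def median_report_delay_s(stats: dict, user: str):
    """Median seconds from delivery to report, or None if the user never reported."""
    delays = stats[user].report_delays_s
    return median(delays) if delays else None


def slow_or_silent(stats: dict, max_delay_s=3600) -> list:
    """Users who ignore simulated phish or report it slower than max_delay_s."""
    out = []
    for user, s in sorted(stats.items()):
        med = median_report_delay_s(stats, user)
        if s.ignored > 0 or (med is not None and med > max_delay_s):
            out.append(user)
    return out


if __name__ == "__main__":
    stats = parse_log(SIMULATION_LOG)
    print("targeted training:", needs_targeted_training(stats))
    print("slow or silent reporters:", slow_or_silent(stats))
    for user in sorted(stats):
        print(user, stats[user], "median report delay:", median_report_delay_s(stats, user))
```

On the constructed log, bob clicked in both campaigns and is queued for immediate training, while carol never clicked but let one email sit and took two and a half hours to report the other, which is the reporting gap the survey figure above describes.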
2. Create a personal device policy
A lot of people got into a bad habit during the pandemic: using their corporate devices for personal business and their personal devices for work. This opened the door to phishing, malware and a host of other cyberattacks.
Start rethinking how your applications are accessed from insecure home networks, and develop sound policies for employee access to company accounts on personal devices. This is especially important if you’re planning a hybrid workplace where employees will still work remotely part time.
If employees did download corporate data to their home computers, it should be removed immediately. Also review new email, system and vendor accounts that were set up remotely to make sure they are sufficiently secure.
3. Adopt stronger password guidelines
Easy-to-guess passwords are one of the top causes of credential-based attacks such as account takeover. Establish a policy that requires employees to choose passwords of at least 16 characters with a combination of upper- and lower-case letters and special characters, and educate them on the consequences of password reuse.
Even though it's a well-known problem, password reuse remains far too common. Encouraging unique passwords for every account is the job of corporate security teams, but only users themselves can ensure that's the case. Consider offering password managers as an employee benefit and encourage their use across work and personal accounts.
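A password policy is only useful if it is enforced at the point where the password is set, and the reuse problem is best caught by checking a candidate against a corpus of passwords already exposed in breaches. The checker below is an added example, not code from the article: it applies the 16-character, mixed-case, special-character rules stated above and then performs a k-anonymity style lookup, sending only the first five hex characters of the candidate's SHA-1 and matching the remainder locally, so the password itself never leaves the client. The breach corpus here is a constructed two-entry stand-in; a real deployment would query an actual breached-password range service.

```python
"""Password-policy and breached-password check. Added example; the breach
corpus below is constructed, not a real dataset."""
import hashlib
import re

MIN_LENGTH = 16  # the floor recommended in the article

# Constructed stand-in for a breached-password corpus, indexed the way a
# k-anonymity range service would serve it: SHA-1 prefix -> set of suffixes.
_CONSTRUCTED_BREACHED = ["Password123!Password123!", "Summer2023!!Summer2023!!"]
BREACHED_RANGES = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def policy_violations(password: str) -> list:
    """Return the policy rules the candidate fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def local_range_lookup(prefix: str) -> set:
    """Stand-in for the network call: suffixes whose SHA-1 starts with prefix."""
    return BREACHED_RANGES.get(prefix, set())


def is_compromised(password: str, lookup=local_range_lookup) -> bool:
    """k-anonymity check: only the 5-char hash prefix is sent to the lookup."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in lookup(prefix)


def check_password(password: str, lookup=local_range_lookup) -> list:
    """All reasons to reject the candidate; an empty list means accept."""
    problems = policy_violations(password)
    if is_compromised(password, lookup):
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["tooshort1A!", "Password123!Password123!", "Constructed-Unique-Pass-2023"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The second sample candidate passes every composition rule and is still rejected, which is the point: length and character classes say nothing about whether a password has already leaked, so both checks belong in the policy.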
Requiring two-factor authentication (2FA) is also a good idea: users must present multiple, distinct pieces of evidence (credentials plus a physical device or an authenticator code, for example) in order to log into an account. 2FA will act as a deterrent to some forms of cybercrime.
4. Stress the importance of tracking your digital footprint
An increasing number of cyber threats begin with someone following a victim's social media accounts. You've probably seen at least one Facebook post from a friend saying that someone hacked their profile. Most people are unaware of their digital footprint, which includes everything from the websites they frequent to what they shop for online.
Our digital footprints can build a picture of who we are, what we like, and even where we live, all things that cybercriminals can later use to engineer an attack. Stress to your employees the importance of being aware of the information they share online. A quick review of their digital footprint could protect them from getting hacked and thus keep your business secure.
5. Implement tailored and consistent training
Cybercriminals exploit weaknesses in human behavior, from password laziness to innocent-looking emails, to execute their attacks. Create a continuous education and training program that helps your employees understand, recognize and respond appropriately to threats. Make it clear that these are practices they can use not only to keep corporate accounts safe but to protect their own personal accounts as well.
The turbulent job market will most likely not ebb any time soon, but it doesn’t need to impact the quality of enterprise cybersecurity. Security professionals should be proactive by consistently educating employees on the latest threats and arming them with the skills to protect both themselves and their employers.