Liability to Asset: Employee IT Security Training

When it comes to cybersecurity, employee training is a step that many employers neglect or undervalue. Too many companies think that installing a suite of antivirus and anti-malware software is enough to protect them from malicious attackers, but in the world of phishing scams and social engineering attacks that just isn’t enough. An untrained team of employees can be the largest security loophole in your business if you don’t keep them trained.

If you do train them, your employees can become one more vigilant layer of defense against hackers—and an adaptable one at that. Consistently training your team about phishing and social engineering is the first step towards making security an integral part of your company culture.

So what are some common forms of social engineering that you can keep an eye out for? To begin with, there’s the classic phishing scam—posing as a trusted or trustable source to trick you into revealing your sensitive data—with its variations. There’s the standard phishing email, there’s voice phishing (phone scammers are rarer these days, but still be careful), and there’s spear phishing. The latter is a form of phishing that is explicitly targeted and uses additional information specific to that target, as opposed to the quantity over quality approach standard phishing utilizes. Spear phishing might reference a recent purchase of yours that was skimmed off the seller’s website, or might use information that is publicly accessible. The easiest way to deal with these kinds of attacks is to never click on unknown links in emails or messages, and to check the sender’s email address. If they’re really from a trusted source, then you should have previous emails to double-check. If there isn’t a match, report the suspicious content to your security or compliance officer.

It should be noted that these same rules and policies can also apply to texts, as some hackers impersonate managers or executives of a company in order to trick an employee. This can take the form of a text message claiming to be from your supervisor asking you to drop some files in a non-company dropbox, or click on a link to some service. If you have any doubt about the instructions given to you by a supervisor or colleague, follow up with that individual in person or via voice, for safety’s sake. This is especially true if any kind of money transfer or access request is involved.

Other forms of social engineering include things like tailgating, where an individual asks you to let them onto your company premises at the same time as you. This is generally relying on the social cues around professional behavior and general politeness; they’re hoping that you will give into your polite instinct to hold the door for a stranger. This will let them get on company premises, and from there they can learn more and cause more damage. This problem also has a really simple solution: have strict security that requires appropriate credentials and authorization to enter. For extra safety, apply differing levels of authorization to different areas of the business—like the server room, for example. General security and strict policy should prevent this kind of social engineering entirely.

The most efficient way for a business to take their first steps towards a robust and reliable cybersecurity initiative is to talk to an IT or security company. Our job is to help you analyze your risks, identify what information might be targeted, and educate your team on safety. Book an introductory call to get started.