Some time ago, I was expecting a delivery. I got an email from UPS, opened it, clicked, and then realized the email was not, in fact, from UPS.
It was a phishing email, a test from our IT security team at SecurityScorecard, and I’d failed it.
Why am I telling you this? Because anyone — even the chief technical officer of a security-focused company — can fall for a social engineering attack. That’s why phishing tests are so important; they’re drills for real-life attacks and an important tool for training your employees.
Employees Are Hackable
Humans will always be the weak spot in your organization’s cybersecurity strategy. It doesn’t matter what software you invest in and what controls you put in place: If someone clicks a link or falls victim to a social engineering scam, your company’s networks and data will be at risk.
Too many people and companies practice poor cyber hygiene. They’re not aware of the threats in their inboxes, how easy it is to expose their data to bad actors, or how just one click can put an entire company at risk.
Fortunately, there’s plenty you can do to educate your employees about cyber hygiene. Here are some best practices to keep your employees’ — and your company’s — data safe:
1. Know What Your Employees Are Sharing
One thing I see quite often is employees oversharing online. Take LinkedIn, for example. Many professionals keep their LinkedIn profiles up to date. That might be helpful for their careers, but it’s unfortunately also helpful for criminals, who will search through a company’s employees’ LinkedIn profiles for valuable information. They might see accounting personnel talking about the systems they use or engineers discussing the languages they write in.
Why might this be disastrous for a company? Imagine the CFO’s executive assistant lists all the technologies they are proficient in on LinkedIn. A smart attacker can use that information to perform a spear-phishing attack. They might pretend to be a coworker in an attempt to gain the employee’s password, or hackers might try to get the employee to open an attachment containing malware designed to exploit the software they know the company is using. This level of insight into an organization’s operations wouldn’t be possible in a world where people didn’t overshare on social media.
2. Provide Training
When it comes to cybersecurity, some of the most damaging human errors stem from a simple lack of education about good cyber hygiene. A good training program will help your employees determine what information they should not share online, and it will help every employee improve their overall cyber hygiene. In this day and age, that’s a crucial life skill to have.
There are several well-designed security awareness training programs that every company should go through. You’ll want to look for a program that’s useful, engaging (you don’t want your employees tuning out during a module), and relevant to your industry’s standards and practices. Need recommendations? Pluralsight, Cybrary, and the SANS Institute all offer solid security training that will be helpful for your staff.
3. Realize That Occasional Education Is Not Enough
It’s not enough to train your staff only once, offer intermittent cybersecurity programs, or observe National Cybersecurity Awareness Month and ignore security for the rest of the year. Security should be a core value at your organization. It needs to happen year-round, and there needs to be an active component.
Take, for example, the phishing test I mentioned at the beginning of this article. At SecurityScorecard, our internal security team regularly conducts these exercises to see who falls for different types of phishing attacks. The names of those who do are posted on an internal leaderboard, but your company might choose to have a manager speak to those who click links or send those employees back to training.
The measures you’ll take depend on your company culture, but keep this in mind: The goal of these exercises isn’t necessarily to “catch” people, but to remind your employees that social engineering scams are always happening and that they shouldn’t rely on their spam filters to catch every malicious email.
4. Know That IT Is Your Partner
How can HR handle both education and internal security exercises? Put simply, you can’t — at least not all by yourself. Just as cybersecurity is the job of everyone in an organization, cyber hygiene awareness should be a collaborative effort between HR and a company’s internal security team.
It’s the job of the security team to ensure that the right level of security awareness education is in place at the organization. Meanwhile, it’s HR’s job to provide training on an ongoing basis and ensure that it’s being completed by all employees. It’s also the job of the internal security team to make sure the right processes and procedures are in place to help mitigate the impacts of any breaches that do occur.
Communication between HR and a company’s IT organization shouldn’t be limited to training. In fact, the lines of communication should always be open. When an employee leaves a company, for example, IT needs to know immediately so that person’s access to various company systems can be deprovisioned. The last thing your company needs is to have former employees with active logins to critical systems and networks — especially if that person didn’t leave the company on good terms.
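One way to keep that HR-to-IT handoff honest is to check it mechanically: compare the HR roster, which records each person's termination date, against the account export of a critical system and flag any enabled account that belongs to someone who has already left. The script below is an added example, not code from the original article or from SecurityScorecard. The roster and account records are constructed sample data, the field names are assumptions about what an HR export and a system's account list might contain, and the one-day grace window is a hypothetical policy value.

```python
"""
Added example (not part of the original article): an offboarding
reconciliation check. It compares a constructed HR roster against a
constructed account export from a critical system and reports enabled
accounts that should already have been deprovisioned, plus enabled
accounts that have no roster entry at all (orphaned or service accounts
that need a confirmed owner).
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: termination_date is None for current employees.
HR_ROSTER = [
    {"employee_id": "E100", "email": "a.rivera@example.com", "termination_date": None},
    {"employee_id": "E101", "email": "b.chen@example.com", "termination_date": "2024-03-15"},
    {"employee_id": "E102", "email": "c.okafor@example.com", "termination_date": "2024-04-01"},
    {"employee_id": "E103", "email": "d.novak@example.com", "termination_date": None},
]

# Constructed account export from a critical system (VPN, payroll, etc.).
SYSTEM_ACCOUNTS = [
    {"username": "a.rivera@example.com", "enabled": True, "last_login": "2024-04-09"},
    {"username": "b.chen@example.com", "enabled": True, "last_login": "2024-03-20"},   # left 3/15, still enabled
    {"username": "c.okafor@example.com", "enabled": False, "last_login": "2024-03-30"},  # correctly disabled
    {"username": "svc-backup@example.com", "enabled": True, "last_login": "2024-04-08"},  # no roster entry
]

GRACE_DAYS = 1  # hypothetical policy: access must be removed within one day of departure


@dataclass(frozen=True)
class Finding:
    username: str
    severity: str
    reason: str


def _parse(iso_or_none):
    """Parse an ISO date string from an export; None stays None."""
    return date.fromisoformat(iso_or_none) if iso_or_none else None


def find_stale_access(roster, accounts, as_of_iso):
    """Return Findings for enabled accounts that no longer map to a current employee."""
    as_of = date.fromisoformat(as_of_iso)
    departed = {}   # email -> termination date, for people who have left as of as_of
    current = set()  # emails of people still employed as of as_of
    for person in roster:
        term = _parse(person["termination_date"])
        if term is not None and term <= as_of:
            departed[person["email"]] = term
        else:
            current.add(person["email"])

    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned; nothing to report
        name = acct["username"]
        if name in departed:
            term = departed[name]
            days_since = (as_of - term).days
            last_login = _parse(acct["last_login"])
            if last_login is not None and last_login > term:
                # Worst case: the account was actually used after the person left.
                sev, why = "high", f"login seen on {last_login} after termination on {term}"
            elif days_since > GRACE_DAYS:
                sev, why = "high", f"still enabled {days_since} day(s) after termination on {term}"
            else:
                sev, why = "medium", f"termination on {term} is within the {GRACE_DAYS}-day grace window"
            findings.append(Finding(name, sev, why))
        elif name not in current:
            findings.append(Finding(
                name, "medium",
                "enabled account has no roster entry; confirm it is an owned service account",
            ))
    return findings


def main():
    for f in find_stale_access(HR_ROSTER, SYSTEM_ACCOUNTS, "2024-04-10"):
        print(f"[{f.severity.upper()}] {f.username}: {f.reason}")


if __name__ == "__main__":
    main()
```

Run against the sample data as of 2024-04-10, the check flags b.chen (enabled and logged in after the termination date) and the unowned svc-backup account, and stays quiet about c.okafor, whose account was disabled on time. Running it on a schedule, with the real roster and account exports substituted for the constructed ones, turns "IT needs to know immediately" from a hope into a daily report.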
Focus on Cybersecurity Essentials
It’s important to understand that you can’t completely eliminate cyber risk in your organization. Getting rid of risk is impossible, but you can manage it.
The best way to manage risk is to make sure your organization is doing the basics: identify the assets your company needs to protect, make sure your systems are patched and up to date, keep critical data separate from other systems, and implement basic protections like two-factor authentication. That way, if an attacker does get someone to click on a link or manages to get ahold of someone’s credentials, you minimize the potential impact.
There will be times when your employees fall for social engineering scams, even if they know better. It’s your job as a company to make sure that when they do click a link, the impact of that mistake is limited.
Glen Pendley is CTO at SecurityScorecard.