Cyber criminals have access to sophisticated technologies these days, yet some of the most successful tried-and-true social engineering tactics continue to bypass technical security layers -- targeting the humans behind the technology.
Companies need to be proactive when it comes to teaching employees the behaviors they need to be a strong layer of defense, especially now with the proliferation of remote work. Individual responsibility for security is more important than ever.
So how do you defend your post-COVID hybrid workforce from unintentional clicks, mistakes, and errors in judgment? The answer is to create a culture of security.
The way you do that is to help people understand the risks they face every day, teach them how to recognize and respond to potential attacks, and nurture their sense of responsibility through enforcement and accountability.
Getting everyone in a security mindset is all about your company's methods, attitude, and ongoing approach with cyber security awareness training. One seminar just won't do it. Training needs to be continuous.
You can get started by diving into some best practices.
- Use Stories: Real-World Examples of Employee-Targeted Hacking
- The Forgetting Curve: Teaching Cyber Security Over Time to Retain Knowledge
- Interactive Cyber Security Training
- Walk Through the Ultimate Password Creation Process
- Run Cyber Security Drills for the Whole Workforce
- Get Company Leaders Involved Publicly
- Make Cyber Security an Ongoing Priority
Use Stories: Real-World Examples of Employee-Targeted Hacking
The first step is to help your team personally care about cyber security -- the best way to do that is to share stories of real cyber attacks. Because stories activate empathy in the listener's brain, they make the message more understandable and memorable. Through stories, employees will better understand what's at stake when it comes to defending company data and network integrity.
Take a page from the media and find a few hacker stories with a human-interest angle.
- Tell the tale of a hotel front desk clerk who was "vished" (phishing scam over the phone) into opening malicious information that supposedly verified a guest's booking.
- Tell of the convenience store clerk who missed their card reader keypad being swapped for a hacked device face.
- Paint a word picture of the professional roped in by the latest wave of COVID aid-themed phishing schemes.
Make it real by putting people into the roles instead of "hackers" and "companies." This will show how every day, an employee is the first line of defense against the bombardment of hacking and phishing attempts.
Regularly Share News Reports of Recent Hacks
As you continue promoting cyber security awareness, bring back the human interest on a regular basis. Stay up on hacked business news reports and when you find a story, share it with your team. Share the red flags. Share how it happened.
Remind everyone that employees are being targeted every day -- but they don't have to be among those who fall victim to the phish.
The Forgetting Curve: Teaching Cyber Security Over Time to Retain Knowledge
Have you ever noticed how cyber security training often goes in one ear and out the other? It's not because your workforce isn't paying attention. It's a scientific factor that many on-the-job training methods completely disregard. It's referred to as -- The Forgetting Curve.
Source: eLearning Industry
Discovered by Herman Ebbinghaus in the 1800s, the curve has been respected for two centuries. And it stands the test of time, as the research was reproduced again in 2015.
The forgetting curve reveals the limits to how much material a person can retain. Fill someone's head with all the information they need on day one, and they will remember half or less in two days.
The correct method to nurture long-term learning is to review several times and add new information with each review. The reviews re-establish the connection to the original learning and help turn that information from short-term into long-term memories.
Hold weekly or monthly online classes and practice activities, instead of one or two days of one-time seminar training. With many team members at home post-COVID, regularly reviewing the subject through virtual lessons will keep the information fresh. Over time, as training and activity sessions continue, more will be remembered and become second nature.
Interactive Cyber Security Training
Learning is enhanced when employees are engaged, so make cyber security training interactive. Not everyone learns best by sitting and listening or reading the material. Many people need to handle the information, putting it to use and processing the steps with their own mind before they really learn it.
KnowBe4 is well-known for its virtual cyber security awareness lessons and simulated phishing practice to fight social engineering tricks. This training allows your team to practice identifying phishing emails and suspicious signs of lurking malware.
Training doesn't stop at identification but includes teaching employees how to respond so that they'll know whether they need to just forward a suspicious email to IT or shut down their workstation and call the IT department right away.
Use Micro-Learning for Cyber Security Refreshers
To avoid the forgetting curve, don't forget micro-learning. Think of micro-learning as very small slices of training that can be accessed whenever they are needed. This is especially useful for remote team members self-managing most of the time. Make micro-learning available (sometimes even mandatory) for your team and they can refresh their knowledge at any time.
Start with micro-learning lessons on recognizing the signs of a phishing email, or the correct procedure to report an attempted hack, so that employees don't have to rely on their memories alone to respond correctly in the event of a cyber incident.
Walk Through the Ultimate Password Creation Process
Next, help your team master password security. Passwords are critical for a remote and hybrid team in the post-COVID workforce because every account and device that employees log into can be a door for a cyber criminal to sneak through.
Strong passwords are tough to make and remember for most people because they don't know the trick. A secure password, by default, is hard to remember as a random string of letters, numbers, and symbols, unless you use a funny memory trick to remember the password. It's important that the memory cue be funny (we remember humor better than facts), and it can make entering your password fun.
Teach employees how to turn a funny acronym into a strong password. Write a sentence that makes you laugh. Here's an example.
Example Phrase: "No one knows this password but me and my pet turtle"
Pretty secure, right? If the phrase makes you laugh a little each time you type the password, all the easier to remember it.
For people who need a unique password for every login, password managers are a helpful tool. A password manager can solve the problem of one stolen password opening many accounts.
Use Multi-Factor Authentication to Increase Security
Multi-factor authentication (MFA) is really a must-have in today's world when hackers have so many ways to crack passwords. They work by sending a code to a phone number or authentication app that is then typed into the account.
Biometrics like fingerprints and eye scans are increasingly being used because they are unique to every individual. There are also creative and memory passwords like drawing a picture in a dot matrix or selecting the right sequence of photographs.
- Multi-Factor Authentication (MFA) Options for Businesses: What They Do, How They Work, and How Much They Cost
- Top 5 Places Businesses Should Use Multi-Factor Authentication
Run Cyber Security Drills for the Whole Workforce
Nothing is better than cyber security drills to keep your team on their toes. Security drills are fun for the whole company because you can ask your IT staff to play the "hackers" and then challenge your workforce to catch the hacks.
The way cyber security drills work is to spoof various types of phishing and malicious programs to see if your employees catch the dud before it "infects" their computer which in this case is sending a report back to IT. At first, your team may need a little brushing up but with practice, you may have an entire on-site and remote workforce of professionals who become great at spotting a hack before the infection occurs.
Celebrate Detected Cyber Security Drills
When someone succeeds at spotting, stopping, and reporting a phishing email or similar spoof attack, congratulate them publicly. Send everyone a gift card or host a video pizza party. Post their response on the message board and spotlight the success for others to follow.
If a spoof attack gets through, spotlight the attack but leave the employee who "got hacked" out of the spotlight to keep it a learning opportunity instead of a shaming situation.
Done correctly, cyber security drills can keep your team on their toes and become a workplace favorite activity that everyone can support. Then when a real hacker stumbles into the inbox of your elite trained staff, they won't stand a chance.
Get Company Leaders Involved Publicly
If any cyber security awareness initiative is to be effective, leadership needs to get involved. Employees mimic the priorities of their boss, who mimics their boss, who mimics their boss. This means that if upper management isn't in on the cyber security efforts, then the entire company will fail to take it seriously.
Another reason to get executives involved is that they're targets too. Spear phishing and whaling are known hacker strategies directed at execs. Have your leadership team take part in cyber security training with the rest of the company. If one of your C-suite either misses or catches a spoofed attack, spotlight it so the entire team can see that even the execs are getting the same training that they are.
Make Cyber Security an Ongoing Priority
If your cyber security initiative fades in the workplace, then your team will default back to your normal company priorities. This is a natural form of workplace adaptation - to value what the company culture values and mirror what the bosses do. So if it becomes apparent that your company cares less about vigilant cyber security, so will the people.
This means cyber security must become an ongoing priority and part of your company culture. Find ways to bring it back to front-and-center. List cyber security among the company's values. It may be helpful to choose a cyber security tactic to spotlight each week or to share another story of recent hacking to keep the team engaged.
Training Your Employees to Be a Strong Cyber Defense
To protect your company from cyber threats you need a multi-layered strategy that includes both technical and non-technical layers.
Your workforce, tech or not, can become a highly trained defensive force for your company data and network. All they need is the right kind of training and to be part of an ongoing company-wide security initiative. Get everyone involved, practice regularly, and have fun with cyber security training.
Get a Cyber Security and Risk Assessment
Knowing where you need to go with cyber security is much easier when you have a clear picture of where you are right now. A cyber security and risk assessment gives you a new understanding of your vulnerability, provides recommendations for improvement, and helps you close the gaps that are exposing your business to unnecessary risk. Contact us to learn more about security assessments.