You may have noticed a trend when it comes to cybersecurity recommendations: training your employees in security. Every one of our security blogs has mentioned it. No one’s saying all your employees need to have an advanced degree in computing or cybersecurity, but they do need to have at least a basic understanding of how to keep themselves and your company safe. A lot of articles will tell you what you need to do, but without a clear explanation as to why. Here are our top three things your employees need to be educated about and some examples that illustrate what happens when they aren’t.
Social Engineering
Social engineering isn’t a new thing; it’s been around since long before the age of technology (Trojan horse, anyone?). Yet it is still a huge issue that causes problems for companies. Most people want to believe in the good of others, and social engineering takes advantage of the unwary. From letting strangers walk into your office to falling for a phishing campaign, social engineering takes many forms and can be particularly damaging.
What Happens When You Don’t Train:
- Your receptionist might let in a person dressed as a maintenance worker without checking his credentials.
- Another employee may hold the door for someone that appears to have a legitimate badge.
- Someone in HR may fall for a phishing email and give an attacker confidential employee information.
- Someone in Finance may fall for a phishing email and give an attacker confidential financial information
And just like that, someone can steal equipment or commit identity fraud with your employees’ identities. The average amount a company spends a year recovering from successful Social Engineering attacks in the US is $2.76 million. Can you afford that?
Malware
Malware and social engineering can and do frequently intersect, though they don’t work quite in the same way. While social engineering focuses on less technical methods to try and trick people into giving away information, malware is the “upgraded version”. Malware includes ransomware, viruses, worms, and many other bad programs/coding. Using malware, the attackers don’t have to be particularly charming or really even interact with your employees.
What Happens When You Don’t Train:
- An employee may download a seemingly innocent program that comes with an unwanted trojan that could infect your system.
- Someone may open an infected attachment in an email, unleashing a virus.
- A different email might contain ransomware, locking down all your systems unless you pay a ransom, completely halting company operations.
While attackers may use social engineering to convince someone to click a link, it’s ultimately up to the staff member to spot and think before doing anything that could compromise your systems. The average amount a company spends a year recovering from a successful Malware attack in the US is $3.82 million. Are you willing to risk it?
Passwords
By now, we’re all pretty much sick of “password this, password that”. But we can’t afford to be lax on this. There are so many programs out there that let even the most inexperienced hacker try to force their way into your account, and the weaker your password, the easier you make it. Not to mention the fact that many seemingly impenetrable companies have already been hacked (i.e. Facebook), making access to your data even easier. Train your employees to maintain good password policies, or you could be in serious trouble.
What Happens When You Don’t Train:
- Your employees’ email passwords could be easily cracked and used for nefarious purposes.
- Someone may be able to get into your bank account and completely drain it.
- A hacker may find company data through weakly protected personal email or email with no MFA enabled.
Modern password cracking programs can guess up to 350 billion passwords a second. 90% of employee passwords are crackable within 6 hours, and 65% of people use the same password everywhere. Do you want to test that theory?
Of course, this list of three things your employees need to have a basic understanding of is not complete. Security awareness training is necessary for everyone in your company, particularly if you fall under any special regulations such as HIPAA or PCI-DSS. Training your employees to better protect you and your assets is a no brainer; keep them up to date and sleep soundly at night.