97% of malware targets users through Social Engineering. This means that employee education is a vital component to a sound cyber security strategy.
Many companies today throw thousands (millions!) into IT security technology, and those can often be sound investments. But one of the simplest, most-overlooked components to a cyber security strategy is spending a few minutes with your team educating them about what to look for, how to investigate an external email, how to protect themselves … and their organization.
Consider this: According to KnowBe4, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% instead targets users through Social Engineering (manipulative tactics against humans to infiltrate networks and steal confidential information).
In other words, in 2020, they’re not after your network. They’re after YOU, essentially.
So it’s up to you (and your employees) to have a sound defense in place. This requires some solid training.
How do social engineered scams work?
Here is one potential example of how a socially engineered scam might work.
- A cybercriminal scans a company website to determine who the senior leadership team is (business owners, presidents, CEOs)
- The cybercriminal places calls into the company to determine names of key people in human resources and finance departments
- The cybercriminal sets up a fake email address using the real name of the most senior people in the company
- The cybercriminal sends email messages to the key people in the human resources and finance departments requesting a list of IRS W-2 filing data that is being prepared for all employees
- The human resource or finance department people receive this message, respond to the email, and provide the data as requested
Further investigation into how email phishing scams similarly manipulate employees, particularly amid COVID-19, can be found at this blog.
How should you approach training?
In short, as proactively and regularly as you can. Here’s four tips:
- Communication: It starts here. Whether it’s through internal IT staff, or an outsourced training partner, communicate the urgency of cyber security awareness to anyone who touches a computer at your office. Share password best practices. Break down the anatomy of an email so your end users know what they should be looking for. Cut out the buzzwords and provide real, practical advice.
- Cognizance: Protecting yourself from cyber criminals in 2020 calls for constant awareness and suspicion of every email (or phone call or text) that comes across an end user’s desk. It also includes not allowing documents to sit on top of copier trays, eventually thrown away without being shredded. Such documents can provide valuable information for potential cyber criminals.
- Consistency: A one-time training event or webinar won’t do the trick. Continue to reinforce the necessity of recognizing social engineering effectively. Programs like TechCare University offer employee cyber security training that includes password best practices, education on social engineering, and even simulated phishing email "attacks" that test employees.
- Common sense: This goes a long way in detecting phishing attacks or social engineering ... a perfect example being the email from your “boss” requesting iTunes gift cards. In short, if it sounds "off," or too good to be true, it probably is. Practice multi-factor authentication with communication: Follow up via phone, or walk down the hallway, and check with the individual to substantiate the email request.
How equipped is your company?
The question is not just what technology have you equipped your IT team with – it’s how well have you equipped your employees? Answer the following few questions to gauge your collective state of cyber security awareness.
- Do you check links in email messages to make sure they are safe before clicking them?
- Do you review email addresses in the email you receive to make sure they are legitimate before responding?
- Do you use the same password for multiple logins for different companies and services?
- Have you ever received social-engineered or scam “phishing” email?
- Does the company you work for tag email from outside the company with “external” or some other warning to make it easy to spot potentially malicious email?
Ready to learn more about equipping your team with cyber security best practices? Unsure where your company stands with cyber security preparedness? Schedule a technology assessment to begin uncovering next steps for shoring up your security vulnerabilities.