Some of the key threat vectors for a data breach or cyber security attack are directly in the employee's control.

Employee Passwords

The conventional wisdom from experts is that passphrases (several words strung together) are easier to remember and harder to guess or crack than short strings of numbers, letters and symbols. Additionally, employees need to be encouraged and reminded to use multifactor authentication, ideally standardized by the company in a uniform Password Policy. Tugboat Logic provides a free trial to view some sample template policies. Whether you require a one-time code from a mobile app such as Google Authenticator or a biometric method of authentication, your organization should be presenting multifactor authentication as an easy-to-use security measure.

Employees Control Their Email

Email remains the number one risk vector for a cyber attack on an organization. Most training programs should incorporate an anti-phishing component, and Google's Anti-Phishing Quiz is a free and easy way to start aligning your team around the threat of phishing and social engineering attacks. Further, not every email can be encrypted, and employees sometimes need the gentle reminder that information sent unencrypted can be intercepted. Attachments containing sensitive information put that data at risk and should be sent in a password-protected zip archive (a low-cost security measure), with the password shared over a separate channel such as a phone call rather than in the same email. Security awareness training needs to empower employees so that they realize they can protect their own interests as well as their clients' interests.

Employees Control Their Internet Browsing
In 2019, the Internet is such that fake news and real news can sometimes be indistinguishable. Employees know that when something looks sketchy it is not work-appropriate and should not be engaged with. The challenge is that phishing scams make websites look official, and often trick people into giving up sensitive information, or socially engineer them into trusting the site and revealing corporate information.
Employees must also understand that they can check the actual email address hidden underneath a sender's display name. Also, remind employees that they have the power to see where a hyperlink really leads (by hovering over it) without clicking through to what appears to be a corporate website. A Bank of America link within a seemingly legitimate email may lead to something like www.bankofamerica.login.com or www.bnakofamerica.com. These small changes are the sign of hackers attempting to install malware on your systems.

Right Size Your Program

Whether you develop your own security awareness training program or use a service provider, first determine what business risks you're trying to accommodate. The risk priorities of a Fortune 100 company are very different from those of a mid-enterprise online retailer. There are several factors to consider, including the regulatory obligations of your industry, the nature of your business, the maturity of your employees, the distribution of team members, etc. Often the most critical risk factor to account for is identifying the scope and extent to which your company gathers, processes and stores customer information. Check out our previous guidance on how to right-size your security awareness program.
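The two checks recommended in the browsing section above (the real address behind a sender's display name, and the real destination behind a link such as the www.bankofamerica.login.com example) can be automated in a mail gateway or awareness-training tool. The following Python example is added here to make those checks concrete; it is not code from the original post or from Tugboat Logic. The sample message is constructed for illustration, and the "registrable domain" helper is a deliberate simplification (last two labels of the hostname, no public-suffix list), which is an assumption a production tool would replace with a proper public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the original post). The display name
# impersonates a bank, the real address is a typo-squat, and the first link's
# visible text names one domain while its href leads somewhere else.
SAMPLE_EMAIL = """From: "Bank of America Alerts" <alerts@bnakofamerica.com>
To: employee@example.com
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://www.bankofamerica.login.com/verify">log in to bankofamerica.com</a>.</p>
<p>Or visit <a href="https://www.bankofamerica.com/">www.bankofamerica.com</a> directly.</p>
</body></html>
"""


def registrable_domain(host):
    """Last two labels of a hostname. Simplification (assumption): no public-suffix list,
    so 'www.bankofamerica.login.com' -> 'login.com' and 'bnakofamerica.com' stays as is."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_identity(raw):
    """Split the From header into (display name, real address), which is exactly the
    'address hidden underneath the sender's name' an employee should look at."""
    msg = message_from_string(raw)
    return parseaddr(msg.get("From", ""))


def sender_domain_mismatch(raw, trusted_domain):
    """True when the real sender address is not on the expected registrable domain."""
    _, addr = sender_identity(raw)
    addr_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return registrable_domain(addr_domain) != registrable_domain(trusted_domain)


def body_html(raw):
    """Return the (non-multipart) HTML body of the message."""
    return message_from_string(raw).get_payload()


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Hostnames that appear inside the visible link text, e.g. 'bankofamerica.com'.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def suspicious_links(html):
    """Return (href, visible text, real destination domain) for every link whose
    visible text names a domain that differs from where the href actually goes."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        dest = registrable_domain(urlparse(href).hostname or "")
        for shown in HOST_RE.findall(text):
            if registrable_domain(shown) != dest:
                flagged.append((href, text, dest))
                break
    return flagged


if __name__ == "__main__":
    name, addr = sender_identity(SAMPLE_EMAIL)
    print(f"Display name: {name!r}  real address: {addr!r}")
    print("Sender domain mismatch vs bankofamerica.com:",
          sender_domain_mismatch(SAMPLE_EMAIL, "bankofamerica.com"))
    for href, text, dest in suspicious_links(body_html(SAMPLE_EMAIL)):
        print(f"Link text {text!r} really goes to {dest} ({href})")
```

Running the script reports that the display name "Bank of America Alerts" hides the address alerts@bnakofamerica.com, and that the link labelled "log in to bankofamerica.com" really resolves to login.com; the second link, whose text and destination agree, is not flagged. The same two functions can be pointed at real messages to generate the kind of concrete examples that make an awareness session memorable.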