Originally published: October 2018
Updated: August 2024
You may have noticed a trend when it comes to cybersecurity recommendations: training your employees in security. Every one of our security blogs has mentioned it. No one’s saying all your employees need to have an advanced degree in computing or cybersecurity, but they do need to have at least a basic understanding of how to keep themselves and your company safe. A lot of articles will tell you what you need to do, but without a clear explanation as to why. Here are our top three things your employees need to be educated about and some examples that illustrate what happens when they aren’t.
Social Engineering and Phishing
Social engineering isn’t a new thing; it’s been around since long before the age of technology (Trojan horse, anyone?). Yet it is still a huge issue that causes problems for companies. Most people want to believe in the good of others, and social engineering takes advantage of the unwary. From letting strangers walk into your office to falling for a phishing campaign, social engineering takes many forms and can be particularly damaging. Phishing is the most common social engineering technique. “Vishing” (voice calls) and “smishing” (SMS text messaging) are becoming prevalent as well. The rise of AI and automation, along with evolving attacks, has led to increasingly believable phishing attempts.
Business email compromise, or “BEC,” is also on the rise. This type of social engineering attack can result in large financial losses, privilege escalation on accounts, and other security issues. In 2023, it was reported that 1 in 10 social engineering attacks was BEC, up from previous years.
What Happens When You Don’t Train:
- Someone in your building might let in a person dressed as a maintenance worker without checking his credentials.
- An employee may hold the door for someone that appears to have a legitimate badge.
- Someone in HR may fall for a phishing email and give an attacker confidential employee information.
- Someone in Finance may fall for a phishing email and give an attacker confidential banking information.
And just like that, someone can steal equipment or commit identity fraud with your employees’ identities. The average amount a company spent recovering from a data breach in the US is $4.45 million. Can you afford that?
Malware and Ransomware
Malware and social engineering can and do frequently intersect, though they don’t work quite in the same way. While social engineering focuses on psychological and social methods to try and trick people into giving away information, malware relies on technology. Malware includes ransomware, viruses, worms, and other malicious programs, files and coding. Using malware, the attackers don’t even have to interact with your employees.
What Happens When You Don’t Train:
- An employee may download a seemingly innocent program that could infect your system.
- Someone may open an infected attachment in an email, unleashing a virus.
- An email might contain ransomware, locking down all your systems and completely halting company operations.
While attackers may use social engineering to convince someone to click a link, it’s ultimately up to the staff member to spot the attempt and think before doing anything that could compromise your systems. The average amount a company spends a year recovering from a successful malware attack in the US is $3.82 million. Are you willing to risk it?
Passwords
By now, we’re all pretty much sick of “password this, password that”. But we can’t afford to be lax on this. There are so many programs out there that let even the most inexperienced hacker try to force their way into your account, and the weaker your password, the easier you make it. Not to mention the fact that many seemingly impenetrable companies have already been hacked (e.g. Facebook), making access to your data even easier. Train your employees to maintain good password policies, or you could be in serious trouble.
What Happens When You Don’t Train:
- Your employees’ email passwords could be easily cracked and used for nefarious purposes.
- Someone may be able to get into your bank account and completely drain it.
- A hacker may find company data through weakly protected personal email or email with no MFA enabled.
Modern password cracking programs can guess up to 350 billion passwords a second. 90% of employee passwords are crackable within 6 hours, and 65% of people use the same password everywhere. Do you want to test that theory?
Of course, this isn’t a complete list of things your employees need to have a basic understanding of. Regular security awareness training is necessary for everyone in your company, particularly if you fall under any compliance regulations such as HIPAA or PCI-DSS. Many cyber insurance companies also require that your business has regular, updated security awareness training in place for employees. ADNET recommends annual security awareness training for every employee – regardless of their role, or your industry. No business is too small to be a target. Training your employees to better protect you and your assets is a no-brainer; keep them up to date and sleep soundly at night.
Need help educating your team on cybersecurity threats? Reach out to us – we’re here to help.