A study from the Aberdeen Group and Wombat Security Technologies suggests that training employees on how to recognize and avoid cyber crime can reduce your business risk of a security breach by anywhere from 45 to 70 percent. If you’ve been wondering how your small business can find the funds to recover from a security threat, you may be asking yourself the wrong question. How can you free up funds to invest in training, and what sort of training will provide the best return on your investment?
The study termed end users to be the "greatest evolving security" threat to businesses. Simply by educating users around harmful or potentially dangerous behaviors, and suggesting alternate behaviors to use instead, businesses can curb their risks.
If your business has an annual revenue of $200 million, you stand an 80 percent chance of losing $2.5 million in a single cyber attack, the study estimates. There is a 20 percent chance that you could lose as much as $8 million, according to the Aberdeen-Wombat study. Worse, the study authors say that these estimates are conservative – so you could stand to lose a lot more!
In many cases, IT professionals are aware of the risk posed by end users. Yet senior management may need more convincing to allocate budget funds for education, not prevention. With this data, IT professionals can convince key stakeholders that education is prevention – and among the best ways to reduce enterprise risks.
Oftentimes, companies have thrown a significant amount of financial resources at trying to protect the business from cyber crime. Whether purchasing new technologies or hiring a managed service provider (MSP) to monitor system resources, many companies have demonstrated the seriousness of their commitment to protecting the business. Yet as this new research proves, all of this investment is necessarily diluted when staff members unwittingly expose the business to risk of cyber crime due to lack of awareness.
Let’s face it. Even if you have done everything you can to properly protect your business from cyber crime, you can never be 100 percent safe. Human error will always leave you at risk. To close the loop, and protect your business and your staff, you must invest in education.
Ways to Train Staff (and Reduce Risk)
To teach employees how to recognize and avoid a threat, you’ve got to think like the attackers. What information do they want, and how will they try to get it?
In some cases, a cyber criminal can resort to a different technology to try to gain access to staff credentials – the phone. A criminal might pose as a potential new client, contact at a local business, member of the press, or other party who could have a legitimate question. Yet in conversation, a hacker will try to get credentials that a legitimate caller would not ask for. This initial outreach could come via email as well.
One common example of this type of scam is when a hacker will contact a low-level employee (say, your receptionist) pretending to be your bank or credit card provider. They will try to get that employee to give out the business credit card number or checking account number. Savvy hackers know that a higher-level employee might be suspicious of the call, and ask for credentials before providing the information, but a new entry-level hire might not think twice before passing on the information. Once the employee gives the business credit card number, hackers have everything they need to seriously harm your business. Can you honestly say that all of your employees would recognize this type of phone call as a scam and deter the caller or emailer?
Train employees to recognize when phone calls or emails come with red flags that could indicate a phishing alert. While many of your staff members may realize that anyone who asks for an account password over email is a potential hacker, they may not realize that someone casually inquiring for their date of birth or the name of a spouse could be trying to gain account access. Any information that could be part of an employee password interests a hacker. All a hacker needs to do is guess one staff member’s password, and obtain their work email address, to infiltrate your network.
Your staff should also understand the danger of clicking on a link in a suspicious email. Even if your employee does not complete a form, download an asset, or otherwise take action, following the link alone could expose your business by triggering malicious code. The code can then scan the individual’s computer for sensitive information, passing it along to a hacker.
It’s important to train every staff member on the threat of cyber crime. While the phone attacks mentioned earlier might target low-level employees, spear phishing attacks specifically target high-rank, high-value staff members. These attacks resemble traditional phishing attacks but only target one particular individual that a hacker has pre-identified as being of high value. An attacker may spend weeks researching their target online, creating a phony website, and crafting an email. Busy executives and their personal assistants may unwittingly fall prey to a well-executed spear phishing attack. A variant of spear phishing is "vanity hacking" in which the ego of a high-level user is stoked in an email in an attempt to gain information.
Another growing area of vulnerability is chat systems. Many businesses are turning to live chat modules to provide efficient customer service. Team members who correspond with customers via chat should be included in cyber crime awareness training. A hacker could provide a suspicious link in the chat in hopes of luring the customer service staff member to visit a malicious website.
When staff feel like something is suspicious, they should immediately contact the proper channels (i.e. your in-house IT department or your MSP). If a suspicious email contains an attachment, the employee should never open the attachment.
This advice may seem simplistic, but it is not. Each time you prevent a staff member from clicking on a link in a phishing or spear phishing email, you protect your business assets. When your staff understand the threat, identify it in time, and take the proper actions, you can approach that "70 percent safer" milestone.
Making Awareness Part of Your Business Culture
If you do not have protocols in place for how staff should handle a suspicious incident, now is the time to develop those protocols. Working with your security expert, develop policies that cover common scenarios including phishing and downloading suspicious software.
Incorporate cyber crime awareness into your hiring and training policies. Human resources can screen candidates to see whether there are any issues of cyber crime in an individual’s past. This is especially key when you are hiring for jobs in finance, accounting, IT, or legal, where staff have access to sensitive information. All staff members should receive education in cyber crime awareness during the on-boarding process. Never assume that a new employee understands the risks or knows what to do. The reporting protocol you have in your business could look different from what the person is used to.
The impact of a one-day training is limited without follow-up. If you teach staff about cyber crime, yet have no follow-up throughout the year, you leave your business at risk of attack. Employees will forget what they learned in one-time workshops.
If something is prioritized in your organization, then staff will remember and react as you want them to. Make it a habit to track cyber security statistics yearly and offer an annual "state of the business" cyber crime report. Tracking what’s working and what isn’t working isn’t only beneficial, it allows you to identify holes and fix vulnerabilities before an attacker finds them.
Other ways to keep training relevant year-round include circulating memos as new threats arise, praising staff in meetings when they follow protocol in reporting suspicious emails, and hosting awareness events during National Cyber Security Awareness Month.
The Department of Homeland Security provides weekly themes for National Cyber Security Awareness Month, which is held in October. The themes provide inspiration and practical education ideas for businesses. The 2016 National Cyber Security Awareness Month themes include everyday steps toward improving safety, cyber crime throughout the workplace, how to recognize and combat cyber crime, app-specific cyber crime, and resilient infrastructure.
There is no question that these are big issues facing small businesses. Managed service providers (MSPs) can help your small business address cyber crime threats and provide training for staff. Other companies can provide dedicated training on how to recognize and avoid certain known risks, like phishing.
Start now with any investment you can make in raising awareness and training. Continue to invest in staff training until your staff model best-class behaviors, and revisit issues as threats change. Since hackers are always changing their tactics to infiltrate businesses, the threat facing you is always changing.