It’s a clear fact that phishing is one of the main cybersecurity risks that organizations of any size face, and it’s a major way in which an organization can become compromised. But it’s also a poignant truth that, despite the growing threats that organizations have to face every day, many of them still don’t have a cybersecurity plan: something that ensures security baselines have actually been adopted across the organization.
The truth is, many organizations’ corporate cultures truly lack the security basics of working in this digital age. For example, do your employees know not to click on links that people send to them unless they’re sure the links are coming from trusted sources? In this blog, we’ll look at why your end users are the most basic, and arguably the most effective, tool that you can hone, in order to keep your organization safe from cybersecurity attacks.
Cybersecurity Starts with Your Employees – A Cautionary Tale
One of the cool features about Office 365 is the ability to send fake phishing emails to your employees/end-users to test whether or not they’d click on a malicious link, or engage in other unsafe behaviour. These simulated emails are fully customizable: the feature generates a message that mimics a phishing attack and then reports on which end-users failed the test.
In an effort to make sure that ProServeIT’s end-users were practicing what they preached, so to speak, the management team decided to send these fake emails to various members of our team, to see what would happen. They sent an innocuous, “here are the minutes from today’s meeting” email, with a fake phishing link. To his chagrin, our go-to security expert actually clicked on the link! Imagine his surprise when he received the message, “You’ve been phished!”
So, why did this happen? How could our security expert, with over 20 years of experience in the technology sector (10 of those as a security expert), and a holder of the Certified Information Systems Security Professional (CISSP) designation, fall for such a simple ruse? His answer is simple – he became complacent.
In his defense, ProServeIT has implemented some great security tools, like Microsoft’s Office 365 Advanced Threat Protection (ATP), to keep our organization safe. So, our security expert no longer felt the need to scrutinize every message for malicious content. But it’s a cautionary tale: even the most experienced person, on an off day, can click on a link that looks entirely banal. That’s why end-user education plays such an important role in keeping your organization safe.
End-User Education – the Best Line of Cybersecurity Defense
Not educating your end-users in cybersecurity initiatives is like trying to keep a flood at bay using a screen door. Your end-users are the first line of defense against cybersecurity attacks (like phishing scams). So, how do you educate your users? What needs to happen?
Here are three steps you can take to make cybersecurity top of mind in your organization:
1. Implement a cybersecurity policy and procedure document.
If you don’t already have a cybersecurity policy and procedure document in place, you need one. This document should contain a section that details action items, in case your end-users encounter perceived or real compromises. Remember, it doesn’t matter if you’re a one-person organization, or a 10,000-person organization – you need to detail your action items long before a threat is identified, or else you won’t be able to cover all your bases when you’re under pressure.
2. Build your cybersecurity strategy around educating your end-users.
Education is paramount to building a successful strategy. Almost every employee has an email address and access to the Internet. These simple services that you provide to your employees unfortunately account for about 90% of the breaches that are seen today. Very rarely do we see the “Hollywood version”, where someone in a basement jumps past a company’s firewalls to compromise their network, namely because it’s too time-consuming and expensive. From the attacker’s perspective, it’s far easier to send a phishing email to your employees and let them do all the hard work (i.e. clicking on that link).
3. Have cybersecurity tools in place to help prevent the potential for compromise.
Cybersecurity protection doesn’t just come from making sure your end-users don’t click on the link or visit a site they shouldn’t. We’re human after all, and as humans, we can always make mistakes. To mitigate that, it’s vitally important to make sure that you’ve got the tools in place (for example, Advanced Threat Protection) for when your end-users do slip up.
The Importance of Continuous Cybersecurity Training
Have you ever taken a course on something, but then you don’t practice what you’ve learned, so you forget most (if not all) of it? We’ve all heard the old adage, ‘practice makes perfect’, right? It’s true. One-time education is just not enough. Just like with fire drills, everyone needs to practice what they’ve learned, on a regular basis, so they can be ready for when something happens. Continuous cybersecurity training, therefore, is vitally important to be able to make your end-users into that first line of defense for your organization.
So, if you’ve done your educating on how your end-users can detect the most common attacks, and you’ve done your practicing, now it’s time to ensure that your efforts are fruitful. Here are two options that you can use:
1. Use a tool that creates a fake phishing email and see how many of your end-users open it.
As our case study above shows, Office 365 can really help in determining which end-users in your organization could fall for phishing attacks and other malicious activities. This type of reporting becomes critical to understanding how effective your cybersecurity program is – if you see a lot of your end-users failing the test, perhaps you need to put more into their training.
2. Deploy a cybersecurity awareness certification program as a part of your continuing education process.
This certification process could be implemented in many different ways, depending on how you want to build it out. The idea behind it, however, would be that every person is tested at regular intervals to ensure that they are reading and understanding the training they’ve been given. For example, you could create multiple-choice evaluation questions to understand how your end-users are absorbing the lessons. These evaluations will also help you identify what additional training might be required, based on the frequency of wrong answers. When employees pass the tests, they are re-certified for the next set period of time.
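As an added illustration (not part of the original post, and not ProServeIT’s or Office 365’s own tooling) of how the simulation reporting from option 1 and the re-certification interval from option 2 can be combined into a retraining list: the users, departments, actions and certification dates below are constructed sample data, and the 50% department threshold and 180-day validity period are assumed values.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample results from one simulated-phishing campaign (not real data).
# action: "clicked" = failed the test, "reported" = flagged it, "ignored" = no action
SIMULATION_RESULTS = [
    {"user": "alice@example.com", "dept": "Finance", "action": "clicked"},
    {"user": "bob@example.com", "dept": "Finance", "action": "reported"},
    {"user": "carol@example.com", "dept": "Finance", "action": "clicked"},
    {"user": "dave@example.com", "dept": "Sales", "action": "ignored"},
    {"user": "erin@example.com", "dept": "Sales", "action": "reported"},
    {"user": "frank@example.com", "dept": "IT", "action": "clicked"},
]

# Constructed awareness-certification records: date each user last passed the quiz.
# frank has no record, i.e. he has never been certified.
LAST_PASSED = {
    "alice@example.com": date(2024, 1, 10),
    "bob@example.com": date(2024, 5, 2),
    "carol@example.com": date(2024, 4, 20),
    "dave@example.com": date(2023, 11, 1),
    "erin@example.com": date(2024, 5, 15),
}

REPORT_DATE = date(2024, 6, 1)  # constructed "today" for the report


def failure_rate_by_dept(results):
    """Share of users in each department who clicked the simulated link."""
    clicked, total = defaultdict(int), defaultdict(int)
    for r in results:
        total[r["dept"]] += 1
        if r["action"] == "clicked":
            clicked[r["dept"]] += 1
    return {d: clicked[d] / total[d] for d in total}


def depts_needing_training(results, threshold=0.5):
    """Departments whose click rate is at or above the assumed threshold."""
    rates = failure_rate_by_dept(results)
    return sorted(d for d, rate in rates.items() if rate >= threshold)


def users_needing_retraining(results, last_passed, today, validity_days=180):
    """Users who clicked, or whose certification is missing or has expired."""
    flagged = set()
    for r in results:
        passed = last_passed.get(r["user"])
        expired = passed is None or today - passed > timedelta(days=validity_days)
        if r["action"] == "clicked" or expired:
            flagged.add(r["user"])
    return sorted(flagged)
```

Running it against the sample data flags Finance and IT as departments to revisit, and lists the three users who clicked plus dave, whose certification lapsed even though he ignored the email.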
Implement a Cybersecurity Education Strategy Today
No protection system is 100% effective. After all, consider the old saying that no battle plan survives first contact with the enemy – the same applies in cybersecurity. But with a plan in place, various tools implemented, and extensive training for your end-users, you are much more likely to be able to protect yourself from phishing attacks and the like.
At ProServeIT, we have the ability to assist in the development of a comprehensive cybersecurity strategy. Our Cybersecurity 101 Assessment is all about the first steps you can take in protecting your organization from cyberattacks, and understanding whether or not your organization is prepared to face potential cybersecurity incidents that may arise. Let us help you get started on this path – contact us about our Cybersecurity 101 Engagement today!