Why Proactive Cybersecurity Is Vital To Keep Your Company Safe

essidsolutions

Employees are considered the weakest link in information security. Matt Lindley, COO and CISO at NINJIO, shares why employees need to make vigilance a habit and how a proactive workforce can prevent sophisticated social engineering attacks.

Because cyberattacks frequently rely on deceiving and coercing human beings, one of the most powerful tools cybercriminals have is employee inattention. It’s much easier to target a company when employees have a habit of carelessly clicking on phishing emails, providing sensitive information to requesters who haven’t been properly vetted, and leaving other attack vectors wide open for cybercriminals to exploit. 

These are the reasons why employees have to be proactive about protecting their companies from cyber threats. They should always be on the lookout for potential threats: an email that seems a little too demanding, a request for information that comes from an unknown or suspicious source, the cybercriminals who lurk on public Wi-Fi or insecure websites. And when employees suspect an attack or a breach, they have to report it immediately so the company can take action and inform other employees. 

Cybersecurity should never be reactive. Employees have to remember that cybercriminals are constantly devising new ways to infiltrate their organizations, and it’s their responsibility to identify and prevent these attacks.

Make Vigilance a Habit

One of the most pressing priorities for any cybersecurity platform is to address the bad digital habits most employees have developed. As an MIT article explains, “Employees are considered the weakest link in information security; their compliance with security policies has been a major area of research.” A 2020 report found that 20% of employees were “quick to click on phishing links,” while 67.5% of those victims went on to submit their passwords on the phishing website. These proportions actually increased from 2019 to 2020 – a year when COVID-related cyber scams exploded. 

To counteract all these bad habits, employees have to cultivate good ones. For example, there are several ways to identify phishing emails: 

  • Making sure links go to their intended destinations (by hovering the cursor over them);
  • Checking email headers for misspellings, incorrect capitalizations, unknown recipients, and other suspicious elements;
  • Paying close attention to the tone of the message and the nature of the request.

Employees should be on their guard if an email asks them to take immediate action, threatens them in some way, or requires them to click on a link or attachment. 
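A mail filter or a "report phishing" triage script can run part of the same checks automatically. The Python sketch below is an added example, not code from the article or from NINJIO: it flags links whose visible text names a different host than the real destination, hidden recipients, and urgent wording. The word list, the `review` function and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed word list for this example; tune it to your own mail flow.
URGENCY = re.compile(r"\b(immediately|urgent|suspended|final notice)\b", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    # Lowercase hostname of a full URL or a bare "domain/path" string.
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def review(raw):
    msg, findings = message_from_string(raw), []
    body = msg.get_payload()  # single-part message assumed
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:  # what hovering would reveal
        shown = host(text) if URL_LIKE.match(text) else ""
        if shown and shown != host(href):
            findings.append(f"link shows {shown} but goes to {host(href)}")
    if "undisclosed" in (msg.get("To") or "undisclosed").lower():
        findings.append("unknown or hidden recipients")
    hits = {m.lower() for m in URGENCY.findall(f"{msg.get('Subject', '')} {body}")}
    if hits:
        findings.append("urgent wording: " + ", ".join(sorted(hits)))
    return findings

# Constructed sample message (not a real email).
SAMPLE = (
    "From: IT Support <support@example.com>\nTo: undisclosed-recipients:;\n"
    "Subject: Urgent: password expires today\n\n"
    "<p>Your account will be suspended. Verify immediately at "
    '<a href="http://login.example.net/reset">https://portal.example.com/reset</a></p>'
)
```

Findings like these are prompts for a human look, not a verdict: a message that passes all three checks can still be malicious.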

Employees have to get to a point where this sort of analysis is second nature. Proactive cybersecurity means recognizing that the threats out there will only continue to multiply and become more sophisticated, so your defenses can never drop for a second. 


Report Suspicious Digital Activity 

When employees suspect that a cyberattack may be in progress or that a breach has already occurred, there should never be a moment’s hesitation in reporting it. According to IBM’s 2021 Cost of a Data Breach Report, the average data breach costs $4.24 million, the highest in the 17-year history of the report. It takes organizations an average of 287 days to identify and contain a data breach, which drives the cost up even higher.

These are all reasons why employees have to be willing to report a cyberattack the second they believe it’s underway, even if they might be responsible for the security breach. One of the biggest inhibitors to establishing a culture of cybersecurity is the anxiety employees feel when they make a mistake. Instead of informing a manager, they try to fix the problem on their own or hope it will just disappear (by deleting the fraudulent email, for instance). This wastes crucial time as malware makes its way onto the network or cybercriminals use the information they stole to force their way into other secure systems and accounts. 

Even when employees don’t think they’ve done anything that could put the company at risk, they should report any digital activity they regard as suspicious, from software malfunctions to potential phishing emails. The worst-case scenario is that the company investigates and doesn’t find anything, while the best-case is thwarting a cyberattack that could cost millions of dollars. 


Building a Proactive Workforce

According to IBM, the two top attack vectors in 2021 are compromised credentials and phishing. These findings are consistent with the most recent FBI data, which reports that phishing (an attack that often leads to stolen credentials) is by far the most common type of cybercrime. There’s no greater cyber threat to companies than social engineering, a broad category of cyberattack that encompasses any attempt to deceive or manipulate employees.

There’s no better way to prevent social engineering attacks than by developing a culture of proactive cybersecurity. But there are many impediments to doing so, such as the difficulty of maintaining employee engagement. Gallup reports that just one-third of employees are engaged at work, which is a reminder that the first step in developing an effective cybersecurity platform is seizing and holding their attention. Companies have to emphasize how destructive social engineering attacks can be by citing real-world examples and gauging employee awareness with simulated phishing tests and other exercises. Senior executives must ensure that everyone in the company is up to date on cybersecurity best practices, from the use of password managers and VPNs to keeping all software fully updated.

The most critical element, though, is the reinforcement of a proactive security mindset. Employees have to be alert to the ever-evolving cyberthreats out there. They should understand the latest tactics cybercriminals are deploying and how to counter them. They should be quick to report any suspicious activity, which means companies need to have clear channels for doing so (and taking action once a report is submitted). And finally, employees should understand that they’re the company’s most valuable cybersecurity assets. 
