Sep 24, 2020



Any cybersecurity strategy is sure to include the basics – deployment of robust firewalls, installation of security software, and continual monitoring of your company’s digital environment through tools like anti-virus and anti-malware. While these best practices are all important when it comes to protecting your organization’s sensitive data, there’s a far more vulnerable security touchpoint that is often overlooked – your employees.

The reality is that the people who work for your company are its largest attack vector. It is often far easier to use phishing emails or social engineering to trick a human being than it is to break into the hardened hardware and software platforms found on today’s corporate networks. This is why, if you want a robust cybersecurity plan, it must include a focus on your people and the vulnerabilities they bring to your business.

Tip #1 – Test Your Team’s Security Knowledge

The first step in any employee-facing security strategy is to understand where your team currently stands when it comes to security. Running regular, unannounced tests on your people will not only reveal critical gaps in cyber posture, but will also give you a baseline understanding of what your team knows and what they do not know.

Think your team is pretty knowledgeable about cybersecurity already? Well, do you think they understand how to identify malware, phishing, man-in-the-middle attacks, denial-of-service attacks, SQL injections, and zero-day exploits, all of which are, according to Cisco, some of the more common types of cyberattacks? If your employees do not know how to identify each of these forms of attack, there is a critical need for training!

When it comes to testing security posture, one of the more popular methods is to use simulated phishing attacks. These are emails and other lures that look like a real attack but have no criminal on the other end actually looking to steal data or compromise security. TechRepublic recommends performing “live fire” training exercises, in which users undergo a simulated attack specific to their job function or role.

Whatever method you use to test your team’s current security knowledge, the key is to be able to collect actionable metrics. Management should be able to identify problem areas or groups and work to develop specific solutions to improve cyber threat awareness. These results should also be used to help create customized security trainings for your team.
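As an added illustration of turning simulated-phishing results into the baseline metrics described above (this is example code, not part of the original article or an Envision tool), the script below takes constructed per-recipient results, computes click rate, report rate and median minutes-to-report per department, and flags departments that need targeted training. The department names, the campaign rows and the thresholds in `problem_groups` are all assumptions chosen for the example.

```python
from statistics import median
from collections import defaultdict

# Constructed results from one simulated phishing campaign (not real data).
# One row per recipient: did they click the lure, did they report it, and
# how many minutes after delivery the report arrived (None = never reported).
CAMPAIGN = [
    {"user": "u1", "dept": "finance", "clicked": True,  "reported": False, "report_min": None},
    {"user": "u2", "dept": "finance", "clicked": True,  "reported": True,  "report_min": 240},
    {"user": "u3", "dept": "finance", "clicked": False, "reported": True,  "report_min": 12},
    {"user": "u4", "dept": "eng",     "clicked": False, "reported": True,  "report_min": 5},
    {"user": "u5", "dept": "eng",     "clicked": False, "reported": False, "report_min": None},
    {"user": "u6", "dept": "eng",     "clicked": False, "reported": True,  "report_min": 30},
    {"user": "u7", "dept": "sales",   "clicked": True,  "reported": False, "report_min": None},
    {"user": "u8", "dept": "sales",   "clicked": True,  "reported": False, "report_min": None},
]

def dept_metrics(rows):
    """Per-department click rate, report rate and median minutes-to-report."""
    by_dept = defaultdict(list)
    for r in rows:
        by_dept[r["dept"]].append(r)
    out = {}
    for dept, rs in by_dept.items():
        n = len(rs)
        clicks = sum(1 for r in rs if r["clicked"])
        report_times = [r["report_min"] for r in rs if r["reported"]]
        out[dept] = {
            "recipients": n,
            "click_rate": clicks / n,
            "report_rate": len(report_times) / n,
            # Time-to-report matters: a fast report limits the damage window.
            "median_report_min": median(report_times) if report_times else None,
        }
    return out

def problem_groups(metrics, max_click=0.25, min_report=0.5):
    """Departments whose click rate is too high or report rate too low (assumed thresholds)."""
    return sorted(d for d, m in metrics.items()
                  if m["click_rate"] > max_click or m["report_rate"] < min_report)

if __name__ == "__main__":
    m = dept_metrics(CAMPAIGN)
    for dept, stats in sorted(m.items()):
        print(dept, stats)
    print("needs targeted training:", problem_groups(m))
```

Re-running the same computation after each campaign lets you compare against the baseline and confirm whether training moved the numbers.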

Tip #2 - Regular Training Sessions are a Must

Once you understand where your team stands with regard to security, the next step is to train your people to fill the gaps in their knowledge.

When it comes to security training, there are a number of platforms on the market that offer security videos for your team to watch, followed by short tests meant to assess their understanding of the content. While these videos and tests are a good solution for follow-up and reinforcement of key concepts, they are not the most effective way to train your people. If you really want your cybersecurity training to be the best it can be, we recommend creating a training curriculum specific to your company, based on the results of your baseline tests and the needs and goals of the company’s management. This customized training should be delivered by a live, in-person instructor. Even if that instructor’s lesson is delivered via video, we have unequivocally found that a live presenter engaging with your team in real time, where they can ask questions and directly interact with the presenter, is the best way to train them on these complex topics.

Not sure how to get started with Employee Security Posture Training? This is one of Envision’s specialties. Contact us today to start a discussion of what a training plan for your organization may look like.

Tip #3 - Encourage Open, Honest Communication

The longer a cyber problem goes ignored or undetected, the greater the risk of damage, both physical and reputational, to an organization. Since a cyber attack may only take seconds to infiltrate an organization’s network and begin inflicting damage, time is of the essence in reporting any suspicious activity. Matt Sheehan, one of Envision’s Ground Control experts, gave some advice on reporting cyber threats and/or attacks:

Mistakes happen! If you feel like you have accidentally fallen for a scam or that there is a chance that your account is compromised, don't hesitate to loop in your IT resources. They should never be upset if you are reporting something quickly. Hiding these kinds of issues can make matters worse!

Management should actively encourage employees to come forward if they sense something is wrong within their digital infrastructure. If an employee made a mistake and clicked on something he/she shouldn’t have, they may be hesitant to report the mistake to a supervisor/manager due to fear of retaliation. If you want your employees to be open and honest with your IT team, you need to eliminate that fear and instill a culture of open communication without repercussions.

Tip #4 – Ensure Everyone Knows Your Organization’s Cyber Plan

In the case of a cybersecurity breach, does your team know the first steps to take to minimize total losses incurred? Who are the key players involved in managing these kinds of threats? Who is the first person to be alerted in the case of a cyber breach? If you couldn’t immediately provide the answers to these questions, it may be time to step back and look at your strategy.

When you run your cybersecurity training, a crucial part of that session is spreading organization-wide awareness of the key players who will put out the fire in an emergency. All employees should know not only what kinds of activity to report, but exactly whom to report that activity to. Again – the more quickly and efficiently your team can detect and manage a threat, the less costly the incident will be, both in time and in impact to the bottom line.

Tip #5 – Stay Up-To-Date on the Latest Cyber Threats

Holding training sessions, encouraging open communication, and reiterating your cyber plan are all crucial parts of creating a strong cyber posture for your organization. However, these key actions can fall short if your team is unaware of the current cyber threat landscape and new threats they should be on the lookout for.

The National Cyber Security Centre is a great resource your team can use to stay up-to-date on the latest threats. The Centre publishes weekly threat reports, drawn from recent open-source reporting, that provide updates on data exposures, hacking attacks, phishing scams, authentication vulnerabilities, and a host of other cyber topics. The website also has an Alerts & Advisories section, which reports on national threats and gives helpful mitigation tips if you or your organization has been impacted.

Additionally, if you look back to Tips #1 and #2 in this article, that process of testing and training should be continuous. You should be conducting regular tests using the latest kinds of attacks, and then following up on those tests with additional training to ensure your entire team understands the threats that are out there and how they should respond.

In Closing

While installing and managing the proper hardware and software are crucial to safeguarding your digital ecosystem, your employee base will always remain the most vulnerable part of your cyber plan. It only takes one honest mistake to inflict heavy organizational disruption and damage. By taking the following preventative measures, company risk may be significantly lowered:

1. Test your employees to regularly assess their cyber security posture.

2. Train your employees in cyber best-practices regularly.

3. Foster a culture of open communication by eliminating the fear of retaliation from management.

4. Reiterate your cyber plan to all staff members.

5. Encourage your team to stay up-to-date on the latest cyber threats and suggest resources for them to view with regularity.

Need more information on how to get started with cyber security measurement or training in your company? The security experts at Envision are happy to help. Connect with us today to learn how we can help you protect your people and your company.

Explore our cybersecurity services to find out how you can further protect your organization and its people.