Phishing is one of the main cybersecurity risks that organizations of any size face, and it’s a major way in which an organization can become compromised. However, many organizations still don’t have a cybersecurity plan despite the growing threats that they are facing every day.
Many organizations’ corporate cultures truly lack the security basics of working in this digital age. For example, do your employees know not to click on links that people send to them unless they’re sure the links are coming from trusted sources? Your cybersecurity starts with your employees/end-users. The majority of cybersecurity attacks target end-users, and thus end-user education is critical when it comes to cybersecurity.
To help with the end-user education, Office 365 comes with a cool feature that allows you to send fake phishing emails to your employees/end-users to test whether or not they’d click on a malicious link, or engage in other unsafe behaviour. These emails are fully customizable. You can send a customized, fake phishing email and get a report on the end-users that failed the test.
In an effort to make sure that ProServeIT’s end-users were practicing what they preached, so to speak, the management team decided to send these fake emails to various members of our team to see what would happen. They sent an innocuous, “here are the minutes from today’s meeting” email, with a fake phishing link. This email was sent from our VP of Sales and Marketing to the entire sales team. Some of the team members clicked the link and received the message, “You’ve been phished!”
So, why did this happen? The fake phishing email was sent from the VP of Sales and Marketing. Our sales team, who reports to the VP, usually doesn’t think twice before opening his email and clicking the links within it.
In their defense, ProServeIT has implemented some great security tools, like Microsoft’s Office 365 Advanced Threat Protection (ATP), to keep our organization safe. So our team did not feel the need to scrutinize every email for malicious content. But it’s a cautionary tale that shows that even the most experienced people, having an off-day, can click on a link that seems so banal. That’s why end-user education plays such an important role in keeping your organization safe.
Not educating your end-users in cybersecurity initiatives is like trying to keep a flood at bay using a screen door. Your end-users are the first line of defense against cybersecurity attacks (like phishing scams). Here are three steps you can take to make cybersecurity top of mind in your organization:
- Implement a cybersecurity policy and procedure document.
It doesn’t matter if you’re a one-person organization or a 10,000-person organization – you need to detail your action items long before a threat is identified, or else you won’t be able to cover all your bases when you’re under pressure. Therefore, if you don’t already have a cybersecurity policy and procedure document in place, you need one. This document should contain a section that details action items, in case your end-users encounter perceived or real compromises.
- Build your cybersecurity strategy around educating your end-users.
Very rarely do we see the “Hollywood version”, where someone in a basement jumps past a company’s firewalls to compromise their network, mainly because it’s too time-consuming and expensive. From the hacker’s perspective, it’s far easier to send a phishing email to your employees and let them do the hard work (i.e. clicking on that link). This is why education is paramount to building a successful strategy. Almost every employee has an email address and access to the Internet. These simple services that you provide to your employees, unfortunately, account for about 90% of the breaches that are seen today.
- Have cybersecurity tools in place to help prevent the potential for compromise.
Cybersecurity protection doesn’t just come from making sure your end-users don’t click on the link or visit a site they shouldn’t. We’re human after all, and as humans, we can always make mistakes. To mitigate that, it’s vitally important to make sure that you’ve got the tools in place (Advanced Threat Protection, for example) for when your end-users do inevitably slip up.
The Importance of Continuous Cybersecurity Training
One-time education is just not enough. Just like with fire drills, everyone needs to practice what they’ve learned, on a regular basis, so they can be ready for when something happens. Continuous cybersecurity training, therefore, is vitally important to make your end-users into that first line of defense for your organization. Once you have taught your end-users how to detect the most common attacks and had them practice, here are two options to ensure that your efforts are fruitful:
- Use a tool that creates a fake phishing email and see how many of your end-users open it.
As our case study above shows, Office 365 can really help in determining which end-users in your organization could fall victim to phishing attacks and other malicious activities. This type of reporting becomes critical to understanding how effective your cybersecurity program is – if you see a lot of your end-users failing the test, perhaps you need to put more into their training.
- Deploy a cybersecurity awareness certification program as a part of your continuing education process.
This certification process could be implemented in many different ways, depending on how you want to build it out. The idea behind it, however, would be that every person should be tested at regular intervals to ensure that they understand the training they’ve been given. For example, you could create multiple-choice evaluation questions to understand how your end-users are absorbing the lessons you set up for them. These questions will also help you identify what additional training might be required based on the frequency of wrong answers. When your employees pass the tests given, they are re-certified for that set period of time.
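As an added example (not part of the original post, and not Office 365’s own reporting code), here is a small Python script that turns the kind of simulation results described above into the per-team click and report rates a program owner would review, and lists who should be retrained. The export layout, the sample rows and the 25% threshold are assumptions.

```python
# Added example: score a simulated-phishing campaign per team and flag
# users for retraining. The four-column layout is an assumption; a real
# Office 365 simulation export will use its own format.
from collections import defaultdict

# Constructed sample export: user, team, clicked the link?, reported the email?
SAMPLE_RESULTS = """\
alice@example.com,sales,clicked,not_reported
bob@example.com,sales,not_clicked,reported
carol@example.com,sales,clicked,reported
dave@example.com,finance,not_clicked,not_reported
erin@example.com,finance,not_clicked,reported
"""

def parse_results(text):
    """Parse the export into a list of dicts with boolean clicked/reported flags."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, team, clicked, reported = [f.strip() for f in line.split(",")]
        rows.append({"user": user, "team": team,
                     "clicked": clicked == "clicked",
                     "reported": reported == "reported"})
    return rows

def team_summary(rows):
    """Per-team click rate and report rate, rounded to two decimals."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in rows:
        c = counts[r["team"]]
        c["n"] += 1
        c["clicked"] += int(r["clicked"])
        c["reported"] += int(r["reported"])
    return {team: {"click_rate": round(c["clicked"] / c["n"], 2),
                   "report_rate": round(c["reported"] / c["n"], 2)}
            for team, c in counts.items()}

def needs_retraining(rows):
    """Users who clicked the link, even if they reported the email afterwards."""
    return sorted(r["user"] for r in rows if r["clicked"])

def teams_over_threshold(summary, max_click_rate=0.25):
    """Teams whose click rate exceeds the (assumed) 25% threshold."""
    return sorted(t for t, s in summary.items() if s["click_rate"] > max_click_rate)

if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    print(team_summary(results))
    print("retrain:", needs_retraining(results))
```

Users who clicked but then reported the email still appear in the retraining list, since the click is what a real attacker needs.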
As a multi-award-winning Microsoft Gold Partner, ProServeIT has been helping organizations of all sizes increase their efficiency, eliminate their “IT debt” and apply a security lens to everything they do. ProServeIT understands that every organization has different needs and challenges, and will work with you to understand your organization’s culture, your customers, and what’s most important to you as a company. Providing customized solutions that help you simplify your IT infrastructure, increase your team’s productivity, and grow your business, ProServeIT can use its expertise and experience to digitally transform your business.