Fortify Your Defenses with Employee Cyber Safety Training
The number of cyber attacks is growing. Here’s what employers can do to prevent getting attacked.
Remember the massive cybercrimes that hit big-name companies like Yahoo, LinkedIn, American Express, Microsoft Exchange, and T-Mobile? The millions — even billions — of people impacted by these breaches were at risk for having their names, addresses, financial data, Social Security numbers, and other personal information exposed. And what’s worse is that the number of cyber attacks is growing.
The FBI, the top federal agency for investigating cyber attacks and intrusions, received 791,790 complaints or suspicions of Internet crime in 2020. In the 2020 Internet Crime Report, the agency described this number as 300,000 more than the previous year’s complaints. Actual breaches cost $4.7 billion in losses.
Technologent, an IT solutions and services firm for Fortune 100 companies, also weighed in on the growing threat of cyber attacks. In a media release recognizing October as Cybersecurity Awareness Month, the firm reported that a cybercrime occurred every 11 seconds around the world and that assaults on companies increased 600% since the coronavirus took hold in 2020. Also, among the IT experts cited in the release, 80% view the increase in employees working from home due to the pandemic as a “ticking time bomb” for more cybercrimes.
Small businesses targeted
Cyber attacks are a growing threat to small companies because they harbor information that hackers and other Internet criminals generally want and also lack many of the safeguards that large businesses have.
Cyber attacks against high-profile companies often gain the most public attention, but small and medium-sized businesses are just as vulnerable as the corporate giants. According to the Small Business Administration, cyber attacks are a growing threat to small companies because they harbor information that hackers and other Internet criminals generally want and also lack many of the safeguards that large businesses have.
SMBs can guard against Internet crime by adopting a series of cybersecurity best practices. However, since workers are often a company’s first line of defense against cybercrime, one of the most critical preventive measures to take is training employees to identify and prevent attempted breaches.
The case for employee training
Mercer, a global business consulting firm, named employee training — along with governance and policies and network security — as a 3-prong approach companies should use to assess their vulnerability to, and protection against, cyber attacks.
In an online video titled Key Steps n Risk Mitigation, Mercer partner Gregg Sommer warned that business leaders who aren’t transparent about their cybersecurity strategies can’t expect employees who are left “in the dark” to take the necessary precautions to prevent cybercrimes.
Technologent’s media release made the case for employee training in cybercrime prevention through this statement: “Addressing the human factor is critical and must focus on training and raising security awareness. Too many companies have fallen short in these areas despite having spent a lot of money on technology and security controls. However, they have not paid enough attention to how the end user is being trained.”
Cybersecurity experts attribute the growth and success of cybercrime to human error, which some sources say accounts for 91% of all breaches. Given this statistic, experts also agree that employees — not technology — are the greatest risk to a business’s security because they’re often easily tricked by hackers, unaware of cybercrime-prevention tactics or generating breaches through their own negligence.
Common cyber attacks
The SBA identifies 4 major threats targeting SMBs, which, in turn, make workers more vulnerable to attacks. The threats include:
Viruses. These harmful programs spread between computers and connected devices, giving cybercriminals access to computer systems in the process.
Malware. As its name implies, this malicious software damages a server, client, personal computers, or networks.
Phishing. This type of cyber attack uses malicious websites or email to infect a device with malware or gather sensitive information. Phishing emails look as though they came from a familiar person or legitimate website, which tricks employees into clicking on a link or opening an attachment that contains a malicious code. Once the code activates, it infects a computer with malware.
Ransomware. This type of malware infects computers and restricts access to them until the user pays the cybercriminal a ransom. Phishing emails usually are the conduit for ransomware, which attacks unpatched or vulnerable areas in software.
Employee training basics
SMBs can offer cybersecurity training for employees in a variety of formats, but the SBA recommends that the content teach employees across formats how to:
- Spot phishing email
- Use good browsing practices
- Avoid suspicious downloads
- Create strong passwords
- Protect sensitive, company, customer, and vendor information
- Maintain good “cyber hygiene,” or the practice of maintaining the health and security of software and hardware
Training standards for avoiding attacks
In an email interview for Workest, Ken Dort, a partner in the Faegre Drinker law firm, noted that employee cybersecurity training doesn’t have its own set of standards, but that training usually falls under certification protocols, such as the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST) and Communications Information Software (CIS).
Dort added that, based on these protocols, employee cybersecurity training typically addresses:
- The general reasons why cybersecurity systems and procedures are necessary and important
- The importance of data security to the employer’s business and its customers/clients
- Email handling, including how to recognize and address phishing attempts
- Protecting proprietary and/or sensitive personal information (e.g., financial, health, religious beliefs, etc.).
- Protecting mobile devices (e.g., laptops, cell phones, external drives, etc.) that are transported outside employer facilities, particularly when employees are traveling.
- Understanding the importance of cyber security (e.g., discussing ransomware, data breaches, etc.).
- Understanding the employer’s cyber security system and procedures for responding to data incidents (e.g., whom to contact when incidents occur).
- Knowing the role of third-party vendors and how to provide data safely to them.
- The need for regular employee training sessions to address new developments.
- The need to limit data access to only authorized personnel.
- How to protect information when working remotely from the employer’s facilities, a critical issue during the last 20 months of the pandemic.
“The overall goal here is to make the employees sensitive to the employer’s data security obligations and considerations, thereby, increasing the employer’s ability to fend off hacking attacks and other wrongful conduct, and minimizing the risks of data loss,” Dort said.
“The overall goal here is to make the employees sensitive to the employer’s data security obligations and considerations, thereby, increasing the employer’s ability to fend off hacking attacks and other wrongful conduct.”
Free training options
There’s no shortage of platforms for employee cybersecurity training, some of which are free. Here’s a partial list of free training courses and resources:
SBA. The agency offers a free 30-minute online audio course that employees can take anytime and at their own pace. Employees who finish the course receive a completion confirmation from the SBA.
Department of Health and Human Services (HHS). As the regulatory agency charged with enforcing the Health Insurance Portability and Accountability Act (HIPAA), one of the most stringent mandates for data protection, the HHS offers cybersecurity awareness training and resources.
Department of Defense (DoD) Cyber Exchange. The DoD provides the public with free but limited access to cybersecurity awareness training. Although the program is designed largely for cybersecurity professionals, businesses may benefit from training on phishing awareness, online identity and social media, and protecting personally identifiable information (PII).
Stop, Think, Connect. This campaign by the U.S. Department of Homeland Security offers training, advice, blogs, surveys, and other resources on online safety and security in multiple languages.
Federal Virtual Training Environment (FedVTE). Created by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), FedVTE offers the public 15 one-to-two-hour courses and downloadable files.
CompTIA. This technology trade association has a webpage offering videos on such cybersecurity awareness topics as password protection, spotting phishing emails and bogus websites, and cybersecurity advice for executives and financial employees.
The Federal Trade Commission (FTC) has an extensive section on its website called “Cybersecurity for Small Businesses.” This section has links to such titles as Cybersecurity Basics, Understanding the NIST Framework, Physical Security, Tech Support, Vendor Security and Cyber Insurance.
The FBI’s website has information on how businesses can protect themselves against cybercrimes and work with the agency to prevent and report incidents.
It pays for SMBs to consider the penalties for not training employees in cybersecurity awareness and prevention. The damage that hacks and breaches can do to computers, systems, and networks can seriously cripple business operations, as well as the public’s trust in affected entities. The losses in time and money can be astronomical for companies on a tight budget.
Also, when businesses promise to protect their customers’ personal information or privacy rights but a cyber attack exposes this data, the FTC can step in to enforce Section 5 of the Federal Trade Commission Act. This means that the agency can take legal action against companies that violated customers’ privacy rights or engaged in what the agency considers unfair or deceptive practices that negatively impact commerce. The resulting legal fees and penalties could leave an SBA financially devastated.