[BreachExchange] Security Awareness Training Can Prevent Disaster
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Oct 21 14:29:03 EDT 2016
http://www.business.com/technology/robert-siciliano-security-breach/
According to numerous studies, employees are responsible for about 80
percent of all data leaks. It only takes one worker who is a bit careless
to mess everything up. Let’s look at this example:
Your employee, Mary, receives an email on her personal account with the
subject line, “Lose 10 Pounds in One Weekend.” She clicks on the link in
the email to get more information, and unknowingly unleashes a virus onto
her work computer. This virus is not only infecting her computer, it is now
working through infiltrating the network, and accessing data that the
company has stored in these devices.
As you can see, this could happen to anyone. It could also happen to a
member of your staff, which is why it is so important for small business
owners to educate their teams about the tricks that cyber criminals employ
to get their victims. How do you know that they have gotten the message?
Try the following:
Phishing simulation. After giving employees information about not clicking
any email links, you can test their knowledge and resolve by setting up a
situation where they have the opportunity to click on an email link. Of
course, the link will take the worker to a page that is safe, and these
pages should have a message indicating they had engaged with phishing,
followed by education and awareness to show them what they did wrong or
could have done right. If you are going to give this test, make sure that
these emails contain a clue that they are actually a phishing email, such
as a misspelling or two. Or when hovering over the link, the URL is sketchy.
Pop quiz. Those who fall for these emails should be given a test later,
too. This way, you will know if they have or have not learned anything.Make
sure when you give these tests that they are unpredictable. For instance,
don’t always send them in the morning. Also, make sure that the nature of
the test changes. You also might consider hiring a person to attempt to
lure your staff over the phone or in person to fork over sensitive
information about your business. This could be invaluable, as you will know
who would fall for these tricks.
Don't quiz the staff once, give your staff quizzes throughout the year,
which will allow you to see who is on the ball. Remember, this is about
educating your employees, not disciplining them or making them feel bad
about themselves for failing the test.
Properly educate. Do what you can to make employees aware that a breach of
data could result in potential financial, criminal, or legal repercussions.
Schedule unpredictable workstation checks to see if any employee is doing
anything that might be compromising your company’s data, such as leaving a
computer logged into a sensitive program. Explain to your staff that
security is important for them, and the future of the company. You should
encourage your staff to report suspicious actions of the right person. In
this case, they should all be snitches.
When you have given the tests and trained your staff, create a full list of
all that they should have learned. Examine this list and re-evaluate it to
see if it requires any revisions.
Remember, there is no such thing as too much security awareness training,
as long as it’s fun and interesting. Take these tips, post them around the
office, and do things such as brief security seminars or workshops to keep
the information fresh. Also, recognize those staff members who are
repeatedly committed to network security.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161021/33936a41/attachment.html>
More information about the BreachExchange
mailing list