Cyber Security Awareness Reminders Promoting Good Employee Behavior
“The only way to stop employees from clicking phishing links is to not let them use the internet. This idea will never work. I would never buy this from you.”
That’s how a friend responded when I told him my ideas for building a cyber security awareness program to help employees make better decisions.
I was excited to get his opinion because he was an IT Director for a decent sized organization. Even if he wasn’t interested in being a customer, I still wanted his opinion.
He wasn’t a fan, to say the least. In fact, he was sure we would fail because employee internet access is being restricted in most companies (eye roll).
That was 6 years ago. We’ve since built the company and the product focused on cyber security awareness, and helped employees around the world to recognize cyber threats.
Over the years, and the many employees trained, we’ve learned a lot about why employees click on phishing links, and more importantly how to stop them from doing so.
Cyber Security Awareness is Not an Event
At the beginning, our service included a single cyber security awareness module that covered all of the most important topics. At the time, this was ‘enough.’
But what we’ve learned over time is that security awareness is not an event. Rather, it’s a process. Improving and changing employee behavior is a process, and it takes time.
Employees aren’t dumb, and they aren’t always the weakest link. But they are really busy which means it’s easy to forget something that they’ve learned from a one time training. When we help organizations to build a culture of cyber security awareness we focus on building cyber security into the organization.
For some that might mean daily or weekly micro learning modules, posters and screensavers around the office, or reminders from management in weekly meetings.
What I always harp on is that it doesn’t have to be hard, and it doesn’t have to be expensive. In fact, you can have a conversation on cyber security awareness with employees…for free.
Remember — Employees Are Busy, and Cyber Security is Not First On Their List
This is what we need to remember as business leaders, IT, and security professionals — employees are busy. Cyber security is not first on their list. Say it again.
We forget this, and think, “How could you click that link?” “How could you give your password over the phone?” “How could you make that wire transfer?”
In reality, sales people are focused on selling. HR is focused on hiring and culture. Support is focused on customers. Security isn’t 1, 2, 3…or even 20th on their list.
That’s why it’s so important to think about cyber awareness as a process, and not an event.
Here are a few reminders that you can incorporate throughout the year to build a culture of cyber awareness — share them in weekly meetings (it takes 15 seconds to share one reminder), share them in your emails, and share them in your 1-on-1s.
Reminder 1 — Phishing Emails Aren’t Always Easy To Spot
I used to wonder how many people fell for the Nigerian Prince scam and actually believed that he wants to pay you a few million dollars to hold his money. It must be working if they keep doing it.
When I talk to employees in small and medium sized companies about phishing some people still think I’m talking about these scams from a foreign prince. In reality, phishing scams are much more sophisticated, and harder to spot.
Some phishing scams mimic emails you receive every day from Amazon, Microsoft, or other well known companies. Some mimic a trusted internal resource like your IT department or CEO. They may have a lookalike email, or a lookalike email address.
It’s easy to do, and requires no expertise. Simply find a domain for sale that’s similar to something your target will trust like Anazon.com. I bet some of you didn’t even notice the ‘m’ was an ‘n.’
Remember when I said employees aren’t stupid? This is what I mean. They aren’t stupid, but they are busy. And if you’re busy, multitasking, it’s easy to miss a sophisticated attack like the one above.
Keep this fact in front of mind for your employees so they actively look for red flags.
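The Anazon.com example above is the kind of check that can be automated on the defender's side: compare any domain an employee is about to trust against a short list of domains the company actually deals with, and flag anything that is almost, but not quite, one of them. The following is an added example, not code from the original post or from Wuvavi. The trust list is constructed for the example, the confusable-character table is a small hand-picked subset, and the "registrable domain" helper naively takes the last two labels (a production tool would consult the Public Suffix List).

```python
"""Flag domains that look like, but are not, a domain on a trust list.

Two checks are combined: a 'skeleton' comparison that collapses character
sequences which read the same at a glance (rn -> m, vv -> w, 0 -> o, ...),
and an edit-distance check that catches single-character swaps such as
anazon.com for amazon.com.
"""

# Constructed trust list for this example. A real deployment would use the
# organisation's own domain plus the vendors it actually receives mail from.
TRUSTED_DOMAINS = {"amazon.com", "microsoft.com", "example.com"}

# Character sequences that are commonly mistaken for one another when read
# quickly. Hand-picked subset for the example; not an exhaustive table.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def skeleton(domain: str) -> str:
    """Normalise a domain so visually confusable spellings compare equal."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (fine for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_domain(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    verdict is "trusted", "lookalike" or "unknown". A lookalike is a domain
    that is NOT on the list but is within max_distance edits of, or has the
    same skeleton as, a listed domain.
    """
    dom = registrable(host)
    if dom in trusted:
        return "trusted", dom
    for t in trusted:
        if skeleton(dom) == skeleton(t):
            return "lookalike", t
        dist = levenshtein(dom, t)
        if 0 < dist <= max_distance:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    for h in ("mail.amazon.com", "anazon.com", "rnicrosoft.com", "github.com"):
        print(h, "->", classify_domain(h))
```

A "lookalike" verdict is a prompt for a human to slow down, not proof of fraud: legitimate vendors do occasionally register near-miss names, so the useful output is the pair (what it looks like, what it actually is) that the employee can compare.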
Reminder 2 — This Is Important To The Company, and To Your Role in the Company
Let’s face it — for someone to care about something they have to know that it impacts them. While that’s not true for every employee, it’s true for a lot. This is especially true for cybersecurity. Most employees don’t think it matters to them personally.
Here’s a scenario to think about — your sales manager needs a report from his sales team for a meeting in 5 minutes. The file is too big to email. He could use your secure transfer service which requires logging in and waiting, or borrow a flash drive from someone near him even though your Acceptable Use Policy prevents removable storage devices.
What will he do? I’ll bet that 9 out of 10 times he’ll borrow a flash drive from a stranger before logging into a transfer service, uploading documents, sending them, and waiting for the file.
Why is that? One of the reasons is that he doesn’t understand what the removable storage device policy is, why it’s important, and how it impacts him. So, in his mind, the best way to solve his problem is the easiest way.
There are endless scenarios in which employees make insecure decisions because they don’t think it matters to them.
Remind employees that it does matter. Remind the sales team that a cyber breach will lead to a loss in customers, leads, and commission. Remind the finance team that a cyber breach will cost a lot, and the bottom line will never be the same.
This is an extremely important topic when you’re building a culture of cybersecurity awareness. We go in depth on how cybersecurity impacts various job titles in every part of the organization and how to show that cybersecurity impacts each department/person in a way that they care about. Check it out at Developing a Leadership Team That Embraces Cybersecurity Awareness.
Reminder 3 — Hover Over Links
We tend to forget that not everyone knows this technique, not everyone thinks about it, and not everyone knows what to look for if they do hover over a link.
If you don’t know — you can mask a hyperlink in an email with words (highlight the words and click the button that looks like a chain link). This is a great feature if you want to mail someone a link that’s long and ugly, but it also allows a cyber criminal to mask a malicious link.
For most of us in the technology space this is common sense. You might roll your eyes at this advice, the same way you’d roll your eyes if I walked in and told you to walk by putting your left foot in front of your right foot, and then your right foot in front of your left foot.
But not everyone is in technology. Go talk to your sales team, your office managers, or anyone that’s not ‘techy.’ Ask them how to identify a phishing email…and ask them if they know how to check the source of a link. You’ll be amazed…I know I am when I do this for our clients.
Cyber security is often about being aware of the basics — so remind your employees to hover over links and check their source.
Reminder 4 — Trust No One, Check the Sender, and Don’t Open Attachments that You Don’t Trust
In a similar way, if you’re familiar with technology it seems obvious to check the sender of an email, and not just the masked name. That’s not common knowledge for less savvy people, or even young people just coming into the workforce.
I’ve hired tremendously smart young folks who had never used email professionally before. I’ve had to teach things that I never would have thought to — like typing “you” instead of “u” in an email.
It’s not that they are stupid, it’s just that a majority of their writing has been via text message, and it’s perfectly OK to type that way in a text.
Remember that employees might just not know where to look, or what to look for, so it’s important to remind them. Do not overlook the ‘easy’ reminders because often that’s what employees need the most.
Reminder 5 — Be Cautious and Always Verify
Trust no one might sound harsh at first.
Employees would say, “Yeah sure I know who not to trust, but I always trust my boss. And I trust my client that I’ve been working with for 10 years.”
That logic is sound if you don’t understand how easy it is to impersonate an email. Real estate and settlement companies have been hit really hard with this truth.
There’s been a huge rise in cyber criminals targeting the closing process of a real estate transaction by impersonating an agent, and asking the buyer to send their downpayment to the criminal’s bank account.
This is extremely successful because it’s really easy to impersonate an email address, and even easier to make a lookalike email with a free service like firstname.lastname@example.org.
Employees must be reminded not to trust anyone. Not because their trusted friend might one day decide to hack them, but because a cyber criminal might be impersonating their trusted friend.
Reminder 6 — Reporting Potential Phishing Emails
Do you know what your employees should do after they receive a phishing email? I’m sure you do, and it’s probably in your Acceptable Use Policy.
But…do your employees know what they should do? Are you sure?
Some companies have a ‘Report Phishing’ button, and some ask their employees to forward phishing emails to ‘email@example.com.’
It doesn’t really matter how. What does matter is that your employees know what to do, so that you can help them make the best decisions, catch attacks early, and build a culture of cybersecurity awareness.
Remind employees to follow company policy and guidelines when it comes to reporting because it’s important to keeping them safe and protecting the company.
Reminder 7 — Let IT Know Immediately If You Might Have Made a Mistake
People will click on phishing links. They will open attachments that they shouldn’t. They will lose their laptop/phone.
You need to remind them of all the ways that they can prevent these actions, and you need to prepare them for what happens if they do.
What’s something that every employee can control after an incident? Time. By quickly reporting an incident you can coach them through proper management. By not reporting an incident, a virus can spread across the network quickly…and furiously.
Remind your employees to report suspicious emails, and to report every potential incident fast. This can be the difference between putting out a match, and putting out a 5th alarm fire.
Here’s a pro-tip — incidents often go unreported because employees know they did something wrong, but they are afraid they’ll get in trouble. So they prefer to do nothing, and hope A) no one notices, B) it goes away, or C) they can’t find the root cause.
As part of your reminder, let employees know that there are 0 consequences if they make a mistake and report it, but there are potential consequences for not reporting.
Employees Need Reminding, and So Do You
Your reminder is a little different, but it should come as no surprise.
Cyber security awareness is not an event, it is a process. So build cyber security awareness into your culture by reminding employees how to recognize red flags and mitigate risk.
Oh…and remember that cyber security awareness isn’t just about phishing links. It’s important that employees understand guest access policies, how to lock their device, and to never leave their computer in the car overnight.
You can build your company cyber security awareness program, and we provide some guidelines on what topics to cover and how to manage it here.
Cyber Awareness Training and Phishing Made Easy
Wuvavi provides the world’s only cyber security awareness platform developed for small and medium sized businesses.
Wuvavi allows SMBs to deploy enterprise grade awareness training and simulated phishing campaigns to their employees, track progress, and receive completion certifications.
Sign up for a free trial to simulate phishing attacks on your employees and start training today.
Originally published at wuvavi.com on December 10, 2018.