That, in turn, means that the biggest cybersecurity risk could well be sitting in the office at this moment.
How Can Human Error be the Worst Risk?
Modern anti-malware programs are highly effective. As long as they’re kept up to date, they are an excellent first line of defense. They’ll pick up traces of known viruses and other forms of malware. They’re highly effective thanks to the AI built into them.
What they can’t do, however, is to stop your employees from falling for a phishing email, or uploading a dodgy program.
It can also be problematic if they access your systems on their own devices. Your system may be very secure, but are their laptops or phones?
Minimizing the Risk
Automate Security Where Possible
Phishing is a serious issue. According to the 2018 Microsoft Security Intelligence Report, phishing attacks increased by 250% between January and December of 2018. According to the same report, phishers are improving their strategies to make these emails harder to detect.
Would you recognize a phishing attack? You’d think so, but you’re probably wrong. I’ve been in this business for a long time, and even I admit that they’re harder to spot than you might realize.
In my case, it was a simple notification from Netflix that someone had tried to access my account. As a security precaution, Netflix had reset my password. I was even given a handy link to click on to reset my password.
Fortunately for me, I never click on the links in an email. I navigate to the site concerned on my own. To be clear, it didn’t even occur to me that this was a phishing email. That is until I signed onto my Netflix account without any problems.
When I went back to look a little closer at the email, everything still looked fine. That is, until it came to the sender’s email address. Instead of Netflix, the email address said, Netfix. It would have easily gone unnoticed if I wasn’t looking directly for it.
How would you have reacted? What about your employees? What if they got an email purporting to be from a trusted client, or even you? Scammers are launching sophisticated spoofing attacks. They’ll study a company to identify prime targets. They then work out the best line of attack.
This could be in the form of a link to a malicious site designed to look exactly like a legitimate one. If you try to log in, they’ll have your username and password. It could also be a link to a site that contains malware to infect your computer system. There are many different attack vectors to consider here.
Or it could be a scam to get you to transfer money. All of these look perfectly legitimate on the surface. All it takes is for your employees to let their guard down for a second. And, that’s something that can easily happen in a busy office environment.
Your best defense is to take as much of the guesswork out of things as possible. Start by using a good email scanner. These scanners use artificial intelligence to identify patterns that could indicate that an email is spam or potentially malicious.
They won’t catch every single phishing email, but they’ll catch most of them. They’ll certainly sniff out more of these than you will. Besides the phishing emails, they can be a useful productivity tool because they’ll quarantine spammy emails as well.
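The Netflix/Netfix story above is a lookalike sender domain, one of the patterns an email scanner looks for. As an added illustration (not code from the original post or from any scanner vendor), the following script parses the From header of a few constructed sample messages and flags three sender patterns: an exact or subdomain match against a trusted list, a domain within a small edit distance of a trusted one (the "netfix.com" case), and a trusted brand name in the display name while the address comes from an unrelated domain. The trusted-domain list and the sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed list of brands this organisation treats as trusted senders.
TRUSTED_DOMAINS = {"netflix.com", "microsoft.com", "example-bank.com"}

# Constructed sample messages (raw RFC 822 text, headers then body).
SAMPLE_MESSAGES = [
    # lookalike domain: the pattern from the Netflix/Netfix story
    "From: Netflix <no-reply@netfix.com>\nSubject: Your password was reset\n\n"
    "Click here to restore access.\n",
    # legitimate subdomain of a trusted domain
    "From: Netflix <info@mail.netflix.com>\nSubject: New arrivals\n\nHi.\n",
    # trusted brand in the display name, address from a free-mail domain
    'From: "Netflix Support" <netflix.help@gmail.com>\nSubject: Account locked\n\n'
    "Verify now.\n",
    # unrelated sender, nothing suspicious about the address itself
    "From: Alice <alice@partner-firm.org>\nSubject: Lunch\n\nTomorrow?\n",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_sender(raw_message: str) -> tuple[str, str]:
    """Return (display name, lower-cased domain) from the From header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    return name, addr.rpartition("@")[2].lower()


def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match or a subdomain of a trusted domain (mail.netflix.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def classify_sender(display_name: str, domain: str,
                    trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Verdict: trusted, lookalike-domain, brand-in-display-name or unknown."""
    if is_trusted(domain, trusted):
        return "trusted"
    # A domain one or two edits away from a trusted one (netfix.com, netflix.co)
    for t in trusted:
        if 0 < levenshtein(domain, t) <= max_distance:
            return "lookalike-domain"
    # Display name claims a trusted brand but the address does not belong to it
    name = display_name.lower()
    for t in trusted:
        brand = t.split(".")[0]
        if brand in name:
            return "brand-in-display-name"
    return "unknown"


def triage(raw_message: str) -> tuple[str, str, str]:
    """Parse one message and return (display name, domain, verdict)."""
    name, domain = parse_sender(raw_message)
    return name, domain, classify_sender(name, domain)


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        name, domain, verdict = triage(raw)
        print(f"{verdict:22} {name!r:20} {domain}")
```

The edit-distance threshold of two is a starting point, not a rule: with very short trusted domains it will produce false positives, and a real scanner combines this kind of check with SPF/DKIM results and link analysis rather than relying on the sender address alone.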
Conduct Security Awareness Training
Your next line of defense is to train your employees to recognize potential risks. Security awareness training will make them aware of the types of attacks they might be subjected to. Better yet, they’ll learn about best practices to minimize the risk of becoming a victim. It also gives them a chance to brainstorm ideas.
As I mentioned earlier, I never click on a link in any email. With this training, your staff will be taught cybersecurity best practices. These go beyond the basic “set a strong password” to practical advice that’s going to make a real difference.
Implement Set Policies
Don’t we all just love that employee manual? I’m sure that someone in history has read one end to end. I’m not that person, though. That said, laid down procedures perform a very important function.
They give your employees a strict set of guidelines to follow. These will be based on best practices and take more of the guesswork out of how they respond in different situations.
These days, social media can provide some useful leads and help staff nurture those leads. It’s not practical to say that you’ll ban all social media sites. That said, does Sue in accounting need access to Facebook?
Limit online access to those employees who need it for their day-to-day work. Make it the policy for emails over a certain size to go to quarantine automatically. Those funny meme emails are often large files and should get caught in the net.
What you’re doing is to reduce the amount of temptation that each staff member faces on a daily basis. It’s not going to prevent attacks on its own, but it will reduce the number of potential attack vectors.
Test Your Employees
To be fair here, there are some phishing emails that look perfect. A good way to see whether or not employees are able to identify dodgy emails is to test them. There are several companies that will provide random phishing testing at reasonable rates.
This entails the company sending out a series of questionable emails to your staff at random. They’ll change up the format in the same way that a real phisher would. How the staff member reacts tells you if they need more training or not.
It’s important to view this as a training exercise and not as an opportunity to embarrass the staff member. If an employee falls for one of these emails, you need to take them aside and explain what happened in a nice way.
Have a Recovery Plan
Finally, it’s essential to have a recovery plan. It’s safer to assume that an attack will be successful. That way, you’re more likely to stay vigilant. In the recovery plan, you’ll lay out the steps you’ll take if a breach occurs.
In the plan you’ll detail:
- Your backup schedule. You should back up your data regularly, so it’s still accessible if your system is infected. Keep two separate backups. The second one must be stored offsite in case the office is gutted in a fire or something similar.
- Who’s to take charge of the recovery plan.
- What steps you’ll take to recover your system security.
- Who you’ll have to notify in the event of a breach – clients included.
Each step detailed above can help you to minimize the security risk posed by your employees. These precautions may seem like overkill, but they could save your company an embarrassing and expensive breach.
For a smaller business, recovering from a breach can be very difficult. That’s why it makes sense to take precautions upfront instead.
If you’re not sure whether or not your systems are secure, it might also pay you to hire a security specialist to give them the once-over.