How Small Businesses Can Bolster Their Cybersecurity by Educating Their Employees

June 10, 2019

Employees can be the biggest cybersecurity risk to businesses. If you train them with the right tools, however, you can make them into your best security asset. 

Employees have been identified as the single greatest cyber-threat for small businesses. However, these same employees can be trained to become a cyber-strength rather than a weakness.

Your small business can have the most solid security framework, but it’s useless if your employees are the ones being targeted. 

As an experienced security analyst and long-time security and privacy enthusiast, I can tell you that it’s way easier to exploit the human factor than to try and get through professionally backed security software. 

An independent survey by the Ponemon Institute reports that, of the small businesses that suffered data breaches, 54% found negligent employees to be the root cause.

This is why educating employees on cybersecurity can go a long way toward turning them into cybersecurity strengths instead of weaknesses.

The human mind is simply easier to trick than a machine. However, this doesn’t have to be the case. 

In this article, I’ll talk about how you can improve your small business cybersecurity by educating employees on essential cybersecurity knowledge as well as the most common cyberattacks on small businesses and how to best avoid them. 

Essential Cybersecurity Knowledge for Every Employee 

“The basics are the real innovation,” said Bob Lord, Head of Security for the Democratic National Convention, during his speech at RSAC 2019.

I couldn’t agree more as the basic tips he included during that speech are actually some of the most common advice I give when people ask me about security.

So, what essential cybersecurity knowledge does every employee need to know? 

Be Mindful When Handling Company Information

Employees have to always keep in mind that they possess company information which should never be shared. Losing a company device, sharing company information with friends and loved ones, or even just a simple selfie with a whiteboard or computer screen in the background can already reveal a lot to an astute hacker.

Be Careful When Sharing Information 

Hand in hand with being mindful goes being careful about what information they share. Employees should be careful about the information they share, even outside company premises.

Using unsecured messaging, connecting to public WiFi to do some work, or even sharing personal information on social networking sites can lead to this information getting stolen and utilized in attacks. 

Update Software Regularly

Vendors release application updates when they discover a security vulnerability in their products. These updates sometimes change the application's user interface, which can confuse employees and eventually lead them to forego installing updates.

Employees must be taught never to ignore updates; skipping them leaves known vulnerabilities open to attackers.

Strengthen Your Passwords 

Employees have to be educated on how to create and use strong, unique passwords. A strong password consists of a random mix of upper- and lower-case letters, numbers, and symbols. You can have employees test their password strength by going to HowSecureIsMyPassword.

A unique password means having a different password for each account. Using only unique passwords reduces the risk of several accounts being compromised if the login credentials for one account get stolen.

To ensure that only strong unique passwords are used, employees can be required to use a password manager to generate and keep these strong unique passwords.

Lastly, employees should be instructed to always use two-factor authentication (2FA) where available. 2FA ensures that even if a hacker gets hold of an employee's login credentials, that hacker will still have to provide the authorization code before they can access the account.

The advice in this section covers only the most essential cybersecurity knowledge. However, having your employees follow it can already improve your small business’s cybersecurity by a considerable degree.

Common Small Business Cyberattacks and How Best to Avoid or Mitigate Them

While educating employees on basic cybersecurity knowledge is a step in the right direction, it’s only the first step. 

A more detailed explanation of the most common small business cyberattacks is required to help employees understand, identify, and avoid or mitigate the possible threats they may encounter. 

Phishing and Social Engineering

Phishing and social engineering attacks both employ psychological tactics to get targets to perform a specific action that benefits the attacker, such as clicking a malicious link or providing information.

These attacks are most commonly carried out through convincing-looking emails. ZDNet reports that phishing emails are on the rise, with one in 61 emails containing a malicious link.

Phishing and social engineering attacks are delivery vehicles for viruses, worms, trojans, cryptojackers, and identity theft.

Employees must be instructed never to panic when faced with an unsolicited yet seemingly urgent email that appears to come from your IT department or software provider. Instruct them instead to view the message with skepticism and to check the facts behind it first.

Here’s an example of a phishing email from

Phishing Email Example 
Employees can hover over the links in emails like this to see whether they actually lead where they claim to.

Have your employees check the message for misspelled words or poor grammar; this is usually the mark of foreign hackers. After all of this is done, if the employee is still convinced it’s a real message, instruct them to contact your IT department just to be sure.
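The "hover over the link" check above can be automated on the mail gateway or in a training tool. The following is an added example, not code from the original article: it pulls every link out of an HTML email and flags links whose visible text names a different domain than the real target, links that point at a bare IP address, and hosts that merely contain the company's domain name. The company domain and the sample email are constructed placeholders.

```python
"""Flag email links whose visible text does not match where they point: the
automated 'hover over the link' check. Added example; names are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"  # assumed company domain (placeholder)
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, reason) pairs for links an employee should distrust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, match = host_of(href), DOMAIN_RE.search(text)
        shown = match.group(1).lower() if match else ""  # domain named in the text
        if shown and shown != target and not target.endswith("." + shown):
            findings.append((href, f"shows {shown} but goes to {target}"))
        elif re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append((href, "points at a bare IP address"))
        elif TRUSTED_DOMAIN in target and target != TRUSTED_DOMAIN \
                and not target.endswith("." + TRUSTED_DOMAIN):
            findings.append((href, f"lookalike of {TRUSTED_DOMAIN}: {target}"))
    return findings

# Constructed sample: three deceptive links and one legitimate one.
SAMPLE_EMAIL = ('<p>Mailbox full. <a href="http://example.com.evil.test/login">'
    'https://example.com/login</a> or <a href="http://192.0.2.10/verify">Verify '
    'your account</a>. <a href="https://exampIe.com/reset">example.com</a> '
    '<a href="https://mail.example.com/inbox">Open your inbox</a></p>')
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first three links and leaves the genuine `mail.example.com` link alone; the capital-I homoglyph in the third link is caught because its real hostname differs from the domain shown in the text.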

Insider Attacks

An insider attack is a malicious attack on a computer network or system committed by a person with authorized system access. 

Insider attacks can affect all aspects of computer and network security. They can do anything from spreading malware and stealing sensitive company information to crashing whole systems.

The problem is that these attacks are harder to both prevent and detect. They're committed by persons who already have access to your small business's computer systems and may already be familiar with your organization’s policies. 

Another reason is that most cybersecurity defenses focus on external threats rather than internal ones.

Many insider attacks begin with outsiders recruiting employees. Employees have to be trained to recognize and resist these recruitment attempts.

If you audit data access, broadcast this fact to inform employees that any attack attempts will have evidence pointing to them. They can also be instructed to report any signs of data exfiltration such as when an employee has been found copying and emailing company data to outsiders.


Malware

Malware is one of the oldest types of cyberattack. The most common types of malware can do anything from damaging your small business’s computer systems to letting hackers in through a backdoor to steal information, and even holding your small business’s data for ransom.

Employees should be instructed to beware of unsecured sites. You can tell whether a site uses an encrypted connection by simply looking at its URL.

Clutch URL

A padlock and “HTTPS” before a site’s URL means that the connection is secured with SSL (secure sockets layer). SSL encrypts data traveling between the browser and that site.

Malware can also be spread via phishing emails, so it’s doubly important to avoid the latter. If your policy allows BYOD, all devices have to be thoroughly scanned for malware. Lastly, employees must be required to install security software such as VPNs and antivirus programs.

Account Hijacking

Account hijacking is a type of identity theft. In this attack, a hacker gains access to an employee’s email, computer, or any other account associated with a computing device or service by using stolen login credentials. 

These login credentials are usually stolen through phishing, spoofed emails, or brute-force and dictionary attacks.

Once a hacker gains access to an employee’s account, that hacker can then launch malicious or unauthorized activity.

This attack can be prevented by having employees follow the essential rules for passwords that I’ve mentioned above. Another way is to make sure employees avoid phishing emails that require them to type in personal information. 

Employees should also be instructed to use a company-trusted VPN when working outside the premises to avoid having their information stolen via man-in-the-middle (MitM) attacks. Stay away from these leaky VPNs if your small business is looking to get one.

Equipping employees with specific knowledge of the most common small business cyberattacks helps them identify and prepare for them. Making sure employees know how to react to a hacking attempt allows your IT department to tackle possible threats more efficiently.

The Human Factor Does Not Have to Be the Weakest Link

Your small business can have the most solid security framework you can afford, but it won’t be any help if your employees are the ones being targeted.

Through my years as a security analyst, I’ve found that employees can become part of your small business’s strengths rather than its weakness if they receive proper training. 

  • Equip employees with essential cybersecurity knowledge.
  • Keep them mindful of the company information they hold.
  • Let them practice care when sharing their personal information. 
  • Show them why software updates are not to be feared.
  • Teach them how to strengthen their passwords. 

The most common cyberattacks on small businesses can be avoided if employees are taught how to identify and react to them. Consult with an experienced cybersecurity company to learn more about how to best implement security practices.