“The easiest way into an organization is by tricking an employee to let you in”, says Tessian CEO Tim Sadler in a SHRM article.
He’s 100 percent correct. With sophisticated email phishing schemes, cyber criminals seek to exploit employees who may have let their guard down. If an employee falls victim to a phishing attack, they could provide access to the entire system via password and credentials or cost the organization a significant amount of money if they were to send payment through the requested portals.
If you think that would be far too obvious for anyone to fall victim to, you’d be wrong. Criminals have become extremely effective at a concept known as social engineering. As an example provided in the phishing article: suppose you check your email and happen to see a message from the bank saying that you have an urgent matter regarding your account that you need to reply to immediately or else your account is going to be closed. What do you do?
Social engineering preys on the urgency and panic felt and seeks to get someone to forego the normal “checks” they would perform in examining such an inquiry and just get them to act.
In another example: You get an email that seems to be from your company’s CEO saying that they are traveling and their credit card is currently frozen – they need you to send them $1000 via this link onto another card so they can conduct business for the day on their trip until they can resolve the card issue.
These are just two examples of how phishing schemes work with social engineering and can convince people to act immediately.
If those targets happen to look closer they would see that the actual reply email address or email address of the sender is slightly off by a letter in the domain – a clear sign of a phishing attempt.
The Importance of Awareness and Training in Cybersecurity
When it’s all said and done, you can have the most sophisticated cybersecurity solutions in the world, the weakest link in your defenses still ends up being the human element.
As noted in our popular 7 Layers of Cybersecurity post, the human element of cybersecurity is strengthened by employee training and regular threat tests.
What Does Cybersecurity Training for Employees Look Like?
It can often be conducted in a variety of methods:
- In-person training for your entire staff
- Live training via remote meetings
- A series of videos or slides followed by quizzes to ensure user participation and comprehension
In recent years, remote training and videos with numerous quizzes have been the most popular options as it enables remote work forces to participate and doesn’t require the cybersecurity partner to travel to the corporate office, which can be an added expense.
Regardless of the method, training programs should be customized to meet the needs of your organization. Some entities may approve of a 30 minute session while others may desire a full day of training for their employees.
Diamond IT Is Here To Help
When exploring a partner for your cybersecurity needs, their ability to conduct employee training and follow up to regularly test your team are just a couple areas to look at. With Diamond IT’s SecureCentric, we’re able to take a comprehensive approach to your cybersecurity needs, including the development and implementation of policies for your employees – click here to learn more.