The landscape of business tech, no matter the industry, is growing. That's not news to anyone. Currently, it is estimated that by 2020, 4 billion people will be online. That means that the human attack surface is growing exponentially. This, in turn, means that hackers are more likely to target humans, not machines. Why? It is simply easier to fool a human than it is to fool a machine.
With so many people jumping online, it makes more sense for cyber criminals to exploit end users rather than the machines they're using. For years, there's been an effort to secure machines, with little effort to teach the average user how to spot risks. This is something that's not going to bode well for many organizations.
When you consider that cybercrime damages are estimated to cost $6 trillion by 2021, it makes sense that it's time for any organization to start paying attention.
This means more than just having a firewall in place. This means more than having one training session during new employee onboarding.
This means that it is now necessary to continuously train each employee on the dangers of cybercrime. Every employee needs to be a cyber security expert.
Easier said than done, right? Yes, but not impossible.
Room for (continuous) improvement
Many organizations take steps to implement a "continuous improvement" cycle in various operations. Sales teams constantly train their reps to consistently get better at selling. Customer service teams constantly train their employees to better serve customers. IT departments are constantly working to improve the functionality of their infrastructure.
The fact is that most SMBs just don't have a cybersecurity team. The task of ensuring cybersecurity is often left to a few people in the organization, usually none of whom are experts. When running a small business, you've got to wear many hats.
Here are a few ideas that can help you continuously improve employee awareness of cybersecurity:
Have a clear cybersecurity plan
Like anything, having a clear plan of action is integral to ensuring that your employees understand the risks of doing business online. For some, cybersecurity may come naturally. Others might find it less obvious. Having a clear strategy will help keep everyone on the same page. Come up with a series of best practices and enforce them across the board.
Train employees on the dangers of social engineering
Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. These days the hacker will typically use email to target unsuspecting users. If you've never seen social engineering, or a phishing attack, in play, odds are you'll eventually fall victim to one. Get your employees together and go over what these attacks look like and what to do when you suspect you've been targeted.
KnowBe4 published a good resource to help train your staff on what to look for:
Perform spot checks
Due to the high volume of phishing attacks being delivered via email, it's a good idea to do more than teach your staff what to look out for. Try to catch them. In early May, there was an ultra-sophisticated phishing scam that sent targets an emailed invitation from someone they may know, took them to a real Google sign-in screen, then asked them to “continue to Google Docs.” Except this granted permissions to a malicious third-party web app that had simply been named “Google Docs,” which gives phishers access to your email and address book. It took days for Google to shut this application down. While it's unknown how many users were affected, it's likely in the hundreds of thousands.
This attack was good enough to trick savvy users. The point is that everyone lets their guard down. Performing routine spot checks, simulating a phishing attack like this, can help. Create a nice-looking email, make it look like it's coming from a trusted source, put a tracked link inside and then see who falls victim. Do this once a month. Emphasize the importance of truly knowing what you're clicking on before you click. Then be sure to retrain anyone who fails.
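As an added illustration (not part of the original article): the Google Docs incident above worked through an app permission grant rather than a stolen password, so alongside simulated phishing it is worth reviewing which third-party apps your staff have authorized. The sketch below flags grants where an app reuses a trusted display name under an unverified client ID, or where an unverified app holds mail or contacts access. The record layout, allowlist and client IDs are constructed assumptions.

```python
import unicodedata

# Assumptions (not from the article): record layout, allowlist and client IDs
# are constructed. The two URLs are Google's OAuth scopes for mail and contacts.
MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"
SENSITIVE_SCOPES = {MAIL, CONTACTS}
# Display names users trust, mapped to client IDs your admins have verified.
TRUSTED_APPS = {"google docs": {"verified-client-id-placeholder"}}
VERIFIED_IDS = set().union(*TRUSTED_APPS.values())


def normalize(name):
    """Fold case, compatibility forms and spacing so near-identical names match."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def review_grant(grant):
    """Return the reasons a single app grant deserves a closer look."""
    reasons = []
    name = normalize(grant["app_name"])
    if name in TRUSTED_APPS and grant["client_id"] not in TRUSTED_APPS[name]:
        reasons.append("trusted name, unverified client id")
    risky = SENSITIVE_SCOPES & set(grant["scopes"])
    if risky and grant["client_id"] not in VERIFIED_IDS:
        reasons.append("unverified app holds: " + ", ".join(sorted(risky)))
    return reasons


def flag_grants(grants):
    """Map each user to the reasons raised by their app grants."""
    flagged = {}
    for g in grants:
        reasons = review_grant(g)
        if reasons:
            flagged.setdefault(g["user"], []).extend(reasons)
    return flagged

# Constructed sample records, shaped like an export of third-party app grants.
SAMPLE_GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs", "client_id": "verified-client-id-placeholder", "scopes": [CONTACTS]},
    {"user": "bob@example.com", "app_name": "Google  Docs", "client_id": "unknown-client-123", "scopes": [MAIL, CONTACTS]},
    {"user": "carol@example.com", "app_name": "Team Calendar", "client_id": "unknown-client-456", "scopes": ["openid"]},
]

if __name__ == "__main__":
    print(flag_grants(SAMPLE_GRANTS))
```

Anyone flagged this way is a candidate for the same follow-up as a failed spot check: revoke the app's access and retrain.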
As long as cyber criminals can make money off of exploiting you and your employees, the threat of a cyber attack will remain real. They will be relentless. This means that you and your staff need to be relentless when it comes to safeguarding your organization against attacks.
It's unfortunate that this is the reality of the world in which we live. But doing something about it isn't as daunting a task as it may seem. We're always here to lend a hand. Subscribe to our newsletter for more information about how to safeguard your organization against cyber attacks.