Use Your Discretion: Cyber Awareness Education for Employees

Employees are usually left to use their discretion with corporate-owned technology on your networks pretty much all the time. As such, a lot of power is in their hands when it comes to what emails to open, what files to download, what portable media to plug in and what sites to visit.

There is an assumption that you can always monitor employees with technology. But, you can’t—or don’t – want to always do that. The fact is, that if security controls stand in the way of them doing what they want, they often find a way to bypass those controls.

Your organization needs a plan for educating employees on what can happen if they don’t take use their discretion

Get articles like this delivered to your inbox every week. Subscribe to Cyber Resilience Insights today.

In the recent Cyber Resilience Think Tank E-book “Employees Behaving Badly? Why Awareness Training Matters,” Gary Hayslip, Chief Information Security Officer at Webroot, said the following regarding how employees are most likely to behave with technology:

“As a CISO, I would hope that employees would be somewhat educated on good practices for being on a computer and using the internet. With that said, time and again, I’ve found that this isn’t the norm. I believe it’s the responsibility of the organization to provide security awareness education and resources, continuously over time, to remind employees that security and threats are dynamic and continuously changing.”

He continued, “When you have employees who don’t trust or understand your security program, they ignore proper security controls and work around them. This begins a whole lifecycle of the organization’s security program having to put out self-induced fires because they haven’t done a good enough job evangelizing the value of their program.”

Gary is completely correct about the CISO point of view on this. You can hope your employees are prepared for the correct ways to handle technology today, but you can’t assume anything. Because it’s impossible to keep tabs on your employees at all times, it’s on you to ensure they’re well-educated on what can happen if they don’t use due care.

Bad Habits Have Consequences

In general, employees are not doing bad things on purpose or out of malice, but their actions can greatly impact the security of your organization and data. According to the 2018 State of Email Security Report, 61% of organizations suffered an attack where malicious activity was spread from one infected user to other employees via email. How?

Here are common ‘bad habits’ your employees may not know can be dangerous, without awareness training:

Opening Email From People They Don't Know

They might think: It’s just email after all, right? What’s the harm in opening it? The truth is, the act of opening the email itself might not cause a tremendous amount of harm. It’s what comes next once an email is opened that causes problems, and we’ll get to some of those in a moment.

When an email comes in from an unfamiliar address, your employees are best advised to just ignore it. It’s the easiest way to avoid many issues, such as…

Opening Attachments Without Care

Cyberattackers love to use malicious attachments to spread malware on unsuspecting victims. A classic example of this is when hackers send fake resumes riddled with malware to HR professionals. Opening such attachments can wreak havoc on corporate networks.

Your employees need to proceed with caution when opening attachments from unknown sources. You never know what might be lurking inside, no matter how innocuous they may look.

Clicking Links Without Validating Them First

The key here is validation. If an email has malicious links, the attackers have likely tried to socially engineer the email to entice the recipient to click on them. Those clicks can lead to a whole host of problems that employees may not be aware of.

Those links could, like with attachments, spring malware on an unsuspecting victim’s computer and infect an entire network. Or those links could lead to prompts where victims put in their personal information or are asked to transfer funds.

It’s critical to provide employees with the cyber awareness training to know that they shouldn’t click on suspicious links in emails. It’s best to validate with the sender, either over the phone or in person, that they actually sent it.

Using Work Devices For Personal Use

In late 2018, Mimecast commissioned a Google Consumer Survey of 1,000 participants to examine the behavioral trends of employees using work devices for personal use. Within that survey, about a quarter of respondents weren’t aware of even the most basic threats to their organizations—including phishing and ransomware.

This lack of cyber awareness could put your organization at risk. If employees don’t know what can hurt them—and their organization—they’re more likely to engage in the kind of risky behaviors that could take down your network and leave you with a mess to clean up.

So, how do you change the tide at your organization? Taking proactive steps to ingrain cybersecurity awareness into your organization and encourage good habits for your employees is where to start. Training has to be engaging, fun, conducted consistently and in short bursts. It’s imperative to get buy-in from your senior leadership, too, so they see the value in these exercises.

Learn more about how Mimecast can help your organization with a cybersecurity awareness training program here.