Are Your Employees a Security Liability or a Security Asset?

While many companies realize they should provide IT security training, they often do not know where to begin. If your business is one of them, here are some suggestions to get you started.

The actions of careless and uninformed employees are a leading cause of serious IT security breaches, second only to malware attacks, according to a study by Kaspersky Lab and B2B International. Even when a security incident is caused by malware, employees’ actions are often a contributing factor.

These study findings point to the need for IT security training. This training can mean the difference between employees being a security liability or a security asset. While many businesses know they should be training their employees, they often do not know how often to provide the training, what to cover, and how to make it effective.

How Often

When it comes to IT security training, taking a “one and done” approach is not advisable. Instead, companies need to provide ongoing training because cybercriminals are constantly changing their tactics and devising new cyberthreats. The organization that oversees the United States’ Health Insurance Portability and Accountability Act (HIPAA) recommends monthly security updates in addition to bi-annual training. Yet, only a quarter of employees receive cybersecurity training at least once a month, according to a Finn Partners survey.

Although there are expenses associated with providing ongoing training, the costs incurred from a serious IT security incident would be much higher. In 2017 alone, phishing and business email compromise (BEC) scams set US companies back $705 million.

What to Include

Your training program should be tailored to meet your company’s needs. It should cover the specific types of IT security risks that your employees might face on the job. The program also needs to address the security requirements employees are expected to meet. This is particularly important if your business must comply with any industry or government regulations such as HIPAA or the European Union’s General Data Protection Regulation (GDPR).

Topics commonly covered in IT security training include:

  • The need for strong, unique passwords and how to create them
  • The different types of malware (e.g., ransomware, spyware) and how they are spread
  • Email security, including how to spot phishing emails and BEC scams
  • What employees should do if they receive a suspicious email or encounter another type of IT security problem
  • How to safely use the Internet
  • Social engineering threats
  • How to use mobile devices securely
  • Physical IT security measures being used
  • Your company’s IT security policies

All employees — including managers and executives — should receive basic security training. Some employees might need additional instruction that is specific to their particular jobs.

How to Make the Training More Effective

The IT security training will be pointless if your employees do not remember any of it. Fortunately, there are several ways to help make your IT security training more memorable and effective. For starters, you should hold short training sessions rather than marathon meetings. Bombarding employees with information for many hours will result in information overload, which means they will likely forget most of it. Providing ongoing training in small chunks is a more effective way to get employees to retain information. Plus, it will be easier for them to fit shorter training sessions into their work schedules.

Including hands-on activities in the training sessions will also help employees remember the information presented. For example, in addition to discussing how to spot phishing scams, you could place the employees into small groups, give them copies of emails, and have them pick out the ones they think are phishing scams.

Another way to increase the effectiveness of your training is to make the information relevant to employees on a personal level. For example, a good way to get employees interested in how to use company-owned mobile devices securely is to start by discussing how they can protect their personal smartphones (e.g., only use hotspots known to be safe and reliable). Once they learn good security habits in their personal lives, they will be more likely to practice them at work.

Finally, after employees have completed their training on a particular topic, you might consider testing what they have learned. For instance, after covering how to spot phishing emails, you could send out a fake phishing email with a suspicious link. If clicked, the link could lead to a safe web page that states the phishing email was an IT security training exercise. This type of testing can reinforce what employees have learned. It can also help determine the effectiveness of the training.

It is important to follow up with employees after the test, especially with the individuals who clicked the suspicious link. However, you should never embarrass or scold these employees during this discussion. Instead, you should offer them additional training and resources.

Your Employees Are an Important Part of Your Line of Defense

Educating employees about IT security is important. With training, they can bolster your line of defense against cyberattacks rather than be a weak link in it. To make this happen, you need to develop an effective IT training program that will teach your employees what they need to know to help keep your business secure. If you are uncertain of what to include, contact us. We can suggest topics based on your business’s IT environment.


1 Out of Every 101 Emails Is Sent by a Hacker

Does your business receive hundreds of emails each day? If so, there is a good chance some of them have been sent by hackers. Find out how to protect your business from malicious emails.

Most businesses receive hundreds of emails each day — and there is a good chance some of them have been sent by hackers. After analyzing more than 500 million emails sent in the first half of 2018, FireEye researchers found that 1 out of every 101 emails sent is malicious. Spam is not included in this count. It includes only those emails sent by cybercriminals with the express purpose of pilfering money, stealing data, or compromising systems.

The vast majority (90%) of the malicious emails do not contain any malware, but they are far from being benign. They can be just as dangerous as those containing malware.

Hackers Are Using Both Old and New Tricks in Malware-Less Emails

Not surprisingly, around 80% of the malware-less emails were phishing attacks. In this type of attack, cybercriminals try to trick recipients into performing an action, such as clicking a link that leads to a malicious website. Phishing emails are generic so that they can be sent to a large number of targets, which is why the researchers found so many of them.

The remaining 20% of the malware-less emails were impersonation scams. These highly personalized emails try to con recipients into transferring money or revealing sensitive information. Cybercriminals spend a lot of time researching their targets in order to create legitimate-looking emails. Because these emails appear to be normal traffic, it is harder for email security solutions to detect them.

One of the cybercriminals’ favorite types of impersonation email is the business email compromise (BEC) scam. In this type of attack, cybercriminals masquerade as executives, supplier representatives, and other business professionals to con companies out of money. In 2017, hackers stole more than $675 million from US businesses using BEC scams.

While the researchers found that hackers were still using old favorites like the BEC scam, they also discovered a new type of impersonation scam: impersonation emails that led to phishing sites, where login credentials were harvested or malware was uploaded to victims’ computers. By including phishing links, hackers can send out vaguer emails to a larger number of targets. Because these emails still include some personalization, the recipients are more likely to think the emails are from trusted sources and click the link compared to generic phishing attacks. As a result, the email open rate for this new type of impersonation email is similar to that for highly personalized impersonation emails, according to the researchers.

Common Ways in Which Hackers Try to Deceive Recipients

In both the new and old types of impersonation emails, the cybercriminals typically manipulate the entry in the “From” field to trick recipients into believing the messages are from legitimate senders. The techniques include:

  • Spoofing the display name of an email address (e.g., Jane Doe)
  • Spoofing the username (the portion before the @ sign) of an email address (e.g., JaneDoe@)
  • Creating and using a domain (the portion after the @ sign) that is similar to a legitimate one (e.g., @paypa1.com, @secure-paypal.com)
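The three “From” field tricks above are exactly the kind of thing a mail-flow rule or a triage script can check for before a message reaches an inbox. The following Python script is an added example written for this article, not code from the original page or from FireEye; it takes a raw From header value and reports which of the three techniques it matches. The trusted domains, the known-contact list, the confusable-character table and the sample headers are all constructed for illustration, and the “registrable domain” helper simply takes the last two labels, which assumes no multi-label public suffixes such as co.uk are in play.

```python
import re
from email.utils import parseaddr

# Constructed reference data (assumption: a real deployment would load these
# from the organization's directory and sender allow-lists).
TRUSTED_DOMAINS = {"paypal.com", "example-corp.com"}
KNOWN_CONTACTS = {"jane.doe": "example-corp.com"}   # username -> legitimate domain

# Characters commonly swapped for look-alike letters in fake domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_domain(domain: str) -> str:
    """Last two labels of the domain (mail.paypal.com -> paypal.com).
    Assumption: no multi-label public suffixes such as co.uk in TRUSTED_DOMAINS."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def brand_of(domain: str) -> str:
    """The brand label of a trusted domain, e.g. 'paypal' for paypal.com."""
    return domain.split(".")[0]


def analyze_from(header: str) -> list[str]:
    """Return one warning string per technique the From header matches."""
    display, address = parseaddr(header)
    if "@" not in address:
        return ["unparseable: could not extract an address from the From header"]
    user, _, domain = address.rpartition("@")
    user, domain = user.lower(), domain.lower()
    reg = registrable_domain(domain)
    shown = display.lower()
    warnings = []

    # Technique 1: display-name spoofing. The visible name shows an address or a
    # trusted brand that does not match the domain the mail actually comes from.
    for embedded in re.findall(r"[\w.+-]+@[\w.-]+", shown):
        if embedded != address.lower():
            warnings.append(f"display-name: shows '{embedded}' but sender is {address}")
    for trusted in TRUSTED_DOMAINS:
        if brand_of(trusted) in shown and reg != trusted:
            warnings.append(f"display-name: mentions {brand_of(trusted)} but domain is {domain}")

    # Technique 2: username spoofing. A known colleague's username on a domain
    # other than the one on record for that person.
    if user in KNOWN_CONTACTS and reg != KNOWN_CONTACTS[user]:
        warnings.append(f"username: '{user}' is known at {KNOWN_CONTACTS[user]}, not {domain}")

    # Technique 3: look-alike domain. Either the domain turns into a trusted one
    # once confusable characters are undone (paypa1.com), or a trusted brand is
    # embedded in an untrusted domain (secure-paypal.com).
    if reg not in TRUSTED_DOMAINS:
        if reg.translate(CONFUSABLES) in TRUSTED_DOMAINS:
            warnings.append(f"lookalike-domain: {domain} imitates {reg.translate(CONFUSABLES)}")
        for trusted in TRUSTED_DOMAINS:
            if brand_of(trusted) in domain:
                warnings.append(f"lookalike-domain: {domain} embeds the {brand_of(trusted)} brand")
    return warnings


# Constructed sample headers: two legitimate, four matching the techniques above.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",
    "PayPal <noreply@mail.paypal.com>",
    "PayPal Service <alerts@paypa1.com>",
    '"jane.doe@example-corp.com" <attacker@gmail.example>',
    "Jane Doe <jane.doe@outlook.example>",
    "Secure PayPal <support@secure-paypal.com>",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        print(raw)
        for warning in analyze_from(raw) or ["  clean"]:
            print("  " + warning)
```

Subdomains of a trusted domain (mail.paypal.com) are accepted, so the check does not flag a brand's own infrastructure, and the output is a list of reasons rather than a single verdict so a reviewer can see which technique fired. Keep in mind that this only inspects the header the sender chose to write; it says nothing about whether the sending server was authorized, which is a separate control.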

How to Protect Your Business from Malicious Emails

To protect your business from impersonation and phishing attacks as well as emails containing malware, you can use the stop, educate, and mitigate strategy:

Stop as many malicious emails as you can from reaching employees. To do so, you need to keep your company’s email filtering and anti-malware tools up-to-date. They can capture many phishing and malware-laden emails. You might even want to explore getting an email security solution that uses advanced technologies to catch malicious emails. In addition, make sure that employees’ email addresses and other potentially sensitive information (e.g., job titles) are not publicly available.

Educate employees so they can spot any malicious emails that reach their inboxes. While email filters often snag phishing attacks, they are not as good at stopping impersonation emails. Plus, most anti-malware software is only effective against known malware strains. Thus, it is important to educate employees about the types of malicious emails they might encounter and how to spot them (e.g., check for spoofed names in an email’s “From” field). As part of this training, be sure to inform them about the risks associated with clicking email links and opening email attachments. Plus, let them know how hackers find the information they need to personalize impersonation emails (e.g., social engineering).

Mitigate the effects of successful email attacks. Cybercriminals keep coming up with new ways to pilfer money, steal data, and compromise systems using email, so your company might fall victim to an attack despite everyone’s best efforts to prevent it. Taking a few preemptive measures might help mitigate the effects of a successful email attack. For example, since obtaining login credentials is the goal of many phishing emails, you should make sure each business account has a unique, strong password. That way, if a phishing scam provides hackers with the password for one account, they won’t be able to access any other accounts with it. Equally important, you need to perform backups regularly and make sure they can be restored. This will enable you to get your data back if an employee inadvertently initiates a ransomware attack by clicking a link in an impersonation email.

The Individual Steps

The individual steps for implementing the stop, educate, and mitigate strategy will vary depending on your business’s needs. We can help you develop and implement a comprehensive plan to defend against malicious emails.