Six Steps to Improve Staff Security Awareness
Most of us would like to think we could easily spot a scam email, smugly pressing ‘delete’ when a fake antivirus alert, or another heart-wrenching foreign scam story, lands in our inbox.
Increasing numbers of U.S. workers are being drawn into the digital devil’s lair. Average annual losses caused by cyber criminal activities now exceed $7.7 million per organization. And in the past three years, cybercrime costs have quadrupled: by 2019, it’s projected to reach an astounding $2 trillion.
With digital services at the heart of almost every business function nowadays (think marketing automation, customer relationship management and system logistics), the responsibility no longer rests with the IT team alone.
Every employee has a duty to know the risks and exercise caution when working online.
But how can you get staff to play their part? How can you teach them about the latest scams? And how can you prove your efforts have actually prevented a ‘scam-tastrophe’ for your organization?
Getting your message through to employees and developing a security-aware culture will only work if there’s a solid, ongoing communications plan in place.
There’s no better time to rethink your internal communications approach and go beyond the outdated “all staff” email.
1. Know what you’re up against.
Phishing emails (that contain a link or attachment to launch malicious code into a network) continue to be the worst offenders, accountable for more than 90 percent of attacks. Keep up to date with the latest scams by checking the FBI’s list of Common Fraud Schemes. Decide which ones are most relevant to your organization then develop a timeline for communicating each topic, ideally allowing 4 – 6 weeks for each one.
2. Tailor content to different audiences.
Nobody is immune from a phishing attack. This means that awareness learning must be as relevant to the C-Suite as it is to the most junior member of staff. Once you’ve prioritized your topics, tailor content according to roles using hypothetical scenarios. For example, the C-Suite is at an increased risk of being targeted with what appears to be a genuine email from the Finance team, requesting authorization to pay a known supplier’s account, except that the bank details are different. Other staff are at risk of receiving email scams that impersonate senior executives. For instance, if the CEO’s email is john@example.com, the spoof address could replace the letter ‘l’ in example with a capital ‘I’ so that it looks the same, e.g. john@exampIe.com. Recreate what this email could look like (see next point) to demonstrate just how sophisticated these scams have become.
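A defensive check for the lookalike-address trick described above, added here as an example and not taken from the original article: it flags sender domains that equal a trusted domain only after confusable characters are normalised (capital I or digit 1 for l, 0 for o, rn for m, vv for w), or that sit within one edit of it. The trusted-domain list and the sample sender addresses are constructed for illustration.

```python
"""Lookalike sender-domain check (added example; trusted list and samples are constructed)."""

# Single characters that are easily mistaken for another in a domain name.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})
# Character pairs that look like a single letter in many fonts.
MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))

TRUSTED_DOMAINS = {"example.com"}  # constructed: replace with your own domains


def normalise(domain: str) -> str:
    """Map confusable characters to the letters they imitate, then lowercase."""
    d = domain.translate(CONFUSABLES)
    for seq, repl in MULTI_CONFUSABLES:
        d = d.replace(seq, repl)
    return d.lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (catches dropped or swapped characters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for an e-mail address."""
    raw_domain = address.rsplit("@", 1)[-1]
    domain = raw_domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalise(raw_domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    return "external"


def scan(addresses):
    """Classify every address; handy for a mailbox export or a gateway log."""
    return {addr: classify_sender(addr) for addr in addresses}


SAMPLE_SENDERS = [  # constructed for illustration
    "john@example.com", "john@exampIe.com", "ceo@examp1e.com",
    "john@exarnple.com", "finance@example.co", "alice@partner.org",
]

if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_SENDERS).items():
        print(f"{verdict:9s} {addr}")
```

The check is deliberately strict about subdomains (mail.example.com is reported as external), so extend TRUSTED_DOMAINS or add a suffix rule if your organisation sends from several.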
3. Simulate a phishing attack.
An effective way to ascertain how phish-prone your employees are is to simulate a phishing attack. These test emails should be designed to look legitimate, but with some subtle tell-tale signs (e.g., an unfamiliar URL shown when hovering over a link, or grammatical errors).
Those individuals who take the bait and click on suspicious links are candidates for further security awareness training (and follow-up simulated emails). Note: if you do not have the resources in house to set this up, there are third-party suppliers who specialize in simulated phishing.
4. Take a campaign approach.
It’s unlikely that employees will fully grasp what’s required of them from a single communication. Messages that stand a chance of getting through and being understood are those that are highly visual, delivered in different formats and repeated over time, the same way many of today’s biggest brands reach us with their advertising.
Follow this communication practice by creating a series of ‘drip’ messages released in short, sharp bursts. This bite-size approach makes it easier for employees to consume information and builds momentum quickly. By varying the channels (video, screensavers, tickers, alerts) you’ll be covering all bases, appealing to all ages and learning styles.
5. Engage using modern communication tools.
Employees have become accustomed to consuming rich media content in their private lives, and expect the same in their working lives.
Depending on your objectives, you may want to kick-start a campaign using high-impact tools. To raise awareness and get security information noticed, on-screen tickers and desktop pop-up alerts sent directly to employees’ screens are powerful formats that bypass email completely. These are also useful for urgent messages, warning employees about a new security threat, a breach, or a malicious email that’s just arrived in their inbox.
Links to further information, such as the company Intranet or a training video can be included in these channels.
Screensavers are the ‘surprising star’ for message reinforcement, acting as a silent but ubiquitous reminder. Gamification tools, such as surveys and quizzes, are also effective at engaging employees, especially once a competitive element is included (e.g., “Which team/employee detected the most suspicious fake emails this week?”).
6. Validate training.
Towards the end of your campaign, get proof that staff are more aware of security issues by conducting a quiz. Their responses indicate whether they have understood the training, and reveal knowledge gaps for further coaching. For evidence of behavioral change, consider sending a validation message, asking the employee to comply, acknowledge and confirm their understanding.
None of this works without a solid, ongoing communications plan. That critical part often gets overlooked, but it can actually deliver the most gains in preventing cybercrime. The bottom line is that everyone has a responsibility to be aware of today’s cyber risks.