...to destroy all the good that your company has done for months or even years. What am I talking about? Cybersecurity.
Picture this: all your systems are securely nested in the cloud, you have all the security alerts in place, your company is compliant with every security requirement, and you are feeling really good about your security posture. Then it happens: the prince of an unknown country needs the help of one of your loyal and trustworthy employees and sends that famous email: “I’m the prince of such and such and I have 50 million dollars in excess money that needs to be transferred out of the country but can’t get rid of it… provide me your bank account number to store the money and in return I will pay you a hefty sum.” How can you say no to a prince?
This is just one of many examples that information security experts deal with on a daily basis: a phishing scam. Phishing is a cyber attack in which the attacker sends email impersonating someone else to induce individuals into providing passwords, credit card numbers, bank information, money, or other sensitive personal information, often with malicious intent. The knee-jerk reaction to an email like this is to think it is a ridiculous attempt that would never work. However, you would be surprised at the success rate of these attacks. It’s one of the longest-running scams out there.
There’s this case where an administrative assistant transferred 1,000 dollars in response to a phishing attack claiming that their CEO was caught without his corporate card at an executive conference. Even though the assistant knew he was really on vacation, the pressure of doing the job caused a lapse in judgement. By the time the company realized it was a scam, it was already too late.
There was no tool or security system that would have prevented the administrative assistant from wiring that money to the allegedly stranded CEO. With the rising costs of cybersecurity services and security tools, sometimes more protection is not the right solution. Education and training, on the other hand, tackle the human aspect. Untrained employees pose a potential danger to your organization: they open an intangible hole in your security, and that is exactly what phishing attacks count on.
Involve your team and make sure that they understand the risks of acting without knowledge. With the right education they become part of the solution.
Cybersecurity guidance calls for yearly security awareness training, but is it really enough? It might be if you only need to be compliant with one of the many guidelines out there. If you really want to lower your security risk footprint, quarterly training might be more adequate. Furthermore, remedial and targeted training is starting to play a major role in helping victims of phishing (or other types of) attacks understand the importance of being secure and careful when using electronic communication.
It's always smart to create a cybersecurity-conscious workforce. Creating a yearly training plan is in your company’s best interest. If you need help creating and implementing your training plan, let us know!