Your workers can be the best defense against cyberattacks; but you need to teach them how.
It’s Monday morning; and one of your best employees sits at her desk. She just got back from a trip where she used her credit card more than usual, so she is alarmed when she sees an email from her card company with a subject line about suspicious charges. Without thinking, she opens the email and clicks on the link. Too late, she realizes she’s fallen prey to a phishing expedition. Your employees, even the best of them, are your organization’s biggest threat to cybersecurity; and you might be surprised how easy it is for hackers to fool them. However, you can teach your workers to defend your system when attacks come your way.
One study suggests that up to two-thirds of malicious software, or malware, can infiltrate computer systems through email attachments. These files often appear innocent enough, with messages and subject lines that look and sound legitimate. They seem to come from a familiar sender—a client, a co-worker, a friend, even the person’s bank or insurance company. However, there are some clues to suggest that the message is suspicious:
· While the email appears to come from City Bank or Mary Smith, the email address doesn’t match. For instance, instead of [email protected], the return address is [email protected].
· The attached file has a (.exe) or (.dmg) extension to its file name. These are programs that immediately launch when the file is clicked, enabling the malware to infiltrate your system. Other high-risk attachments may have (.js), (.scr), and (.zip) extensions as well.
· Some malware is protected by a password, which is provided in the message, and requires recipients to enter this information. Once the person does so, the malware comes into your system.
There is much you can do to prevent such cyberattacks from succeeding. However, you need to start by understanding that even the sharpest, most alert of employees can be tricked into opening a suspicious email. It is key to create a culture free of finger-pointing and blame. If employees are afraid to report a phishing attack, you are less likely to learn about it and be able to address the problem before it does considerable damage.
On the back end, you can take some of the burden off employees by monitoring email traffic carefully and tracking all files received in the company’s server—including where they originate and where they go. Set limits on who can access corporate and employee files and how these are stored and shared.
Of course, it also is important to educate and empower employees to recognize suspicious emails and alert management immediately. Encourage them to seek advice if they are unsure about an email, and teach them not to automatically open a message—even when it has an urgent or alarming subject line. When in doubt, they can call their bank or credit card company to determine the validity of the message.
Finally, consider a positive approach to cybersecurity. Offer employees rewards such as gift cards if they successfully thwart a hacker. If someone makes a mistake and opens a link, use this as an opportunity for additional training. You also can send out “fake” emails to test employees’ abilities in a safe space.
