In this episode of The Power Up Project, we cover:
- Part 4 of our five-part cyber security series – Cyber Security Awareness
- Why cyber security is a very hot topic in business today.
- Everything you need to know about cyber security and why your organisation should be aware.
In this episode we’ll be talking about cyber security awareness.
Welcome back to the Power Up Project. It’s great to have you here for the next in our five-part series on our five most effective cyber security defences for your business. So far in this series we’ve spoken about having an advanced intelligent firewall, we’ve spoken about the importance of cyber insurance, and we’ve also spoken about multi-factor authentication.
Today what we’re going to talk about is something that brings it back to what is usually the weakest link in any of our cyber security defences and that is our people. When we look at cyber security breaches, in the majority of cases it comes down to people, it comes down to humans who have essentially taken some action which has bypassed or compromised security and has allowed the malicious actors to gain a foothold in the business network.
We can put all of the best technology in place, we can put fancy firewalls, we can put multi-factor authentication, we can do all of this but at the end of the day what we really need to be addressing is our people. Now our people and our staff, they want to do the best thing. None of them are out there looking to get breached by a malicious actor, so what we need to help them with then is recognising these threats and training them on how to respond when they do detect or recognise one of these threats.
The most common form of threat that we see coming through is a malicious e-mail. These phishing e-mails are definitely the most common at the moment. We’re seeing a rapidly increasing number of whaling, spear phishing and other more targeted phishing attacks, but the e-mail vector really is still probably the biggest one that we see out there in the wild. This is when a staff member in your business receives an e-mail that looks legit: it looks like it’s coming legitimately from one of your suppliers, or from a business that they deal with personally, perhaps nothing to do with the fact that they’re a staff member of your organisation, and they click on a link in that e-mail and that link lets the bad actors in. From there the bad actors have access to your network, and then it’s just a case of how quickly we can respond, lock things down and protect your digital assets.
What we need to do is provide training for our staff on how to recognise these malicious e-mails, dodgy websites they shouldn’t be going to, and so on. There are a number of ways we can do it. This doesn’t need to be a big expensive exercise, and it doesn’t need to be super intrusive either. One of the most common ways that we see people going about this training at the moment is what is often called a friendly phishing campaign. This is when we actually send pretend malicious e-mails to our own staff and we see who reads them and who clicks on them. Of course, if they do click on them that’s okay, because it’s not truly a malicious e-mail, it’s just a pretend one, and it will log the fact that this happened so we can gather some statistics on how well our people are actually avoiding these threats, or how often they’re actually clicking through to them. But we can then also lead that staff member onto a little bit of training.
We can take them to a webpage, for example, which is not a malicious webpage but it’s a friendly webpage that says, “Hey, you know what? Gotcha! That was a malicious e-mail. Here’s why you should have recognised that that was not a legitimate e-mail. Here’s what you should do with it next time you see something that matches these particular criteria.” So it’s a very friendly non-intrusive way of helping to train our staff and keep it a little bit front of mind that they do need to be on the lookout for these particular attacks.
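The cues that a friendly-phishing landing page would point out ("here’s why you should have recognised that") can be checked mechanically. The following is an added example, not code from the Power Up Project episode or from Grassroots IT: it reads a raw e-mail with Python’s standard `email` library and lists the tell-tale signs a staff member should have spotted, namely an unfamiliar sender domain, a display name that impersonates a known supplier, a mismatched Reply-To, link text that shows one site while the href goes to another, and pressure language in the subject. The two sample messages, the `TRUSTED_DOMAINS` set and every domain in them are constructed placeholders.

```python
"""Phishing-indicator check for a security awareness "gotcha" page (added example)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this hypothetical organisation treats as its own or as known suppliers.
TRUSTED_DOMAINS = {"example-company.test", "supplier.example"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "action required")


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def domain_in_text(text):
    """Domain a link's visible text appears to point to, or '' if it is not URL-like."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return registered_domain(host) if "." in host and " " not in text else ""


def phishing_indicators(raw_message):
    """Return human-readable reasons the message looks like phishing ([] if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Sender's domain is not one we do business with.
    if from_domain and registered_domain(from_domain) not in TRUSTED_DOMAINS:
        reasons.append(f"Sender domain '{from_domain}' is not a known supplier domain.")

    # 2. Display name names a trusted organisation but the address does not match it.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and registered_domain(from_domain) != trusted:
            reasons.append(f"Display name mentions '{brand}' but the address is @{from_domain}.")

    # 3. Replies are silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"Replies would go to '{reply_to}', not to the sender.")

    # 4. Link text shows one site but the href actually goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for text, href in collector.links:
        target = registered_domain(urlparse(href).hostname)
        shown = domain_in_text(text)
        if shown and shown != target:
            reasons.append(f"Link shows '{text}' but actually goes to '{target}'.")
        elif target not in TRUSTED_DOMAINS:
            reasons.append(f"Link goes to untrusted domain '{target}'.")

    # 5. Pressure language designed to rush the reader into clicking.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        reasons.append("Subject uses pressure language to rush you into clicking.")

    return reasons


# Constructed sample: a fake "overdue invoice" pretending to come from a supplier.
SAMPLE_PHISH = """\
From: "Supplier Accounts" <accounts@supp1ier-invoices.test>
Reply-To: collect@mailbox-relay.test
To: staff@example-company.test
Subject: URGENT: overdue invoice - action required
Content-Type: text/html; charset=utf-8

<html><body><p>Your invoice is overdue. Review it here:
<a href="http://login.supplier.example.payment-portal-verify.test/inv">https://supplier.example/invoices</a></p></body></html>
"""

# Constructed sample: a genuine message from the same supplier, for comparison.
SAMPLE_LEGIT = """\
From: "Supplier Accounts" <accounts@supplier.example>
To: staff@example-company.test
Subject: Invoice 1042 for March
Content-Type: text/html; charset=utf-8

<html><body><p>Invoice attached. Details:
<a href="https://supplier.example/invoices/1042">https://supplier.example/invoices/1042</a></p></body></html>
"""

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_PHISH):
        print("-", reason)
    print("legitimate message flags:", phishing_indicators(SAMPLE_LEGIT))
```

Run stand-alone, the script prints the five reasons for the constructed phishing sample and an empty list for the genuine one. The domain comparison is deliberately simple (last two labels), which is enough to show the idea; a production check would use a public-suffix list and the organisation’s real supplier allow-list.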
Now you can take that training up a notch and send your staff away on training courses, although that can obviously be disruptive because you’re without a staff member for a period of time. The other option, of course, is to bring a trainer into your business and run some lunch-and-learn type training sessions, which can be very effective. They can be short and sweet, 20 to 30 minutes, people can sit around and have a sandwich, and you can deliver some training to your people to raise their level of awareness about these cyber security threats. You could even deliver that training in a webinar style if you have people working from multiple locations.
My homework for you today: have a think about your staff’s cyber security awareness. I can probably guarantee that it is not as high as you would like to think that it is and consider whether it may be worthwhile investing in some awareness training for your staff.
Thanks for listening to this episode of the Power Up Project brought to you by Grassroots IT and Digit IT. Please leave us a review wherever you get your podcasts and until next time, keep powering up.