To reduce the chances of your company falling victim to ransomware or another cyber-attack, your employees should know the red flags of a cyber-attack – and you should be regularly testing them on their knowledge.
No, we don’t mean giving your team a written pop quiz on data security theories. When we say test your employees, we mean things like sending a fake phishing email to everyone in your organization and seeing who clicks on the bad link (PTG customers – we can help you with this!). This tests how they will actually respond to a real attack, rather than what they say they would do.
Here’s why you should be testing:
More and more companies are taking data security seriously, but many don’t feel adequately prepared for an attack. Where do you stand? If your employees are targeted in a phishing or ransomware attack, would they be able to identify it as malicious?
If your answer is “Of course they would!” (and you don’t already have data security training in place), is there a chance you’re operating under an “It’ll never happen to me” mentality? Regularly testing your employees can help you get a gut check on the reality of your employees' ability to spot an attack.
Testing shouldn’t be a one-time thing, though. Data security threats are constantly evolving and changing. Just because your employees pass the test one day, doesn’t mean they will pass three months from now – or even tomorrow. Business owners shouldn’t exclude themselves (and other high-level employees) from testing either – if anything, you’re more likely to be a target.
Testing your employees can help you identify weak areas. Is there a particular type of attack your employees are having trouble spotting? They may be great at recognizing one kind of phishing email, but if they can’t tell an email with a malicious link from a legitimate one, that’s just as dangerous.
Almost every company has at least one employee who will click on anything (usually more). Testing can help you identify who these people are, so you can direct training to the employees who need it the most.
Identifying your weak topic areas and your risky employees is especially important, since many attacks target people based on their job role or department. One common social engineering email attack is for an attacker to pose as a high-level employee and ask HR employees for personnel files, or ask finance employees to wire a large sum of money out of the company.
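What a simulated phishing test produces, and how to turn the raw clicks into the two views described above (weak topic areas and risky employees, plus the per-department breakdown that role-targeted attacks call for), as an added example that is not part of the original post or any PTG tooling. Every name here is constructed for the example: the landing-page host, the campaign secret, the employee roster and departments, the three lure types, and the click log itself. Each recipient gets a unique HMAC-based token in their link so a click can be attributed to exactly one person and a token seen by one recipient cannot be altered to impersonate another. The report rate is an extra metric the text does not mention but that is worth tracking alongside the click rate:

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Assumptions for this example: a landing-page host and a per-campaign secret.
LANDING_HOST = "https://training.example.com/landing"
CAMPAIGN_SECRET = b"rotate-this-per-campaign"

# Constructed employee roster (not real data): user -> department.
EMPLOYEES: Dict[str, str] = {
    "alice": "finance",
    "bob": "hr",
    "carol": "sales",
    "dave": "finance",
    "erin": "exec",
}

# Constructed campaigns: campaign id -> the lure type its template tests.
CAMPAIGNS: Dict[str, str] = {
    "c1": "malicious_link",
    "c2": "malicious_attachment",
    "c3": "ceo_wire_request",
}


def tracking_token(campaign_id: str, user: str) -> str:
    """Per-recipient token: an HMAC over campaign id and user, so a click can be
    attributed to one person but a token cannot be guessed or altered by someone
    who has seen another recipient's link."""
    msg = f"{campaign_id}:{user}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def tracking_url(campaign_id: str, user: str) -> str:
    """The link that goes into the simulated phishing email for this recipient."""
    return f"{LANDING_HOST}?c={campaign_id}&t={tracking_token(campaign_id, user)}"


def resolve_click(url: str) -> Optional[Tuple[str, str]]:
    """Map a clicked URL back to (campaign_id, user); None if the campaign is
    unknown or the token does not verify (tampered, truncated or guessed)."""
    qs = parse_qs(urlparse(url).query)
    campaign_id = qs.get("c", [None])[0]
    token = qs.get("t", [None])[0]
    if campaign_id not in CAMPAIGNS or not token:
        return None
    for user in EMPLOYEES:
        if hmac.compare_digest(tracking_token(campaign_id, user), token):
            return campaign_id, user
    return None


def analyze(click_log: Iterable[str], reported: Set[Tuple[str, str]]) -> dict:
    """Turn raw clicked URLs plus the set of (campaign_id, user) pairs who
    reported the email into: click rate per lure type (weak topic areas), click
    rate per department, repeat clickers (who needs targeted training) and
    report rate per lure type."""
    clicked: Set[Tuple[str, str]] = set()  # a set, so a double click counts once
    for url in click_log:
        hit = resolve_click(url)
        if hit is not None:
            clicked.add(hit)

    lure_sent, lure_clicks, lure_reports = defaultdict(int), defaultdict(int), defaultdict(int)
    dept_sent, dept_clicks = defaultdict(int), defaultdict(int)
    per_user = defaultdict(int)
    for cid, lure in CAMPAIGNS.items():
        for user, dept in EMPLOYEES.items():
            lure_sent[lure] += 1
            dept_sent[dept] += 1
            if (cid, user) in clicked:
                lure_clicks[lure] += 1
                dept_clicks[dept] += 1
                per_user[user] += 1
            if (cid, user) in reported:
                lure_reports[lure] += 1

    return {
        "click_rate_by_lure": {l: lure_clicks[l] / lure_sent[l] for l in lure_sent},
        "click_rate_by_dept": {d: dept_clicks[d] / dept_sent[d] for d in dept_sent},
        "report_rate_by_lure": {l: lure_reports[l] / lure_sent[l] for l in lure_sent},
        "repeat_clickers": sorted(u for u, n in per_user.items() if n >= 2),
    }


# Constructed click log: what the landing page would have recorded.
SAMPLE_CLICK_LOG = [
    tracking_url("c1", "alice"),
    tracking_url("c1", "alice"),                 # same person, clicked twice
    tracking_url("c1", "carol"),
    tracking_url("c2", "alice"),
    tracking_url("c2", "bob"),
    tracking_url("c3", "dave"),
    LANDING_HOST + "?c=c1&t=0000000000000000",   # tampered token: ignored
    LANDING_HOST + "?c=zzz&t=abc",               # unknown campaign: ignored
]
# Constructed: who reported the simulated email to IT instead of clicking.
SAMPLE_REPORTED = {("c1", "bob"), ("c3", "erin")}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CLICK_LOG, SAMPLE_REPORTED).items():
        print(key, value)
```

On this constructed data, the link and attachment lures both get a 40% click rate while the wire-request lure gets 20%, finance clicks on half of everything it receives, and alice is the only repeat clicker, which is exactly the kind of output you would use to decide which training to run and for whom. The per-recipient token matters in a real deployment: without it, a forwarded link or a guessed URL would be attributed to the wrong person, and the tampered entries in the log show why unverifiable clicks are dropped rather than counted.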
Most companies already have a firewall and an anti-spam filter (if you don’t have either of those – you should!), and many people have at least heard of encrypted email. But there are many additional add-ons available to help you cut down on the number of malicious emails that get into your organization in the first place.
You can use the information gathered in your tests to figure out what kind of add-ons would be most beneficial. For example, if one of your weak areas is employees opening unsafe attachments, you could add on something like Advanced Threat Protection for Office 365 (now called Microsoft Defender for Office 365). It scans attachments and links for malicious content before allowing the email to reach your employees’ inboxes.
While the right tools can significantly limit the number of malicious emails coming in, they won’t catch everything. Most tools also can’t spot social engineering attacks that don’t involve a malicious link or attachment (like a cyber criminal impersonating a high-level employee and requesting a wire transfer in plain text).
You still need to train your employees. Use the weak areas you identify to craft a data security training plan that includes a focus on the areas and the employees who need it most (PTG customers – we can help with this part, too). Giving your employees the knowledge to spot an attack and take the appropriate actions is the best thing you can do for data security as a whole.
The key to success when testing your employees’ data security knowledge is acting on the results by giving your employees the tools and knowledge they need to do their jobs and stay safe. The worst thing you can do is to test your employees and do nothing with the results, or to use the results to punish them.
We’re going to repeat that last part: don’t shame or punish your employees for failing a data security test (or for falling victim to a real attack). Rather than getting them to take data security more seriously, you’ll make them less likely to report a real phishing email or data breach in the future for fear of being punished again, and a late report is far more costly than a click.
You also need to set realistic expectations for improvements. Your employees aren’t all going to become data security masters overnight. Realistically, good data security training programs result in small, incremental changes that add up over time.