Training is essential to build cybersecurity awareness
Article by Fortinet A/NZ and Pacific Islands regional director Jon McGettigan.
The sharp increase in people working from home has created a number of security issues for organisations. Their perimeter is no longer well-defined, and includes the laptops and smart devices of all of their workers, scattered around the country. At the same time, cybercriminals are on the hunt for new victims and know that COVID-19 has created a new raft of vulnerabilities. More than ever, businesses need to ensure that all their workers have the right skills and training to protect the business from cybercrime.
The fact that cybercriminals are constantly on the lookout for lucrative targets isn’t news to anyone at this point. The threat is growing even more complex with the addition of COVID-19 related scams that frighten people into clicking on malicious links and providing their personal information to cybercriminals.
Most office workers have been largely protected from cybercrime in the past because they work behind a secure corporate firewall with inbuilt security features such as anti-malware and intrusion detection systems. The onset of COVID-19 meant entire workforces needed to work from home with little notice. In many organisations, workers are using a combination of corporate and personal devices to access corporate data and systems. This creates new levels of complexity for IT and security teams who need to gain visibility into all the devices that are accessing corporate networks and ensure they’re not introducing cyber threats.
While IT and security teams work to put the right security tools and solutions in place, it’s important for every member of the organisation to be aware of their responsibility when it comes to keeping the organisation safe from cyber attacks.
Cybersecurity is the responsibility of every single person in the organisation. This means cybersecurity awareness is just as important for end users as it is for the IT team. This awareness doesn’t just happen; every business must take responsibility for educating its users to reduce the risk of a social engineering or phishing attack being successful.
Organisations need to take the time to educate all users regarding the types of threats and scams they may be exposed to, and provide advice on what users need to do when confronted by a possible attack.
This can be as basic as reminding users not to click on links in text messages or emails but, rather, to enter the URL of a website directly into their browser. This can help avoid attacks where users are directed to spoof websites that capture their login details and other sensitive information.
Furthermore, users should be reminded to update all applications as those updates become available, as this helps protect against known vulnerabilities and threats. They should be warned not to open attachments they weren’t expecting to receive and to treat with suspicion any text message or email that includes an offer or discount that seems too good to be true.
It’s important to note that it isn’t generally sufficient to provide employees with a one-time information session regarding cybersecurity. Instead, organisations should communicate consistently and frequently regarding the threats that are being faced and how to avoid them. Some organisations incorporate gamification and other methods to keep cybersecurity training fun and interesting. This can be an effective way to ensure that people are understanding and heeding the message regarding their role in keeping the organisation cyber secure.
Cybercriminals often leverage ignorance or innocence to launch their attacks. When everyone in the organisation is cybersavvy, these types of attacks just won’t succeed. Cybercriminals must then move onto new approaches or new targets, and they typically choose new targets because it’s easier and more cost-effective for them. By enlisting everyone in the fight against cyber attacks, organisations can dramatically improve their security posture without spending a cent.