IBM recently announced the results of its research on worldwide data breaches and reports that the average cost of a data breach is $3.86 million. The average cost for each stolen record containing sensitive and confidential information is $148.00.
In my previous blog we discussed the variety of ways that business cyber systems are attacked and compromised, and in those discussions we emphasized our adversaries' use of e-mails to penetrate cyber defenses. In general, the actors compromise cyber defenses by using social media and/or computer intrusions. Most of the cyber defense recommendations I have read recommend “Training the Employees”, but how do we train our employees to protect the business? So here are some suggestions for training employees to spot suspicious e-mails, attachments, or apps.
First, I would recommend briefing your employees on the current trends in cyber crime against businesses. We discussed those trends in the previous blog – but the current trends are Business Email Compromise and Email Account Compromise scams, Ransomware, Theft of Personally Identifiable Information (PII), and Theft of Data by outside actors and/or by corrupt insiders. One common denominator running through each of these attack vectors is the careless use of emails that allows penetration by the bad actors. The cyber criminals are always looking for weaknesses in your IT system such as outdated software, outdated or absent anti-virus and anti-malware software, weak passwords, and any other wormhole into your system. But one common denominator running through the threat vectors is the use of Phishing and Spear Phishing attacks to convince someone to respond to a spoofed email or to open an attachment containing malicious code that infects your system.
From my experience, the best setting for training your employees is a small group led by someone with actual experience working cyber fraud cases. You don’t want the discussion leaders to just regurgitate what they find on the internet. Have everyone in the room silence their phones. The meeting should be in a quiet setting so that everyone can speak and be heard in a normal conversational manner. PowerPoint presentations are not required but are acceptable if people are comfortable enough to interact and ask questions. Early or mid-morning times are great, as is lunchtime, but not while people are eating. The training should be in the range of 45 minutes to 1.5 hours, with a cushion of additional time for questions and answers if needed. The afternoon hours can work, but people tend to lose interest after lunch or close to quitting time. I would also recommend ongoing training to keep up with emerging threats and employee turnover.
Prior to the training session:
1. Discuss date, time, location
2. Discuss Media Requirements
3. Discuss length of time
4. Evaluate any prior training to minimize duplication
5. Discuss nature of the business to tailor presentation to actual needs
Here is a suggested outline for a training session:
II. Case Examples relating to your business environment.
III. Current Threat Vectors
a. BEC and EAC Scams
b. Ransomware
c. Theft of PII
d. Theft of Data (outside actors and corrupt insiders)
IV. Methods used by Adversaries
V. What is an E-mail
VI. What is Phishing and Spear-Phishing
VII. What is Malware
VIII. What is Spoofing
IX. How to Identify possible Spoofing
X. Recommended Protective Measures
a. Discuss several options and suggestions from the list
b. Be aware of the organization’s footprint facing the internet
c. Have a response plan
d. Consider cyber-crime insurance
e. Encourage employees to suggest protective measures
Conclusion: Cyber defense is often considered a technological problem; however, it is also a human problem. Creating effective defenses in your business will depend on buy-in from employees. Can you motivate your employees to practice good cyber hygiene? Will they comply with the rules and regulations in place to prevent cyber intrusions? The answers to these questions may be the difference between an expensive attack and effective prevention of the attack in the first place.