With Cyber Attacks Targeting Employees, These are the Best Practices to Keep Your Company Safe
September 16, 2022
Cyber safety for employees
When it comes to cyber security for small and medium-sized businesses (SMBs), employees can be a significant source of risk.
No matter how well companies keep their systems up-to-date and follow cyber security best practices, every single employee has the potential to become an entry point for cyber criminals, who will go to extreme lengths to exploit workers and enter companies’ servers. A cyber attack on just one employee can wreak havoc on an entire organization, and human error remains a primary cause of cyber attacks.
That’s why ongoing employee training and company-wide cyber security protocols are critical. In the same way that you should commit resources to patching tech vulnerabilities and implementing layers of security, you should also invest in cyber security education for employees if you want your business to be as secure as possible.
Here’s everything that SMBs should consider when training employees on cyber safety.
Biggest cyber threats that target employees
First things first: know your enemy.
If you want to prepare your employees to spot and avoid cyber attacks, then you need to understand the most common cyber threats leveraged against employees of SMBs. While scammers typically operate at a level of sophistication that can make fraud challenging to spot, there are some common tactics that employees can look out for when they’re equipped with the proper training.
Phishing and social engineering
Social engineering is the most common type of cyber attack targeting individuals, so it’s no surprise that this is a form of fraud frequently leveraged against employees of SMBs.
Phishing is the most common type of social engineering faced by employees. This refers to when criminals send fraudulent emails, pretending to be a legitimate person or enterprise, in order to trick the recipient into revealing sensitive personal or company information, sending funds, or installing malware onto their device. Social engineering is an umbrella term that includes fraudulent communication of any kind, including via emails as well as phone calls, chat servers, and SMS messages.
While this type of scam may sound easy enough to spot, perpetrators of phishing and social engineering will do their research and go to great lengths to trick employees. Anyone can fall prey to social engineering scams — including both junior and senior employees — if they don’t know what to look out for.
Malware
Malware is software, typically installed without a user’s knowledge or intent, that is designed to allow an attacker to gain unauthorized access to a device or server. It can also be used to disrupt or damage a computer system.
Malware can be installed on a device through a few different methods. One frequent method that affects SMB employees is delivery via phishing emails in which the sender adds a link that appears legitimate, but that actually installs malware onto the user’s device when clicked.
Even if just one employee at a business installs malware onto their device, it can compromise a company’s network, granting an attacker access to sensitive information or disrupting business operations.
Insider threats
Unfortunately, employees themselves can commit cyber crime. The Cybersecurity & Infrastructure Security Agency defines an insider threat as “the potential for an insider to use their authorized access or understanding of an organization to harm that organization.”
The possibility of insider threats is a significant reason why companies should limit access to documents and accounts — especially those with sensitive company information — to only those employees who actually need access. It’s also one reason why it’s important to have cyber security company protocols, and why it’s important to immediately revoke all account access when an employee leaves the company.
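One way to turn the two rules above (access only for those who need it, and revocation the moment someone leaves) into a repeatable check is a small access review that compares an export of active accounts against the HR roster and a role-to-system entitlement map. This is an added example, not code from the article; the roster, entitlement map and account snapshot are all constructed, hypothetical data.

```python
from datetime import date

# Constructed HR roster (hypothetical): user id -> (role, departure date or None).
HR_ROSTER = {
    "u100": ("finance", None),
    "u101": ("engineering", None),
    "u102": ("sales", date(2022, 8, 31)),   # left the company
}

# Hypothetical policy: which systems each role legitimately needs.
ROLE_ENTITLEMENTS = {
    "finance": {"email", "erp", "bank-portal"},
    "engineering": {"email", "source-control"},
    "sales": {"email", "crm"},
}

# Constructed snapshot of accounts, as an export from company systems would look.
ACCOUNTS = [
    {"user": "u100", "system": "email"},
    {"user": "u100", "system": "bank-portal"},
    {"user": "u101", "system": "email"},
    {"user": "u101", "system": "bank-portal"},   # engineer holding finance access
    {"user": "u102", "system": "email"},          # departed employee still active
    {"user": "u102", "system": "crm"},
    {"user": "u999", "system": "erp"},            # account with no HR record at all
]


def audit_access(accounts, roster, entitlements, today):
    """Split accounts into two lists of (user, system, reason) tuples.

    to_revoke: accounts of departed users or users with no HR record.
    to_review: accounts that exceed what the user's role requires.
    """
    to_revoke, to_review = [], []
    for acct in accounts:
        record = roster.get(acct["user"])
        if record is None:
            to_revoke.append((acct["user"], acct["system"], "no HR record"))
            continue
        role, left = record
        if left is not None and left <= today:
            to_revoke.append((acct["user"], acct["system"], f"left on {left.isoformat()}"))
        elif acct["system"] not in entitlements.get(role, set()):
            to_review.append((acct["user"], acct["system"], f"not required for role {role}"))
    return to_revoke, to_review


if __name__ == "__main__":
    revoke, review = audit_access(ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS, date(2022, 9, 16))
    for row in revoke:
        print("REVOKE", *row)
    for row in review:
        print("REVIEW", *row)
```

Running this on a schedule (or as part of the offboarding checklist) catches the two failure modes the text warns about: an account that outlives its owner's employment, and a live employee accumulating access their role never needed.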
Best cyber security protocols to put in place
Establishing and enforcing company cyber security protocols can help prevent cyber criminals from taking advantage of your employees. This is like putting up safety rails — it won’t totally prevent employees from being duped by scammers, but it will give them a safer environment in which to operate, thus reducing the likelihood of fraud.
Here are some of the best strategies for SMBs to consider putting in place:
A cyber security policy
When it comes to cyber security, you should make your expectations of your employees clear. When you onboard new hires, have them sign a company policy agreeing to follow certain cyber practices and protocols. This helps everyone stay on the same page with regard to company cyber safety.
A company’s cyber security policy will vary based on industry and company, but it can involve protocols for the transfer of money or goods, device rules, password guidelines, and other protocols along those lines.
Multiple layers of authentication
Although extra authentication steps can feel like a hassle, they are absolutely worth it. Adding steps to account logins makes it more difficult for bad actors to gain access. It’s critical to impress the importance of authentication upon your employees and to incorporate authentication protocols into your company accounts and policies.
Incident reporting protocols
Companies need to have clearly communicated incident reporting pathways and protocols in place so that employees can report issues or potential cyber threats as soon as they appear.
Even with plenty of precautions and training, bad things can happen. Empower employees to report suspicious activity whenever they notice it, because the sooner you know about a threat, the sooner you can address it and minimize damage.
How to train employees in cyber security
Cyber awareness training should be a continuous process for businesses. The cyber security landscape is constantly evolving, which is why ongoing training helps employees stay up-to-date with cyber safety best practices and protect the company’s data.
Following are some of the top cyber protection tips to train your employees on.
Spotting social engineering
Scammers often exploit employees who are in a rush to get things done or meet deadlines, because this leaves less room for those targeted to spot the red flags of social engineering attacks. For that reason, employees should be trained to pay very close attention to all inbound messages to make sure they’re actually from legitimate, trusted individuals and businesses.
Social engineering has become very sophisticated, and bad actors are adept at spoofing emails and mimicking legitimate organizations. These are some of the most common social engineering tricks that employees should keep an eye out for:
Spoofed emails: This is when cyber criminals mimic the email address of a known person or business, typically just altering one letter, number, or symbol in hopes that the recipient won't be paying enough attention to notice.
Unusual requests: Even if the request appears to be coming from a coworker or trusted client or partner, if it's something out of the ordinary - especially involving the transfer of money or goods - this is a red flag.
Messages with elements missing: If a message looks strange in any way, it could be fraud. Employees should pay close attention to email signatures, punctuation, and headers in emails to make sure everything looks normal. And if the email sender doesn't address them by name or doesn't sign their own name, for example, this should cue the employee to double-check the sender's legitimacy.
Spotting scammers involves constant attention to detail, which is why employees should receive ongoing training. You can also give them opportunities to prepare by sending out “practice” phishing messages so they can get used to spotting the warning signs.
Verifying identities
Train employees to make a habit of double-checking people’s identities, especially before they make a financial transaction, provide sensitive information, or approve a transfer of goods.
Whenever employees receive a message that involves sending money, personal or company info, or goods, they should use external means to confirm the legitimacy of the person or entity who contacted them — just to be on the safe side. This might include reaching out to a coworker on a different messaging platform, finding a business’s website or email address online, or using saved contact information to make a call (rather than the contact info provided in an email signature).
Although this added step may seem like overkill, it’s worth the effort. Preventing a cyber attack is always easier than recovering from one.
Avoiding suspicious links and websites
All employees should follow this golden rule: If a link looks at all suspicious or unusual, don’t click on it.
Individuals should keep a careful eye out for spoofed websites, which are similar to spoofed email addresses in that they’ll appear almost identical to a legitimate URL but with one character changed or swapped with another.
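The "one character changed" trick described for spoofed email addresses above and for spoofed websites here is exactly the kind of thing a machine spots more reliably than a rushed employee. The following is an added example, not code from the article: a small look-alike detector that takes a sender address or a URL, extracts the host, and compares it against a constructed list of trusted domains using homoglyph folding (0 for o, rn for m, and so on) plus a one-edit distance check. The trusted domains and the sample inputs are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed list of domains the (hypothetical) company trusts.
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com", "supplier.example.net"}

# Character sequences commonly swapped for visually similar ones; folded before comparing.
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(host: str) -> str:
    """Lower-case a hostname and fold common look-alike sequences to what they imitate."""
    host = host.lower()
    for fake, real in _HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, or swap two neighbours."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def extract_host(value: str) -> str:
    """Return the host of a URL, an e-mail address, or a bare domain (lower-cased)."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].strip("> ").lower()
    return (urlparse("http://" + value).hostname or "").lower()


def classify(value: str) -> str:
    """Label an address or URL as 'trusted', 'lookalike of <domain>', or 'unknown'."""
    host = extract_host(value)
    parts = host.split(".")
    # A trusted domain or any of its subdomains (mail.example-corp.com) is trusted.
    for i in range(len(parts) - 1):
        if ".".join(parts[i:]) in TRUSTED_DOMAINS:
            return "trusted"
    folded = normalize(host)
    for trusted in sorted(TRUSTED_DOMAINS):
        if folded == normalize(trusted) or edit_distance(host, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inputs of the kind a mail gateway or browser extension would see.
    for sample in ["alice@example-corp.com", "alice@exarnple-corp.com",
                   "https://example-c0rp.com/invoice", "https://exampel-corp.com/login",
                   "news@totally-different.org"]:
        print(f"{sample:40} -> {classify(sample)}")
```

The homoglyph table is deliberately aggressive, so a legitimate domain that happens to contain "cl" or "rn" can collide with another; treat a "lookalike" result as a prompt for the out-of-band verification the article recommends, not as an automatic block.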
One employee clicking on one malicious link can have devastating effects on the company as a whole. It can lead to malware or can serve as an access point for cyber criminals to enter company accounts or servers.
Strong passwords and authentication
All employees should be trained on the importance of strong and varied passwords, and they should update their passwords on all business accounts regularly. They should never store passwords where they can easily be found, either physically or virtually, and companies should set specific protocols for password management and storage.
Beyond that, all business accounts should have at least one level of authentication beyond just passwords — preferably biometric and/or app-based authentication.
Updating OS, browsers, and apps
Keep all systems on work devices up-to-date, including operating systems, browsers, and other apps, as tech companies often use updates to patch vulnerabilities.
SMBs should alert employees about tech updates when they become available, but employees should also get in the habit of updating as soon as they see the option on any of their systems or accounts. This can go a long way toward warding off data breaches and preventing weak points in a company’s cyber defenses.
Securing physical devices
In addition to adopting cyber security practices online, employees should also take care to safeguard their actual devices. If a work laptop or phone gets into the wrong hands, a criminal may be able to access sensitive or financial information and commit fraud against a company.
Employees should understand a company’s expectations for how they secure and transport their company technology, and there should be protocols in place in the event that a company device is stolen.
Recognizing an attack
While the primary goal is to prevent fraud from happening in the first place, SMBs should also train employees on how to identify a cyber attack.
There are some warning signs to be aware of that can indicate a hacked device, including suspicious activity (such as strange messages or calls), slower than normal load times, a deteriorating battery life, or an unexplained increase in data usage. Not only should employees take note of these potential signs of a cyber attack, but they should also have a clear understanding of company reporting protocols so they can alert the business to any suspicious activity immediately.