A question we hear often from organizations is "how can we help our employees protect themselves against cyberattacks?" It's a good question, and one that is surprisingly easy to gloss over. Many organizations focus on the big picture of prevention, detection and response across their environment and rely on controls such as multifactor authentication and a Zero Trust model to govern employee access. But with the rise in business email compromise, your employees are truly your first line of defense. How can you help them build a culture of smart security practices that bolsters your organization's defenses?
To help your team understand how they can help defend your organization against cyberattacks, we recommend giving employees the POWER:
- Prepare
- Open Culture
- What?
- Examine
- Report
Let's unpack each of these areas.
Prepare – Employees can't identify an attack if they don't understand the threats they may face and why they may be a target. Be sure that your cybersecurity training is both informative and engaging, not just a "tick-the-box" exercise. Many employees assume they aren't worth targeting, but stolen credentials are a sought-after prize for attackers, and employees need to know what signs to look for and how to stay vigilant.
Open Culture – For employees to identify and thwart attacks, they need to feel comfortable openly questioning what they see and hear during their day. There's a lot to be said for trusting your gut: if something seems off or suspicious, employees should feel comfortable voicing concerns. An open culture that promotes transparency and candid conversations is an important element of your cybersecurity plan. Your culture should make it clear to everyone that when it comes to security, trust is earned, and questioning a request is never out of line.
What? – One of the primary levers of a social engineering attack is a sense of urgency. For example, an email that appears to come from the CEO says she needs a wire transfer now or a big deal will fall through. Many employees' instinct will be to ask how they can help instead of asking a simpler, more obvious question: "What?" Many social engineering attacks hinge on taking away the time we need to think and question why something is being asked of us. Related to the open culture discussed above, if employees are faced with an abnormal, urgent request, they should always take the time to stop and ask what is happening and what the impact would be of fulfilling the request. That alone will often be enough to sniff out a threat.
Examine – Train your employees to look closely at everything. Does the sender's actual email address match the name it claims on a suspicious email? When they hover over a link, does the URL it really points to look legitimate? A sharp eye can catch a lot of potential attacks, especially as deepfakes become more of a threat. New questions will need to be asked: Is the person speaking naturally? Are they taking long pauses? Do they know the agreed passphrase? Yes, really: we recommend agreeing on one, shared out of band, for verifying sensitive requests.
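The two mechanical checks above (does the sender address match, does the link go where its text says) can also be automated. The following is an added example, not code from the original article or a tool it recommends: a Python script that parses a raw email, flags a sender domain that is a lookalike of the organization's own, and flags links whose visible text points to a different host than their href. It goes slightly beyond the text by also catching a trusted name embedded in a longer, unrelated domain. The organization domain `example-corp.com`, the sample message, and the homoglyph substitution table are all constructed for illustration; the domain handling is deliberately simplified.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the organization's real mail/web domain (hypothetical).
TRUSTED_DOMAINS = {"example-corp.com"}

# Digits commonly swapped for look-alike letters in phishing domains (illustrative table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Constructed sample: CEO-themed urgent request from a lookalike domain with a disguised link.
SAMPLE_EMAIL = """From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent wire needed today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please approve the transfer in the portal now:
<a href="http://example-corp.com.login-portal.xyz/approve">https://portal.example-corp.com/approve</a></p>
<p>Policy: <a href="https://example-corp.com/policy">https://example-corp.com/policy</a></p>
</body></html>
"""


def normalize(host: str) -> str:
    """Lower-case a hostname and undo digit-for-letter substitutions."""
    return host.lower().strip(".").translate(HOMOGLYPHS)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg) -> list:
    """Flag a From domain that is not ours, and note if it is a lookalike of ours."""
    header = msg["from"]
    if header is None or not header.addresses:
        return ["no parseable From address"]
    domain = header.addresses[0].domain.lower()
    if domain in TRUSTED_DOMAINS:
        return []
    findings = [f"sender domain {domain!r} is not a trusted domain"]
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            findings.append(f"sender domain {domain!r} is a lookalike of {trusted!r}")
    return findings


def check_links(html: str) -> list:
    """Flag links whose shown URL differs from the real target, or that merely embed our name."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        if "://" in text or text.startswith("www."):
            shown = text if "://" in text else "http://" + text
            text_host = (urlparse(shown).hostname or "").lower()
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host!r} but points to {href_host!r}")
        for trusted in TRUSTED_DOMAINS:
            under_trusted = href_host == trusted or href_host.endswith("." + trusted)
            if trusted in href_host and not under_trusted:
                findings.append(f"link host {href_host!r} embeds {trusted!r} but is not under it")
    return findings


def examine(raw_message: str) -> list:
    """Run the sender and link checks over one raw RFC 5322 message; return findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


if __name__ == "__main__":
    for finding in examine(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, the script reports the lookalike sender domain and the disguised approval link while leaving the genuine policy link alone. The homoglyph table and the "embeds our name" check are intentionally narrow; a production filter would use a public-suffix list and a fuller confusable-character map.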
Report – Your security team should share what it learns internally and, when appropriate, with the wider cybersecurity community. Knowledge-sharing is crucial if we want to outpace the adversary; collective defense is the best defense. The same is true for employees. With an open culture, organizations can make it easy for teammates to report potential attacks even when they aren't sure whether something is malicious. Furthermore, as humans, we all make mistakes. When an employee does click on a malicious link, the best course of action is to report what happened immediately to the security team, without fear of blame, so that they can contain it quickly and prevent further damage.
Your people are the cornerstone of your cybersecurity strategy.
It is up to you to give them the POWER to identify threats and respond accordingly. When everyone takes their responsibility for security seriously, we achieve truly holistic cybersecurity.