6 Tips for Reducing Employee Cybersecurity Risk
People are wonderful, but not when it comes to enterprise security.
While there are many attack vectors for cyber thieves, the biggest target usually is employees. There’s good reason for this. Unpatched software and security holes are useful for finding backdoors, but nothing beats human error. Humans are the weakest link, and thus they are the starting point for many enterprise security breaches.
“Phishing attacks continue to be a huge threat, and with all the new messaging apps and access to everything from everywhere and from any device, employee vigilance is worsening,” says Inbal Voitiz, vice president of marketing for password security vendor Secret Double Octopus. “Attacks are becoming more creative, and users simply can’t tell the good from the bad.”
The bad news is that employees always will be the weakest link, and there’s no way that businesses can completely eliminate the threat of phishing and employee error. There are ways that businesses can reduce the risk, however — and that’s what the following six tips are all about.
Tip #1: Host Cybersecurity War Games
One-off security training for new employees is not enough. Consider regular, interactive cybersecurity war games instead, events that feel like games and a break from work but really are all about building awareness of the security risks and poor employee behavior that creates them. One example is an ongoing corporate-sponsored game to identify and report phishing attempts in addition to the office fantasy football league.
The key is making it fun, not dry.
“Undertake regular awareness exercises, including security awareness training. But make sure it’s engaging content,” says Edward Whittingham, managing director of security awareness training firm The Defense Works. “So many organizations adopt dry, dull or tired security awareness training which has the opposite of the intended effect. Capture your employees’ attention with training they find engaging.”
Tip #2: Simulated Phishing Attacks
A second way that you can build awareness and reduce employee cybersecurity risk is by simulating phishing attacks.
“These are not to test or trick users, but as a transparent way of helping employees become more adept at dealing with the ever-more complex phishing emails they are likely to be receiving,” notes Whittingham.
Just like those fire drills back when you were in school, simulated phishing attacks create awareness and some semblance of preparedness at minimum, and educate employees at best. This also can be a fun game for the IT department tasked with coming up with mock phishing attempts, or you could even open the simulated phishing attack creation to employees.
Be sure you don’t turn employees into black hat hackers in the process, though.
Tip #3: Deploy a Single Sign-on Password System
Weak employee passwords are a significant risk for businesses, especially in the age of cloud computing. So another way that businesses can minimize employee cybersecurity risk is through the adoption of a single sign-on (SSO) platform, which strengthens passwords by relieving employees of the need to invent a host of easy-to-remember ones that are just as easy to crack.
“SSO tools manage security for all web applications across the company, and ensure each app has high-quality unique passwords,” says Kayla Gesek, product manager for cloud-based identity and access management provider OneLogin. “It simplifies authentication for employees because they only have to remember one login.”
Tip #4: Use Two-Factor Authentication
Another defense against weak passwords and phishing is two-factor authentication.
“If credentials are breached and a hacker tries to log in, MFA will send a second code to the user’s phone to ensure it is them requesting access,” explains Gesek. “This second hurdle thwarts most hacking attempts.”
MFA is being adopted widely by cloud services because having a second layer of security significantly cuts down on unauthorized access. Businesses can deploy MFA internally and set a policy that requires MFA for external apps where available.
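To make the “second hurdle” concrete, here is an added example (not code from the article, OneLogin or any vendor quoted above) of how a login check can require both a password and a time-based one-time code. It assumes the authenticator-app flavour of MFA (TOTP per RFC 6238, 30-second steps, six digits) rather than an SMS code, uses the published RFC 4226 test-vector secret as the enrolled secret, and stores a single constructed user record. A stolen password alone does not get past the check.

```python
import base64
import hashlib
import hmac
import struct

# Assumptions: 30-second time step and 6-digit codes (the common defaults).
TIME_STEP = 30
DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Shared secret "12345678901234567890" from the RFC 4226/6238 test vectors,
# base32-encoded the way an authenticator app would enrol it. Not a real key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation, then reduce to the requested number of digits."""
    key = base64.b32decode(secret_b32.upper())
    msg = struct.pack(">Q", counter)          # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Accept the code for the current step plus `window` steps either side,
    so a user who types the code just as it rolls over is not rejected."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = unix_time // step
    for drift in range(-window, window + 1):
        expected = hotp(secret_b32, counter + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: one enrolled user with a salted password hash
# and a TOTP secret. Real deployments keep this in a database.
_SALT = b"constructed-salt-not-random"
USERS = {
    "alice": {
        "pw_salt": _SALT,
        "pw_hash": _hash_password("correct horse", _SALT),
        "totp_secret": RFC_TEST_SECRET_B32,
    }
}


def login(username: str, password: str, code: str, unix_time: int) -> bool:
    """Two-factor login: the password and the one-time code must both check out.
    Both factors are evaluated so the caller cannot tell which one failed."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, user["pw_salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, unix_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; counter 1
    print("current code:", totp(RFC_TEST_SECRET_B32, now))
    print("password + code:", login("alice", "correct horse", totp(RFC_TEST_SECRET_B32, now), now))
    print("stolen password only:", login("alice", "correct horse", "000000", now))
```

The `window` parameter is the usual trade-off: accepting one step either side tolerates clock drift and slow typing, while a wide window gives a phished or replayed code a longer useful life. Production systems also record the last accepted counter so a code cannot be reused within its window.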
Tip #5: Go Passwordless
Even better than SSO or two-factor authentication is using biometric data for login security. Iris- or fingerprint-based login systems such as those used by smartphones dramatically help with employee cybersecurity issues because there’s no login data that can be passed to a third party (barring the untimely removal of someone’s fingers, of course).
“Taking passwords out of the equation helps reduce the attack surface and eliminates the need to secure highly sensitive data,” notes Voitiz.
It also helps with the security user experience, making security less of a chore for employees.
“Passwords are hated by users and slow them down,” he says. “Replacing passwords with a high-quality fingerprint sensor or an ‘approve’ tap on a mobile app results in faster logons and happier users.”
Tip #6: Teach Employees About Baiting
While employee training is a given for minimizing the cybersecurity threat from human error, there’s one particular tactic that should get extra attention during security training sessions: baiting.
“Employees need to be mindful of the baiting trend, which is where hackers use data they already have about an employee to trick them into sharing sensitive data,” says Whittingham. “An example of this is the info listed publicly on LinkedIn to target a junior employee by posing as the CEO to request something.”
This may sound cloak-and-dagger to the average employee, something out of a spy movie. But with so much information publicly available on the open web and the dark web, it is a reality that employees should know about.
Nothing will eliminate the cybersecurity risk posed by employees. But reducing risk is possible, and these six tips will help.