According to numerous studies, employees are responsible for about 80 percent of all data leaks. It only takes one careless worker to undo everything else you have put in place. Consider this example:
Your employee, Mary, receives an email on her personal account with the subject line, “Lose 10 Pounds in One Weekend.” She clicks the link to get more information and, without realizing it, installs malware on her work computer. The malware does not stop at her machine: it spreads across the network and reaches the company data stored on those systems.
As you can see, this could happen to anyone, including a member of your own staff, which is why it is so important for small business owners to teach their teams the tricks cyber criminals use to hook their victims. How do you know the message has gotten through? Try the following:
Phishing simulation. After teaching employees not to click unexpected email links, test their knowledge and resolve by sending them a simulated phishing email of your own. The link should lead to a safe page that tells them they just engaged with a (simulated) phish, followed by a short lesson on what they missed and what they could have done instead. Build the test emails so they contain the clues you have taught people to look for: a misspelling or two, a too-good-to-be-true subject line, or a link whose hover URL points somewhere other than the site the visible text claims. Track not only who clicked but who reported the email, since reporting is the behaviour you ultimately want to see.
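To make the “hover over the link” cue concrete, here is a small checker that pulls every link out of an HTML email body and flags the signs a trained employee is supposed to notice: visible text that names one site while the link goes to another, a raw IP address or punycode host, or a destination outside the company’s own domains. This is an added example written for this article, not code from the original page; the sample email, the EXPECTED_DOMAINS allow-list and the two-label registrable_domain() heuristic are all assumptions made for illustration.

```python
"""Flag the 'hover over the link' cue in a simulated phishing email.

Added example for this article; not code from the original page.
Assumptions: the email body is HTML, SAMPLE_EMAIL below is constructed,
EXPECTED_DOMAINS is a hypothetical allow-list for the company, and
registrable_domain() is a naive two-label heuristic rather than a
public-suffix-list lookup.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains a legitimate internal email is allowed to link to.
EXPECTED_DOMAINS = {"example.com"}

# Constructed simulated phishing email: one look-alike link, one legitimate link.
SAMPLE_EMAIL = """
<p>Hi Mary, your payrol statement is ready.</p>
<p><a href="http://payroll.example-benefits.net/login">https://payroll.example.com/login</a></p>
<p><a href="https://intranet.example.com/policies">Security policy</a></p>
"""

# A host name (optionally with scheme) appearing in the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Naive heuristic: the last two DNS labels (assumption, not a PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def link_findings(href: str, visible_text: str, expected_domains=EXPECTED_DOMAINS):
    """Return the list of reasons this link looks 'sketchy' (empty if none)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme {parsed.scheme!r}"]
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append(f"link host is a raw IP address: {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode (possible look-alike) host: {host}")
    shown = _DOMAIN_IN_TEXT.search(visible_text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    if registrable_domain(host) not in expected_domains:
        findings.append(f"{host} is not an expected company domain")
    return findings


def audit_links(html: str, expected_domains=EXPECTED_DOMAINS):
    """Return [(href, visible_text, findings), ...] for every link in the body."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, text, link_findings(href, text, expected_domains))
            for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in audit_links(SAMPLE_EMAIL):
        print(f"{'FLAG' if findings else 'ok  '} {href}  (text: {text!r})")
        for reason in findings:
            print(f"      - {reason}")
```

Running it flags the look-alike payroll link (the text says payroll.example.com, the link goes to payroll.example-benefits.net, which is not a company domain) and passes the intranet link. Run against your own simulated emails before they go out, the same check confirms that the clue you meant to plant is actually there.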
Pop quiz. Anyone who falls for a simulated email should be tested again later, so you know whether the lesson stuck. Make sure these tests are unpredictable: do not always send them in the morning, and vary the kind of test. You might also hire someone to try to talk your staff into handing over sensitive business information over the phone or in person (the same social-engineering tricks, without the email). This can be invaluable, because you will learn who would fall for them.
Don’t quiz the staff once; run quizzes throughout the year so you can see who is on the ball. Remember, this is about educating your employees, not disciplining them or making them feel bad about themselves for failing a test.
Properly educate. Do what you can to make employees aware that a data breach can have financial, criminal, or legal repercussions. Schedule unannounced workstation checks to catch habits that put company data at risk, such as leaving a computer unattended while logged into a sensitive application. Explain to your staff that security matters for them personally and for the future of the company. Encourage them to report suspicious activity to the right person. In this case, they should all be snitches.
When you have given the tests and trained your staff, write down a full list of everything they should have learned. Review that list and revise it as needed.
Remember, there is no such thing as too much security awareness training, as long as it’s fun and interesting. Take these tips, post them around the office, and hold brief security seminars or workshops to keep the information fresh. Also, recognize the staff members who show consistent commitment to network security.
Photo credit: Rawpixel.com/Shutterstock