The 5 Most Important Things to Teach Employees in Cybersecurity Training

The 5 Most Important Things to Teach Employees in Cybersecurity Training

One of the vital layers of IT security safeguards is your employees. Your users are on the front line of cyberattacks that come in via phishing emails in their inboxes every day.

Approximately 1 in every 99 emails is a phishing attack, and all it takes is one wrong click to infect a company network with malware or cause a major costly data breach.

To ensure that a network security strategy is going to keep your business fully protected, it needs to incorporate ongoing employee security awareness training. This keeps teams up to date on the newest threats to watch out for and helps them sharpen their phishing detection skills.

A single phishing email can cost a company as much as $100,000.

Employee cybersecurity training also improves compliance efforts, reducing the risk of a compliance penalty. When employees are trained regularly on proper data handling, they not only get important reminders of best practices, it also reinforces the importance of data security to their organization. 

When conducting employee security awareness training, there are several key things that you should include.

The Dangers of URLs Used in Phishing Attacks

A full 43% of employees aren’t aware that clicking on a suspicious link or opening a file attachment in an email is likely to cause a malware infection. 

It’s important to train employees on the dangers of phishing emails and that links can be just as dangerous as file attachments. In fact, phishing scammers use links much more than file attachments because they can often get by antivirus mail filters.

Why Are URLs dangerous?

  • They can lead to sites that do an automatic download of malware as soon as the page is loaded.
  • They can lead to sites that look identical to a legitimate company’s website, and have forms designed to steal login credentials and credit card numbers.
  • They can be hidden behind images and fake links that look like they’re going to a legitimate site.

How to Spot a Phishing Email

Phishing is getting more sophisticated and harder to tell from the real thing, but there are certain tactics that employees can use to identify a phishing email in their inbox.

This phishing email is made to mimic that of AT&T, hovering over the link reveals it’s a fake.

One of the best ways to identify a phishing email is by hovering your cursor over any links in the email (text and image links). This will pop up a window that reveals the true URL, which is usually not one owned by the company that the phishing is trying to mimic.

Other ways to detect a phishing email are to ask these questions:

  • Is this email expected or not? (If not, it’s possibly phishing)
  • Is there anything that doesn’t make sense? 
  • Are there any grammar or spelling mistakes?
  • Is it trying to scare you into doing something?
  • Is it vague, with just a link and something like “check this out!”?

The Importance of Login Security

Password security is becoming a bigger problem that it already was because of the move to the cloud. The stealing of passwords is now the number one objective of phishing attacks because it’s much easier for hackers to get to company resources using a legitimate login than to try to hack the security of someone like Google, Amazon, or Microsoft.

Yet, many users still have bad password habits. These include:

  • 51% of employees reuse the same passwords for work and personal accounts.
  • 57% of people scammed in phishing attacks still haven’t changed their passwords.
  • 53% of people rely on memory for password management, which results in weak passwords.

Employees need to understand that their login is all that’s keeping a hacker from multiple vital company resources and that the use of things like multi-factor authentication and password managers can significantly increase account protection. 

What To Do If They’ve Downloaded/Clicked on a Phishing Email

When cybersecurity incidents are caught right away, damage can often be mitigated. For example, if you realize right away that you’ve just put your credit card number into a fake phishing site, you can immediately contact your bank to block the card.

Cybersecurity mistakes can often get worse because an employee didn’t know what to do or kept quiet about a suspected download of malware because they were afraid to get in trouble.

It’s important to instruct employees of the immediate things to do if they even just suspect they may have encountered phishing or malware and possibly infected their device. You should also stress that it’s to mitigate damages and that they won’t get into trouble for reporting a cybersecurity incident when it happens, they’re actually doing their part to protect the company from a potential breach.

Scammers Can Use Fake “From” Addresses

Many users, even those that are more computer savvy, get fooled by email spoofing. This is when a hacker uses a legitimate company’s domain name in the “From” email address.

A user might look up and see their own company’s domain or that of a vendor and be fooled into thinking the email is legitimate and taking a requested action.

Employees need to know that they can’t trust the address in the sender line and that these are often fakes. Looking at the raw message source (if they know how to do that) can reveal the true email address originating an email.

Need Help Keeping Your Employees Cyber Aware?

Haxxess can help your Northern Ontario company plan and implement an effective and ongoing employee security awareness training as part of a strong cybersecurity strategy.

Contact us today to schedule a free consultation! Call 705-222-8324 or reach out online.

stay in touch

Subscribe to our newsletter and we'll keep you informed about latest IT news.