The biggest gap in corporate security is usually between the chair and the keyboard, and most people choose convenience over safety. “A lot of people are absolutely unaware of the risks of links and attachments in emails,” says an IT specialist on an online forum. “Recently we had a phishing test carried out at our office, and no less than 25% of all employees casually entered their login details on the phishing site.”
Many studies have tried to work out what does and does not work in cyber security awareness. Posters with warnings about cyber security hardly seem to have any effect. Interactive lectures score very highly, but a small company can’t just book a speaker for six people, and a large company can’t reach everyone with presentations. So let’s list a few alternatives:
Organise a cyber treasure hunt
Hide at least ten security hazards around the office and let everyone search for them: a USB stick that may carry malware, a mobile phone with PIN 0000, a file with personal data left lying on a desk, a forgotten document in the printer, an unlocked computer, and so on. Usually employees end up finding more hazards than the ones you hid.
Explain the cyber risks in normal human language
IT specialists often forget that ordinary employees lack the digital background to fill in the gaps. Employees don’t understand the consequences of clicking a link in a phishing email or using a weak password. Research by the British internet provider Beaming showed that 31% of those surveyed do not want to work with a supplier that has fallen victim to cyber crime through negligence.
Attackers increasingly target small companies as a convenient stepping stone into the large companies they supply. Security software can do a lot against this, but only if employees cooperate.
Reward reporting data breaches
Should you reward an employee who has caused a data breach? One director decided to do exactly that, because she knew that many employees kept quiet about data breaches, such as an email with personal data sent to the wrong recipient.
When a few people received a small gift for quickly reporting a data breach, suddenly everyone was talking about how important it is not to cover up a breach, and that you will not be punished if it happens to you. On the contrary: you even receive a gift for helping to limit the damage. Sometimes a company only discovers six months later that it has been hacked, because an employee clicked a link in a phishing email and didn’t think it worth reporting to the IT department.
Abuse unlocked computers (for a good cause)
From every computer an employee leaves unlocked and unattended, send an email to a non-existent address: “I hereby offer my resignation.” When they return, they are shocked to find an email sent from their own account.
Then explain clearly what the dangers are of leaving a computer unlocked, how to recognise phishing emails and how to remember hundreds of complicated passwords. This can be done through a presentation or an e-learning course; even a cyber quiz can greatly increase their level of knowledge.
Choose practical, easier solutions
Many employees are required to change their password very frequently. Studies show that this mainly creates a false sense of security: people respond with small, predictable variations on the old password. University College London (UCL) wanted to encourage staff and students to choose stronger passwords instead. Longer passwords had to be replaced less often than short, weak ones, and dictionary words cost penalty points, because automated cracking tools guess them within seconds.
The new policy proved a success: in the long run most employees opted for stronger passwords in exchange for a longer lifespan. Show employees how simple it is to come up with hard-to-crack passwords: just a new sentence every time. For example, in January the sentence Ik_wil_3_kilo_afvallen! (“I want to lose 3 kilos!”) and in February Ik_ga_op_wintersport02! (“I’m going on a ski trip 02!”). Or, easier still, introduce a password manager as the cure for all password frustrations.
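To make the UCL idea concrete, here is an added example (not code from the original article, and not UCL’s actual rules): a policy in which the allowed lifetime grows with length, dictionary words cost penalty points, and passwords that are too short once dictionary words are removed are rejected outright. The word list, the point values and the lifetime schedule are assumptions chosen for illustration; the sample passwords, including the article’s two Dutch sentences, are constructed inputs.

```python
"""
Added illustration of a length-based password policy: longer passwords live
longer, dictionary words cost points, and a password whose non-dictionary
remainder is too short is rejected. The dictionary, point values and
lifetime schedule below are assumptions, not UCL's real policy.
"""

# Constructed mini wordlist (an assumption). A real deployment would load a
# large list, for example the words cracking tools try first.
DICTIONARY = {
    "password", "welcome", "summer", "winter", "monkey", "dragon",
    "letmein", "qwerty", "football", "sunshine", "iloveyou",
}

# Lifetime schedule: (minimum score, days before the password must be replaced).
LIFETIME_SCHEDULE = [(20, 365), (14, 180), (8, 90)]

MIN_EFFECTIVE_LENGTH = 8   # characters left after dictionary words are removed
DICTIONARY_PENALTY = 3     # points deducted per dictionary word found
CLASS_BONUS = 2            # points per extra character class beyond the first


def strip_dictionary_words(password):
    """Return (remaining text, dictionary words found).

    Longest words are matched first, so 'password' is not counted as
    'pass' plus 'word'. Matching is plain substring matching on the
    lower-cased password; leetspeak such as 'p4ssw0rd' is NOT detected,
    which is why real checkers such as zxcvbn also try substitutions.
    """
    remaining = password.lower()
    found = []
    for word in sorted(DICTIONARY, key=len, reverse=True):
        if word in remaining:
            found.append(word)
            remaining = remaining.replace(word, "")
    return remaining, found


def character_classes(password):
    """Count how many of the four classes (lower, upper, digit, other) occur."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def check_password(password):
    """Score a password and translate the score into a lifetime in days.

    Returns a dict with the score, the effective length, the dictionary
    words found, and lifetime_days (0 means the password is rejected).
    """
    remaining, found = strip_dictionary_words(password)
    effective_length = len(remaining)
    score = (effective_length
             + CLASS_BONUS * max(character_classes(password) - 1, 0)
             - DICTIONARY_PENALTY * len(found))

    lifetime = 0
    if effective_length >= MIN_EFFECTIVE_LENGTH:
        for minimum, days in LIFETIME_SCHEDULE:
            if score >= minimum:
                lifetime = days
                break
    return {
        "score": score,
        "effective_length": effective_length,
        "dictionary_words": found,
        "lifetime_days": lifetime,
    }


if __name__ == "__main__":
    # Constructed sample passwords, including the article's two sentences.
    for sample in ("Ik_wil_3_kilo_afvallen!", "Ik_ga_op_wintersport02!",
                   "Welcome2019!", "Summer2020", "Tr0ub4dor&3",
                   "correct horse battery staple"):
        print(f"{sample!r}: {check_password(sample)}")
```

The two sentence passwords score well and earn the longest lifetime; Welcome2019! and Summer2020 collapse to a handful of characters once the dictionary word is stripped and are rejected. Tr0ub4dor&3 slips past the word list because of its leetspeak, which shows why a substring dictionary check is a floor, not a ceiling, and why a password manager generating random strings is the simpler fix.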
Think of playful ways to raise awareness
Spending money on expensive IT tools is money thrown away if employees don’t understand how attackers work. One example is a colleague who happened to be on holiday during a phishing test. The holidaymaker saw the phishing email too late and emailed back: “I was not present last week. You can send the link again, because it no longer works.”
Use simple ways to train the less alert employees. When a colleague hasn’t touched their computer for a while, a screensaver with prevention tips appears automatically. The company app occasionally shows a prevention tip about opening suspicious emails, sharing confidential information or acting on fraudulent payment requests. Put engaging educational videos about privacy and cyber crime on the intranet.
About the author:
Maria Genova (1973) is a journalist and writer. She received the Looijer Debutantenprijs in 2007 for her debut novel Communisme, sex en leugens (Communism, Sex and Lies). Since then she has written many other books, including several bestsellers such as Komt een vrouw bij de h@cker, an eye-opener about digital dangers. In 2014 she was named Writer of the Year. Maria works for various newspapers and magazines. She develops e-learning courses and quizzes and is one of the most requested speakers in the Netherlands in the field of identity fraud, privacy and information security. More about Maria Genova on her website or on Twitter: @genova2