Spearphishing, ransomware, downloading malicious software… These cybersecurity threats affect employees in all businesses, particularly those working from home. Raising awareness of cyber security is now essential.
Economic and political risks
Cyber attacks on businesses and public authorities are driven by economic and sometimes political interests, depending on the sector targeted.
The hackers’ objectives may be:
- Steal money from an individual or a company
- Capture a company’s customers
- Damage the reputation of a company or a political player/party
- Carry out industrial, political or military espionage
An organisation’s employees are on the front line when it comes to these ever-increasing cybersecurity risks. Raising awareness of cybersecurity is therefore essential if employees are to recognise these risks and react accordingly.
Cybersecurity awareness campaigns:
Schedule regular training sessions
Cybersecurity training involves all the company’s employees and should be offered on a regular basis. It is preferable to organise sessions in small groups to encourage discussion and, if possible, to adapt them to the profiles of the various professions.
Training accountants or human resources professionals in cybersecurity is different from training developers or salespeople. Segmenting training courses by profession also enables specific, concrete subjects to be addressed for each professional issue (wi-fi networks when travelling, fraudulent e-mails, etc.). Ideally, training modules should be short, no longer than 1 hour. Beyond that, there is a risk of generating fatigue and impairing understanding of the message.
It may be a good idea to conclude each training session with a practical summary document. This will serve as a memo for the employee. On the fun side, offering quizzes after training courses, with rewards at the end, encourages employees to take an interest in the subject.
Still aiming for a more entertaining approach, gamification as part of a cyber-security awareness campaign is proving effective. Various organisations offer escape games or cyber games on the theme of IT security, during which employees put themselves in the shoes of a hacker, for example. These role-playing games and interactive training courses raise awareness of the risks, while reducing the anxiety associated with the subject.
Calling on key players
For larger-scale training courses, bringing in a recognised cybersecurity expert is a good way of grabbing the audience’s attention. In this way, employees benefit from in-depth expertise. The speakers may come from organisations specialising in IT security, or be university researchers or cyber defence experts, depending on the company’s sector of activity and the issues at stake.
Strengthening internal communication
Employees need to be regularly informed about news relating to cybersecurity, whether it concerns their company directly or not. Giving concrete examples of incidents and their consequences is a good way of raising awareness.
For example, spearphishing attacks are currently on the increase and are affecting more and more organisations. This type of cyber attack specifically targets a company employee with access to sensitive information. It is generally based on identity theft and strong social engineering. The hacker’s aim is to send an e-mail that is consistent with the activity of the targeted person or company and that encourages them to click on a malicious link or open an infected attachment. In this way, the employee’s data can be compromised. The success rate of spearphishing is high and worrying. It is necessary to communicate this type of information to employees by e-mail, via a corporate social network or in an internal repository. These communications can be accompanied by a number of practical steps that can be taken to avoid being caught out.
Furthermore, in the event of an incident, employees need to react quickly, especially if their workstation is infected and therefore unusable. To help them do this, it is useful to distribute “SOS sheets” covering a range of issues (e.g. “I clicked on the wrong link, what should I do?”). Employees will find the contact details of the support service and a few simple actions to take while they wait for help. These sheets are particularly recommended for teleworkers, who are more on their own when it comes to security issues.
Carry out test campaigns
Finally, there’s nothing like a (fake) cyber attack to raise awareness of cybersecurity. Cybersecurity test campaigns involve the whole company and have a dual objective: they show employees that attacks can affect them, and they measure employees’ level of vigilance. Generally, phishing campaigns are organised, since this type of email attack is still the most common. At the end of these test campaigns, and depending on the results, additional training modules will have to be offered to employees.
3 essential precautions for raising awareness of cyber security
Leveraging the diversity of our actions
Freeing up time for training is not always easy, and most employees drag their feet when it comes to cybersecurity training. So the key is to diversify your training courses, so that you can tackle the subject from different angles, providing concrete, practical information. Not forgetting the educational and fun aspects!
Tailoring awareness-raising campaigns to specific professions
It is important for employees to learn techniques to protect themselves, but also and above all to realise that everyone is a target in their own right for hackers today. The overall awareness of the workforce must be raised at the same time as the awareness of the different business profiles.
Stepping up training for teleworkers
While all employees need to be trained in IT security, this is even more the case for teleworkers. Since the advent of teleworking, cyber-attacks have soared, and so has the cost to the company. It is in companies’ interests to maximise training for teleworkers, as well as their remote support in the event of an incident.