Employees account for 95% of security breaches within organizations. Effectively, employees are the weakest link in the security of corporate information, and cyber attackers know this. This is why it is important to ensure cybersecurity is a concerted effort in an organization. This is what ultimately creates a secure culture throughout an organization or team – regardless of where employees are located.
2020 was a year of disruption beyond the level of constant change businesses are normally used to. COVID-19 has impacted the world in ways none of us would have ever anticipated. As a result, many businesses were forced to pivot and re-strategize so as to stay afloat.
For businesses, cybercrime has been on the rise ever since. With more and more employees in 2020 working remotely than ever before, cyberattackers have had more weak links to attack. This may have been through public Wi-Fi or the less stringent work-from-home security practices. Therefore, focusing on cyber security in 2021 will play a significant role in businesses gaining strategic advantage.
Since the onset of the coronavirus pandemic, more and more employees are working remotely. This means they are likely more exposed to cybersecurity threats as their home networks may not be as secure as the corporate environments in which they were previously stationed.
It is no surprise that cybersecurity training and awareness are taking center stage in many corporate leaders’ minds in 2021. Information security threats cannot be mitigated or prevented if they are not recognized. Therefore, employees need to be empowered on how to avoid being victims of these threats.
Security Awareness Training Topics to Cover with Employees in 2021
Employees can be a huge asset to an organization in fighting cybercrime.
That said, it’s not just about what employees should know, but what they should do.
Below are some fundamental topics that must be taught and absorbed by employees, not just for office use but also for remote working.
1. Secure Virtual Meetings and Video Conferencing
The year 2020 saw exponential growth in the use of video/audio conferencing and virtual meeting tools such as MailSafi Talk, Zoom, Google Meet, Microsoft Teams, BlueJeans, Cisco Webex, and so on. This was not just by the usual corporate users. It included new entrants such as school-going children, entire governments, and a host of new remote workers.
Virtual meetings have, however, introduced a new set of risks to entities, particularly those new to the space. Virtual meetings are prone to eavesdropping, corporate espionage, real-time harassment, and even sabotage and data theft. They are therefore an important area for businesses to focus on in 2021 as the crisis continues.
2. Public Wi-Fi Risks
Another cyber security threat to concentrate more on in 2021 is public Wi-Fi. Though Wi-Fi can seem safe and convenient, Wi-Fi, particularly public networks, can pose a substantial risk to information security and information confidentiality.
Even with less sophisticated software, attackers can easily intercept data transferred over public networks using ‘man-in-the-middle’ attacks. If a network is not secure (i.e. not password protected), the chances of it being safe to use are very low.
If your employees absolutely have to make use of public Wi-Fi networks when working remotely, ensure that your organization has a VPN solution in place. This will allow users to transfer data securely through an ‘encryption tunnel’.
3. Password security best practices
Judging from the Worst Passwords of 2020, it is safe to say that this topic remains crucial. The need to create strong passwords still needs to be emphasized in 2021, as there remains considerable room for improvement.
Just about every system, network, and device that we now value requires passwords. Undoubtedly, there are plenty among us that struggle to remember all of these credentials. Consequently, this propagates one of the main practices that weaken our information and password security.
Using one password across multiple accounts (email, laptops, office desktops, tablets, applications, and databases) weakens your password security. As password databases are continuously being attacked using more and more sophisticated algorithms in brute-force or dictionary attacks and password spraying, it is advisable to use a unique password for each device or account. Consider using application-specific passwords when accessing your email accounts across multiple devices.
Use two-factor authentication where possible for your accounts. MailSafi supports the use of two-factor authentication as well as app-specific password use on its platform.
Use these principles for other office applications whenever it is possible to do so.
4. Social Engineering Threats
Another important topic for 2021 is social engineering. Social engineering threats must be considered for any cyber security awareness training as this tactic is the foundation of many cyberattacks that lead to loss of thousands or millions of dollars.
These attacks are premised on deceiving individuals to extract information or actions that allow the attacker to profit. This can include phishing emails that contain malware, business email compromise (BEC) attacks, or spear-phishing attacks.
Therefore, training every member of an organization to understand social engineering threats is an important focus area in 2021. Train employees on how they are potential victims of social engineering attacks as well as the role they can play to prevent losses to the company. For example, train them on business email compromise, malware, and spear phishing.
a. Malware
A common byproduct of social engineering is malware contained in phishing emails. Malicious software can make its way onto our computer systems or devices (phones, tablets, laptops) and into our networks via phishing emails. This has been a common trend in 2020 and is predicted to continue in 2021. By clicking on suspicious links, users can be directed to insecure websites. Opening malicious files and attachments can do untold damage to your systems and data.
Malware can come in many forms, including spyware (collects sensitive information), adware (clogs your device up with advertisements), and ransomware (taking your data hostage in exchange for ransom usually received in the form of cryptocurrency such as bitcoin).
Investing in a good antispam or spam filtering solution for your business will offer defense against malware coming into your organization via email. Read why you should consider a third party for your spam filtering.
b. Spear Phishing
Secondly, spear phishing. Bringing your employees up to speed with this threat and helping them recognize it will help your organization build a more secure culture in 2021.
Spear phishing is a much more sophisticated phishing attack. Rather than targeting a large number of people by sending out thousands of emails, spear-phishing attacks will target a small number of people using carefully crafted and specially created malicious emails.
Spear phishers will intercept invoices, payment requests, and extremely sensitive communications to achieve their goal. Because they are so well-crafted, spear phishing attacks can fool even the most seasoned users into making a very costly mistake.
c. Business Email Compromise/Email Account Compromise
Thirdly, there is business email compromise or email account compromise. While the number of phishing sites reportedly declined in 2020 during the pandemic, losses associated with more sophisticated attacks like Business Email Compromise (BEC) scams continue to rise.
BEC attacks can take a variety of forms but essentially involve an attacker tricking an executive into making a financial transaction or sending along sensitive data. Attackers may request funds through gift cards, direct bank transfers, or payroll diversions.
Especially because it has the potential to cause significant financial loss to companies, it is important that businesses focus on empowering employees with knowledge of this cyberattack and how they can avoid becoming victims.
5. Secure Access to Mobile Devices and Remote Wiping Features
Simply by virtue of being mobile, smart devices often represent significant security risks to organizations. Many employees are able to access their business email or other office applications via their smart devices (phones, tablets, iPads). With so much sensitive and confidential information held in these devices, the potential for unauthorized access can be a big cyber security threat, inside and outside the office.
Ensure that users and employees have their passwords protected and adequately encrypted. This is an important step in ensuring that any sensitive information cannot pass into the hands of malicious actors.
Where employees are dealing with highly confidential company or client information, consider using remote wiping features in the unfortunate (but plausible) case of a lost or stolen device.
6. Encryption of all confidential data in storage or transit
With the advent of the General Data Protection Regulation (GDPR), organizations are increasingly accountable for the security of personal information that they hold on customers and individuals; the main method of doing so being encryption.
Encryption is an important tool in the protection of sensitive company information or data, whether it’s the data in transit across networks, company information on websites or apps, or the contents of our phones and devices. For employees to be cyber security aware, the fundamental approaches of encryption must be understood.
Encryption hides information from unauthorized parties, allowing only you and your employees to view this data through confidential channels.
7. Data Backup
In promoting cyber security awareness, employees should be trained to understand their individual responsibilities in securing company data through backup and what options are available for them to use.
Backing up data gives assurance that your data will remain available, even after a cyberattack. Cybersecurity awareness is also about safeguarding information in the event a threat or attack materializes.
Threats range from accidental deletion of critical business emails to server crashes or servers being hacked. They can also result from natural disasters such as fire or floods that damage business-critical systems. Loss of data after any of these eventualities can be catastrophic to a business.
8. Sensitive or Confidential Information
It is important to identify the kinds of sensitive information your organization handles and each employee’s responsibility in their protection.
Sensitive information may include emails or documents with client or employee medical data, bank details, etc. Or it may be trade secrets, salary information held in payroll or payslips, or intellectual property. Also, securing identifying data such as name, address, DOB, next of kin details, etc., will help in the fight against social engineering attacks.
Employees handling confidential data should be trained in implementing access controls to restrict such information to only authorized persons. This will ensure that classified information does not fall into the hands of cybercriminals who may use it to defraud the organization and its employees.
9. Endpoint Protection
Endpoint protection is the process of securing the various endpoints on a network, often defined as end-user devices. These devices include servers in a data center, mobile devices, laptops, and desktop PCs.
Endpoint security addresses the risks presented by devices connecting to an enterprise network, including remote workers. Managing endpoints is important as these endpoints can be the entry point to corporate networks for cybercriminals.
Remote workers using dispersed devices must ensure they have basic endpoint solutions on the devices they use to access corporate networks. These include firewalls and antivirus solutions on their devices.
10. Reporting
Finally, make it clear to employees to whom they should report any suspicious activities that could threaten your organization’s information security. Where possible, provide an email/chat and phone contact.
Summary
In conclusion, prioritizing cyber security training and awareness (even for remote workers) is a fundamental step in preventing losses resulting from cyberattacks. These include damages resulting from ransomware, password security breaches, business email compromise/email account compromise, loss of data, spoofing and phishing attacks, spam, viruses, and malware.
MailSafi offers cybersecurity awareness training that can be tailored to your organization’s needs. Get in touch with us for more information.
Looking for email hosting or email security services? Visit our website and sign up for MailSafi Email & Collaboration or MailSafi Email Security services. We offer a 30-day free trial for these services.