Importance of Employee Cyber-security Training

Recent reports from Trustwave reveal that despite companies spending $96 billion on cyber security initiatives this year, 100 percent of all web applications continue to be vulnerable to attacks. To protect your company’s data from threats, it’s increasingly critical that employee cyber security training takes place in the workplace.

Tips for Employee Cyber-security Training

Cyber security for your company starts with your employees. Utilize the following tips to secure your data and conduct employee cyber security training.

1. Include All Staff Members

No one is immune to hackers and cybersecurity attacks, so ensure all team members complete training. Don’t forget to include upper management, as well as IT department staff.

2. Review Signs of an Attack

One of the most important lessons in cybersecurity is recognizing signs of an attack. Review common signs that a device or network is under attack such as:

  • Systems running slowly
  • Abnormal activity on the corporate firewall
  • Access logs showing unusual login times and locations
  • Frequent pop-ups
  • Device freezing or crashing

These are just a few of the ways an attack may show itself in your office. Encourage employees to alert you if they notice any of the above, or any other unusual activity that they did not initiate themselves.
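The third sign in the list above, access logs showing unusual login times and locations, is one that can be checked automatically. The following Python script is an added example, not code from the original article: it walks a few constructed access-log lines and flags any login that falls outside office hours or comes from a country the user has not been seen in earlier in the log. The log format, user names, IP addresses and countries are all constructed for illustration.

```python
"""Flag unusual login times and locations in constructed access-log lines.

Added example, not part of the original article. The log format, user
names, IPs and countries below are constructed; a real deployment would
parse its own authentication logs and use a proper geolocation source.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <source IP> <country>"
SAMPLE_LOG = """\
2024-03-04T08:55:12 alice 203.0.113.10 US
2024-03-04T09:02:41 bob 198.51.100.7 US
2024-03-05T08:47:03 alice 203.0.113.10 US
2024-03-05T09:10:55 bob 198.51.100.7 US
2024-03-06T03:12:09 alice 192.0.2.44 RO
2024-03-06T09:01:30 bob 198.51.100.7 US
"""

# Hours treated as normal for this (constructed) office: 07:00 to 18:59.
WORK_HOURS = range(7, 19)


def parse_log(text):
    """Yield (timestamp, user, ip, country) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country = line.split()
        yield datetime.fromisoformat(ts), user, ip, country


def find_unusual_logins(text, work_hours=WORK_HOURS):
    """Return a list of (user, timestamp, reasons) for logins worth a second look.

    A login is flagged when it happens outside work hours, or when it comes
    from a country the user has not logged in from earlier in the log. The
    earlier sightings build each user's baseline, so this is a simple
    "new to us" check rather than a statistical model.
    """
    seen_countries = defaultdict(set)
    flagged = []
    for ts, user, ip, country in parse_log(text):
        reasons = []
        if ts.hour not in work_hours:
            reasons.append(f"login at {ts.strftime('%H:%M')} from {ip} outside work hours")
        if seen_countries[user] and country not in seen_countries[user]:
            previous = ", ".join(sorted(seen_countries[user]))
            reasons.append(f"new country {country} (previously seen: {previous})")
        seen_countries[user].add(country)
        if reasons:
            flagged.append((user, ts.isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, when, reasons in find_unusual_logins(SAMPLE_LOG):
        print(f"{user} {when}: " + "; ".join(reasons))
```

Run against the constructed log, only alice's 03:12 login from a new country is reported, with both reasons attached. A flagged entry is a prompt for a quick check with the employee, which is exactly the "report it and let it be a false alarm" habit the note below encourages.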

NOTE: Assure employees that there’s no such thing as a silly question. It’s better to report a problem that turns out to be a false alarm than to leave a real problem unreported and compromise your entire company network.

3. Explain Password Policies

One simple way that employees can safeguard their own information, as well as company data, is by using secure passwords. An employee’s password should contain a mix of letters, numbers, symbols and upper- and lower-case characters. No two programs or websites should share the same login credentials.

As you can imagine, remembering all of these long, unique passwords can be difficult. Consider investing in password management software like LastPass for your business to help employees keep track of their secure passwords.

4. Go Over Preventative Measures

In addition to explaining the importance of password management, your employee cybersecurity training should include information on measures to prevent attacks and security breaches altogether. Provide your employees with the following tips to prevent attacks:

  • When accessing company data remotely, implement multifactor authentication.
  • Keep your operating systems, browsers, and antivirus and security software up-to-date.
  • Regularly update your passwords.
  • Never open attachments or click on links from an unknown sender.
  • Never share sensitive information via email.
  • Back up critical business files and data using cloud services.

For more tips on preventing cyber attacks, utilize the Department of Homeland Security’s Stop.Think.Connect. for small and mid-size business resources. Stop.Think.Connect. is a public awareness campaign with the goal of educating users on cyber threats.

By helping employees understand the threat landscape and how to prevent network vulnerabilities, you are able to make cyber security a part of your company culture. For more information on how to protect your business from cyber attacks and to conduct employee cyber security training, contact your nearest Computer Troubleshooters office.

About Phishing

Most types of threats to computer users involve direct attacks on a computer, targeting technical vulnerabilities in the computer’s operating system and other software. Phishing, on the other hand, relies solely on the computer user’s own vulnerabilities, namely the same emotions and ignorance that allow people to be taken in by non-electronic confidence schemes.

In the digital world, phishing is any attempt to defraud a computer user by pretending to be a reputable source. This can be done through e-mails, on a fake Web site, or a combination of the two. The end result of phishing can range from a person giving away their login and password information, to giving out their credit card information, to, in the most severe cases, kidnapping or murder.

Unlike malware such as viruses, worms, and rootkits, which may look to either damage computers or open a back door for identity thieves, phishing attempts always seek to commit identity theft and nothing else.

The term “phishing,” by most accounts, is a combination of “fishing” (as in baiting a hook with a fraudulent e-mail) and “phreaking,” a form of phone-based fraud.


Social Engineering

Phishing is a form of social engineering. Social engineering is the act of manipulating a person into giving out sensitive information, rather than by outright stealing the information.

One way to look at the difference is to compare phishing to another computer attack: keylogging. With keylogging, a cybercriminal physically breaks into a computer to implant a program that can record the text that the unsuspecting user types, especially information such as passwords and credit card numbers. On the other hand, a phishing e-mail may try to trick the computer user into thinking that their bank needs to verify their account login and password.


Examples of Phishing

Some of the earliest widespread phishing attacks occurred via AOL. Phishers would pretend to be AOL staff and, using the in-house instant messaging system, ask AOL members to verify their login and password. This would allow the phisher to log in under that account, gaining access to other account information (such as a credit card number), or to set up a base for sending spam e-mails. Even after AOL inserted text warning that AOL staff would never ask for account information, some people still fell for the phishing. What made matters worse was when AOL opened up its instant messaging program to non-AOL account users. This allowed phishers to attempt the same scam on AOL subscribers while being outside the bounds of the company’s Terms of Service agreement.

The success of the AOL phishing led to the prolific use of phishing geared toward customers of reputable banks, online businesses, and payment services. Companies such as TD Ameritrade, eBay, and the U.S. Internal Revenue Service have all been targets for phishers. Phishing is usually perpetrated by e-mail: phishers design e-mails that look remarkably like they came from the actual business, except for a few details, such as a letter addressed to “Dear Client” instead of a person’s name, or a sender’s e-mail address that does not come from the business’s domain.
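The tell-tale details listed above (a generic “Dear Client” salutation and a sender address that is not on the business’s domain), together with the forged-site links and unsecured connections discussed later in this article, can be turned into a simple indicator check. The Python script below is an added example, not code from the original article: it parses two constructed messages, one impersonating a bank on the constructed domain examplebank.example and one legitimate, and lists which indicators each one trips. The domains, addresses and message text are all constructed.

```python
"""Score constructed e-mails for the phishing indicators described in the article.

Added example, not from the original article. The messages, domains and
greetings are constructed; the indicators mirror the article's own list:
a generic salutation, a sender not on the business's domain, and links
that do not lead to the business's site or do not use a secure connection.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear client", "dear customer", "dear user", "dear member")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message impersonating a bank whose real domain is examplebank.example
SUSPECT_MAIL = """\
From: "Example Bank Support" <support@examplebank-verify.example>
To: alice@example.org
Subject: Verify your account

Dear Client,

Your account has been limited. Please verify your login at
http://examplebank.example.verify-login.example/account
"""

# Constructed legitimate message from the same (constructed) bank, for comparison
CLEAN_MAIL = """\
From: "Example Bank" <notices@examplebank.example>
To: alice@example.org
Subject: Your March statement is ready

Dear Alice,

Your statement is available at https://examplebank.example/statements
"""


def phishing_indicators(raw, expected_domain):
    """Return the indicator strings found in a raw RFC 5322 message.

    expected_domain is the domain the reader would expect this business
    to send from; everything is compared against it.
    """
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = []

    # 1. Sender address not on the business's domain
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != expected_domain:
        indicators.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")

    # 2. Generic salutation instead of the recipient's name
    first_line = next((line for line in body.splitlines() if line.strip()), "")
    if first_line.strip().rstrip(",").lower() in GENERIC_GREETINGS:
        indicators.append(f"generic greeting {first_line.strip()!r}")

    # 3. Links that leave the business's site or skip the secure connection
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            indicators.append(f"link without secure connection: {url}")
        # A host is "on" the domain only if it is the domain itself or a subdomain of it;
        # a look-alike that merely starts with the domain name does not qualify.
        if host != expected_domain and not host.endswith("." + expected_domain):
            indicators.append(f"link host {host!r} is not on {expected_domain!r}")
    return indicators


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MAIL), ("clean", CLEAN_MAIL)):
        found = phishing_indicators(raw, "examplebank.example")
        print(f"{label}: {len(found)} indicator(s)")
        for item in found:
            print("  -", item)
```

The suspect message trips all four checks (off-domain sender, generic greeting, plain-HTTP link, link host that only begins with the bank’s name), while the legitimate message trips none. The subdomain test matters: a forged host such as examplebank.example.verify-login.example starts with the real domain name but is not under it, which is exactly the sort of copy the Web-site forgeries below rely on.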

Phishers also use Web site forgeries to commit crimes. Through this method, phishers redirect a Web site’s patrons onto a reasonable copy of a reputable site in order to record their personal information.


419 Scams

Many people associate 419 scams (also known as Nigerian bank scams) with phishing. However, most of these e-mail scams do not involve an attempt to fool the target into thinking the sender is from a business the recipient uses. Most of them rely on social engineering alone, preying on people’s greed and empathy, and usually culminate in a wire transfer of money with the expectation of being rewarded with more money in the future (which, of course, never comes). Most are created with Web-based e-mail programs and are generally poorly worded and full of factual and grammatical errors.


Preventing Phishing

By its very nature, there are few things that a person can do to their computer to prevent being a victim of phishing. As mentioned before, phishing targets a person’s vulnerabilities rather than a computer’s.

Buying subscription-based antivirus software that specifically targets phishing is one way to help prevent being scammed. Keeping antivirus software up to date can help keep a computer protected against ever-evolving threats. The antivirus software can block offending e-mails that come from a suspect source or contain phrases common to many phishing attempts. Antivirus software like Norton Security, Kaspersky Security, McAfee Security and AVG Security can also warn subscribers when they’ve stumbled upon an unreliable Web site.

However, even with antivirus software in place, computer users can still ignore the warning signs. They can disable certain functions of antivirus software. And, some phishers have begun sending e-mail text in an image in order to circumvent antivirus trackers.

When it comes down to it, the most important way to prevent phishing is to be informed. No reputable company will ever ask their customers for account numbers, credit card numbers, logins, or passwords. Never enter sensitive information on a Web site that isn’t on a secure connection. And if any e-mail or Web request just doesn’t feel right, disregard it. And make sure all users of a computer are familiar with phishing and how to recognize it.