Cybersecurity Training for Employees: 6 Points To Cover

Each organization has its own approach to cybersecurity—some of them better than others. While many small businesses take a proactive role by working with third-party managed security service providers, others are content to employ “security through obscurity,” hoping that there will always be a bigger, more appealing target. Unfortunately, every business is a potential target for cyber criminals.

Although larger companies are more likely to have a dedicated IT security team, the practices of that team may vary in quality. For example, the 2017 Equifax data breach, which exposed the personal data of 143 million people, was entirely preventable due to an unpatched software vulnerability.

With cyber threats looming larger than ever before, now is the time for every organization to implement a comprehensive cybersecurity training plan for employees to follow. In this article, we’ll discuss 6 of the most important topics that should be part of any cybersecurity curriculum.

1. Web Browsing

A secure web browsing experience is the responsibility of both the employer and the employee. Companies should install security measures such as firewalls, web filters, and antivirus software, while employees should understand which websites they should (and shouldn't) view during work hours.

There are several ways to make employees' web browsing experience more secure. Implementing DNS-based protection such as Cisco's Umbrella can stop malicious websites and ads before they even reach your employees' systems. In addition, pop-up blockers and ad blockers help prevent malicious software and cookies from being downloaded to users’ computers. Beyond that, training them to avoid high-risk websites and how to spot signs of spoofed websites can go a long way.

2. Phishing Emails

Because the barriers to entry are so low, nearly every beginner hacker experiments with phishing emails as a way to steal user credentials. One cybersecurity software firm said that it blocked 51 million phishing attempts in the first half of 2017 alone.

To identify phishing emails, first look at what the message is telling you to do: does it have a tone that is particularly urgent or threatening? Confirm that the sender’s actual email address is correct (not only the display name) and hover over any links in the message to see if they point to the right website.

3. Passwords

If you used a single key for each of your possessions, from your vehicles to your house, you'd be asking for trouble. By stealing or copying that single key, a malicious actor would be able to have access to nearly every aspect of your life.

Similarly, relying on one or two passwords for your IT security is highly dangerous if one of them is exposed in a data breach. In order to lessen the impact of any single password being leaked, businesses use password management software such as LastPass and RoboForm to generate and store secure passwords.

Even if your employees do use different passwords for every account and website, they should also protect themselves using two-factor authentication (2FA). This involves the use of both a password and another authentication method, such as a code sent by email or SMS, or even biometric data. Although 2FA isn’t foolproof—there are ways for hackers to intercept SMS messages—it still adds another layer of security to your online accounts.

4. Malicious Software

Very few employees actually set out to intentionally download malicious software. Instead, they often download innocuous-looking “free” software or plugins that come bundled with other nefarious applications.

Types of malware include:

• Adware and spyware that display unwanted advertisements and track users’ activity.
• Keyloggers that capture users’ individual keystrokes and mouse movements, giving hackers access to your passwords and other sensitive information.
• Cryptocurrency mining applications that run secretly in the background, often disguising themselves as legitimate software. These applications can slow down your machine and internet connection, significantly impacting performance.
• Ransomware that encrypts your files and locks you out of them until you pay a ransom in a cyptocurrency like Bitcoin to the cyber criminals that attacked you.

If your employees are experiencing issues with strange behaviors or performance issues, they should notify your IT department or another IT professional to have it examined for malware.

5. Wi-Fi Access

There’s a hidden downside to the free Wi-Fi networks offered by companies like Starbucks and McDonald’s. Savvy hackers can set up a digital intercept point between your device and the network, secretly surveilling the information that you send and receive while using the internet.

If your employees must connect using a public Wi-Fi network, they should use a VPN (virtual private network) to mask their traffic. This prevents malicious actors from listening in to their connections or hijacking their sessions.

6. Suspicious Activity

In general, your employees should be on the lookout for strange or suspicious activity—anything that’s unusual or abnormal, whether it’s virtual or physical. Companies often overlook the physical aspect of cybersecurity. For example, experienced hackers can use social engineering tactics to impersonate an employee, gaining access to your physical IT infrastructure and using it to cause outages or install malware.

Behaviors such as people sitting in a car outside for a long period of time should be reported to the right authorities. They may be monitoring your network traffic or engaging in passive reconnaissance, like observing the locations of security cameras. One study found that people inserted half of USB drives that they found lying on the ground into a computer, allowing an attacker to potentially spread malware onto the device.

If you’re looking for more ways to strengthen your businesses’ cybersecurity, check out our eBook for 10 simple things you can do to improve your company's cybersecurity posture.