Today, I’ll be starting things off with an analogy. I’d like you to picture two castles. The first belongs to an incredibly rich duke who has spared no expense on his keep’s physical security – nigh-impenetrable walls, a wealth of traps to trip up attackers, and reinforced gates. Having spent so much on making his keep secure, he figures he needn’t bother training his guards.
His walls should be enough to keep his enemies out. The second belongs to a recently-promoted knight. Although he doesn’t have the money to build indestructible walls, what he does have is a cadre of loyal, well-trained soldiers to protect his home.
A rival sends thieves to both castles, disguised as merchants. The duke’s men are immediately fooled, and allow the thieves into their lord’s castle. The knight’s men, on the other hand, deny them entry and warn their lord of the plot.
As you’ve probably surmised, this is an article about social engineering. See, modern-day businesses are sort of like digital fortresses. Sure, it’s possible to spend millions on highly-complex infrastructure – but if you don’t also train your employees, you’ll be like the duke in our story.
Because at the end of the day, no matter how much the digital world advances, humans will always be the greatest security risk to your business’s data.
The media loves stories of highly-complex, sophisticated attacks – state-sponsored black hats capable of breaking through any firewall, rival governments reportedly installing malicious backdoors into hardware manufactured in their country, advanced malware that can bring down entire swaths of the web. The reality is that these represent a small minority of cyberattacks.
Certainly, advanced groups exist. But the vast majority of attackers will always seek the path of least resistance. A phishing email, an infected USB drive, a malicious download, a scam phone call: these are the tactics most often used to break into a business and compromise its data, and every one of them works by fooling a person rather than a machine.
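The “signs of a scam” that awareness training asks people to spot in an email can also be written down as checks. The script below is an added example and not code from the original post; it runs a handful of the classic phishing indicators (a display name that impersonates a trusted organisation, a look-alike sender domain, a Reply-To that points somewhere else, urgency language in the subject) over two constructed messages. The trusted domains, the homoglyph table, and both sample emails are assumptions made for the example.

```python
"""Heuristic phishing-indicator check over raw RFC 5322 messages (constructed samples)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed for the example: the organisation's own domain plus a partner it expects mail from.
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# Pressure phrases social-engineering mail leans on to short-circuit the reader's caution.
URGENCY_PHRASES = ("urgent", "immediately", "account suspended", "verify your account", "final notice")

# Character substitutions commonly used to register look-alike domains (assumed, not exhaustive).
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalize(domain: str) -> str:
    """Collapse look-alike substitutions so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in _HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character typosquats such as 'examplee.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if domain.endswith("." + t):          # a genuine subdomain, e.g. mail.example.com
            return None
        if _normalize(domain) == _normalize(t) or _edit_distance(domain, t) == 1:
            return t
        if t.split(".")[0] in domain:         # trusted brand buried inside an unrelated domain
            return t
    return None


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable reasons this message looks like a phish (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display-name spoofing: the visible name embeds a different address or a trusted brand.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and _domain(embedded.group(0)) != from_dom:
        findings.append(f"display name shows {embedded.group(0)} but mail is from {from_addr}")
    elif from_dom not in TRUSTED_DOMAINS and any(
        t.split(".")[0] in display_name.lower() for t in TRUSTED_DOMAINS
    ):
        findings.append(f"display name '{display_name}' impersonates a trusted organisation; sender is {from_dom}")

    # 2. Look-alike sender domain.
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"sender domain {from_dom} imitates {target}")

    # 3. Reply-To pointing somewhere other than the sender: replies go to the attacker.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} does not match sender domain {from_dom}")

    # 4. Urgency cues in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Helpdesk example.com" <helpdesk@exarnple.com>
Reply-To: recovery@mail-reset.net
To: staff@example.com
Subject: URGENT: account suspended, verify your account immediately

Your password expires today. Sign in at the link below to keep access.
"""

LEGIT = """\
From: Payroll Team <payroll@payroll-example.com>
To: staff@example.com
Subject: March payslips are available

Your payslip for March is now in the HR portal.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is conclusive on its own; the point of training is that a person who notices two or three of them together stops and picks up the phone, which is exactly what the script does when it returns more than one finding.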
What that means is that if you don’t train your employees to recognize and avoid such attacks, you cannot claim to have even a halfway-decent security posture. Below are a few places you can start.
- Offer mindfulness training. You might not expect meditation to have anything to do with cybersecurity, but a lot of phishing attacks succeed precisely because people act on autopilot. By training people to be more thoughtful and aware of their surroundings, you equip them to pause before clicking a link, opening an attachment, or answering a question from a stranger.
- Establish strong security policies. Tell your users what constitutes acceptable use for mobile devices. Explain to staff why they shouldn’t let people they don’t recognize into the office. Implement clear-cut processes for communication between employees and departments to stymie phone scammers, such as calling back on a known number before acting on any request involving money, credentials, or data.
- Build a culture of cybersecurity. Promote risk awareness and accountability at every level of the organization. Let your staff know that they’re important in keeping your organization safe, and why. And most importantly, show them that even at the highest level of your business, people are engaged with keeping data safe.
- Plan for the worst. Where security is concerned, it’s best to assume that in spite of your best efforts, someone will eventually get into your network. Decide in advance how you would notice, who would respond, and what they would do, so that a single fooled employee doesn’t become a full-blown breach.
People are your weakest link. But they don’t have to be. By training your employees to recognize the signs of a scam, implementing decent policies, and working in a top-down culture of cybersecurity, you can make them just a little bit stronger.