Ideas for communicating InfoSec topics to staff (+ FREE Screensaver designs)
An unintentional click here. An innocent download there.
Suddenly your entire network is crippled by a ransomware attack.
But did you know, 95 per cent of cyber security incidents are attributed to human error (according to IBM research)?
Logically, if staff were better trained on what to look out for, you could significantly reduce the risk of being hacked.
With that in mind, we recently reached out to the SnapComms customer community asking them to share their learnings and tips for educating staff on this critical topic.
Here’s a round-up of what they told us:
(Company names have been removed to maintain confidentiality).
- Training followed by simulated phishing attacks
“All our employees are required to take online training courses. We have a weekly phishing campaign that sends out monitored emails to staff. We can see which users are clicking links and opening attachments in these test phishing attacks. This helps us determine who requires additional training before any real attacks happen.
We have email moderation enabled to route emails with specific attachments – such as .zip, .rar – to IT who then review, approve or reject the email. We also have rules in place to immediately drop emails that contain specific attachments, i.e. .scr, .js, .exe etc.”
- Corporate customer
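The attachment routing this customer describes, written as a small policy check. This is an added example, not the customer's or SnapComms' configuration: only the extension lists come from the quote, while the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Extension lists taken from the customer quote above.
DROP_EXT = {".scr", ".js", ".exe"}   # dropped immediately
REVIEW_EXT = {".zip", ".rar"}        # held for IT to approve or reject

def extension(name):
    """Return the effective lower-case extension of a declared filename."""
    # Keep only the last path component, whichever separator was used.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "a.exe." still runs as .exe.
    base = base.strip().rstrip(". ").lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def verdict(raw_message):
    """Classify one raw message as 'drop', 'review' or 'deliver'."""
    msg = message_from_string(raw_message)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    exts = {extension(n) for n in names}
    if exts & DROP_EXT:        # a blocked type wins over everything else
        return "drop"
    if exts & REVIEW_EXT:
        return "review"
    return "deliver"

def build_sample(filenames):
    """Build a constructed test message carrying the given attachments."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("body")
    for fn in filenames:
        m.add_attachment(b"x", maintype="application",
                         subtype="octet-stream", filename=fn)
    return m.as_string()

if __name__ == "__main__":
    for files in (["report.pdf"], ["photos.ZIP"], ["invoice.pdf.exe."],
                  ["backup.rar", "setup.scr"]):
        print(files, "->", verdict(build_sample(files)))
```

Rules like this see only the filename the sender declared, so they are normally paired with inspection of the attachment's actual content.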
- Passive reminders with high visibility
“We regularly publish different screensavers which address a specific cyber security topic, for example: viruses, phishing, human error, or hijacked websites. These messages are displayed [on all desktops and large display screens] and are good for building awareness. Wherever possible, we try to make these screensavers entertaining!”
- Government Agency
- Online and Offline education
“A couple of years back, we had a machine hit with ransomware. The shock of that employee losing everything on their computer was quite a lesson for everyone else!
“We have an active cyber security awareness program which includes regular communications with flyers periodically posted around our facilities, emails when specific threats warrant, and an online security awareness course every employee must take.”
- Food Manufacturer
- Repurpose vendor content
“For ongoing employee education, we repurpose educational content from our virus-protection vendor, and tailor it for our audience.
During an attack/event - like WannaCry - our information protection and security team executed our disaster communication plan. They kept key groups informed throughout the process with multiple updates.
For the mass audience (employees), this same team joined forces with our internal MarComm team to compose and publish messages using a variety of tools, including email and our Intranet.”
- Healthcare provider
- Drip feed content
“We call upon a variety of comms tools to drip feed IT security messages out to staff. For example, we use screensavers to broadcast reminders about the importance of regularly updating passwords. We run mini exams using our internal quiz tool. If there’s breaking news about a malicious attack, we’ll publish an urgent desktop alert notifying all staff to be extra cautious, with links to our Intranet for more information. We aim to send security awareness comms at least every 2 – 3 weeks.”
- IT services provider
- Multi-touch security awareness campaigns
“When there’s an incident [like the recent WannaCry example] we use a desktop alert - not email! - to send out an urgent message to staff. This includes an explanation about the malicious attack, along with clues on what to look out for. We have different ways to keep awareness top of mind for employees. This includes email, digital signage, desktop alerts and tickers. We create quizzes from time to time, and send links to pertinent articles. We also offer advice on how to protect home computers.”
- Corporate customer
- Progressive email testing
“All our employees attend cyber security awareness training sessions run by our IT Team. These sessions cover what to look out for online, and how to spot phishing emails. After training, every employee’s knowledge is tested via a series of phishing emails.
At first, these spoof emails are easy to spot, especially if the tips included in the training sessions are adhered to. But then the emails get progressively more difficult to detect as fake scam emails.
Repeat offenders, i.e. those employees who continue to fall for the trickery, are encouraged to undergo further training to help close their knowledge gaps.”
- Construction Services Supplier
TOOLS TO GET YOUR CYBER SECURITY MESSAGES THROUGH
SnapComms tools can play an active role in educating staff about InfoSec. From building awareness through the use of passive tools – such as corporate screensavers, digital internal newsletters, and corporate desktop wallpaper – to more intrusive tools – such as desktop alerts and tickers, the combined power of these formats can create an impactful internal campaign designed to get cyber security messages through.
To get you started, we’ve created two FREE screensavers ready to be used immediately.
For SnapComms customers (with a Screensaver licence), simply load these straight into your Content Manager and publish. If you don’t have a Screensaver licence, contact your Customer Success Manager for details.
For non-SnapComms customers, you can still use the screensaver; however, each desktop will need to be manually loaded. To find out about our screensaver solution – and how easy it is to broadcast messages company-wide using SnapComms’ simple Content Manager system – email firstname.lastname@example.org