When was the last time you clicked on a link? It could have been in your social media feed, an email sent to you, or even a text message. Was it within the last hour? Thirty minutes? Five minutes?
Personal and Professional Lives
Let’s face it, we are bombarded with opportunities to click on links, in our personal lives, in our professional lives and everywhere in between. It has become common practice to send links, or files, to others to support the conversation we are having, especially in a professional setting. Since clicking on a link has become the norm, it’s no wonder that attackers use that same approach to deliver malware, steal information or disable security software. They are leveraging the habits of everyday life to gain access to personal and company information, and they are frequently using your employees to do the dirty work: click on a link or download an attachment.
But before we fault our employees, let’s go back to the original question: when was the last time you clicked on a link? In all honesty, it probably wasn’t more than a few hours ago. We need to keep this in mind when we talk about training employees to help stop attackers from infiltrating the company. Consider the day-to-day of our employees’ professional world. Many of them are effectively trained to click on links and download attachments, because that is how work gets done. So why wouldn’t they click on a link sent to them by an attacker?
Training is a Must
That’s where training comes in. Oftentimes when we think of training, we think of someone speaking at us, telling us what to do and not do. When the lesson is “don’t click on that,” that style of training will not work, because in most cases it runs counter to the employee’s everyday professional and personal life. This training needs to be different. It needs to account for how employees interact with other employees, customers or clients, and vendors, which is typically through email. It needs to acknowledge that we are asking employees to apply a heightened sense of awareness to every single email they receive. And it needs to accept that employees are human and mistakes will happen. That’s a tall order, but it is achievable.
Part of that training begins at the organizational level. Organizations need to look at how they function before asking employees to change. Think about it: is it common for company-wide emails to be sent with a link to download a presentation, or one that links out to a company resource that requires a login? If so, a good place to start is revamping that process. Provide a central location where important documents and internal sites can be found, for example cloud-based storage that employees reach through a bookmark or the company portal. This lets employees get to important information quickly, without clicking on a link in an email, and it means a legitimate internal announcement no longer looks exactly like a phishing email.
Cloud-based storage also gives employees a way to collaborate without emailing attachments to each other. Reducing the need to attach documents takes away some of the normalcy of receiving attachments, and with it the standard practice of opening them without a second thought.
Communicating with employees beyond email is another way to break the email, link, attachment cycle. Employees get to know the people they are working with better, and if they do receive an email with a questionable link or attachment, they may feel more comfortable raising a question about it. And if someone does question an email, thank them for questioning it. They are trying to protect the company from potential downtime, and a false alarm costs minutes while a missed phishing email can cost days.
Security Breach Downtime
Speaking of downtime, this is a good topic to explain and discuss with employees, because it directly impacts them. By the figure used in this post, the downtime for small and mid-sized businesses after a security breach averages eight hours or more. For employees, that can mean lost hours for hourly staff and an inability to serve customers. Not being able to serve customers can lead to losing customers, which can lead to layoffs. It paints a serious picture, but not an unrealistic one, and it is a scenario that relates directly to employees. That makes it a good way to demonstrate why a heightened awareness of suspicious emails matters, and it creates the opportunity to share examples of phishing emails along with the things employees can do to safeguard the company, and themselves:
- Be on the lookout for typos and awkward wording. Many phishing emails contain obvious mistakes, though the absence of typos is not proof an email is safe.
- Hover over each link to check that the address the link actually opens matches the text shown and the site you expect; a link that displays one address but points to another is a classic phishing sign. Better yet, skip the link and type the website address directly into your browser, or use a bookmark you already trust.
- When your computer indicates an update is needed, do not ignore it. These updates play an important role in protecting your computer and the company.
- If you weren’t expecting an attachment, do not open it. If it looks suspicious, let your IT department or outsourced IT consultant know so they can take a look at it.
- Do not disable any of the web filters or security tools the IT team installs.
- Do not click on connection requests that arrive by email from social media sites. Instead, go directly to that social media account, look for the request there, and connect only if you know the person.
- Remember that attackers harvest personal details from social media accounts and use them to make their messages look convincing, so a message that knows your job title or your manager’s name is not automatically genuine.
- Above all, feel empowered to say something if you believe you’ve received a phishing email. It is a far better use of time to check into a potential phishing email than to deal with the aftermath.
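Hovering over a link is the manual version of a check that mail filters can automate: does the address shown to the reader match the address the link actually opens, and does the link stay within the domains the company expects? The Python below is an added illustration of that check and is not code from the original post or from Intivix. It uses only the standard library to pull every anchor out of a constructed HTML email body, flags anchors whose visible text is a URL pointing at a different host than the real target, and optionally flags any link that leaves a list of expected company domains. The sample message, the example.com domains and the function names are all made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor we are currently inside, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only keep text that sits inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none (e.g. mailto:)."""
    if not re.match(r"^[a-z][a-z0-9+.-]*:", url, re.I):
        url = "http://" + url               # bare 'www.example.com/x' style text
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True when the anchor's visible text itself reads as a web address."""
    return re.fullmatch(
        r"(https?://|www\.)\S+|[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?",
        text.strip(), re.I) is not None


def scan_email(html, trusted_hosts=()):
    """Return (href, text, reason) for each link a human hover check would catch.

    trusted_hosts: company domains (and their subdomains) that links may
    legitimately point to; leave empty to skip that second check.
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        reasons = []
        # Displayed address and real destination disagree: the hover test.
        if looks_like_url(text) and host_of(text) != target:
            reasons.append(f"text shows {host_of(text)!r} but link opens {target!r}")
        # Destination outside the domains this company actually uses.
        if target and trusted_hosts and not any(
                target == h or target.endswith("." + h) for h in trusted_hosts):
            reasons.append(f"target host {target!r} is outside the expected domains")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample message (hypothetical domains), not a real phishing email.
SAMPLE_EMAIL_HTML = """
<p>Your payroll document is ready.</p>
<a href="https://intranet.example.com/docs/q3.pdf">https://intranet.example.com/docs/q3.pdf</a>
<a href="http://example-com-login.net/verify">https://intranet.example.com/login</a>
<a href="https://hr.example.com/benefits">Benefits enrollment</a>
<a href="http://198.51.100.23/reset">Reset your password</a>
"""

if __name__ == "__main__":
    for href, text, reason in scan_email(SAMPLE_EMAIL_HTML, trusted_hosts=("example.com",)):
        print(f"SUSPICIOUS: {text!r} -> {href}\n    {reason}")
```

Run against the sample body, the first link is clean because text and target agree, the second is flagged on both checks (the text claims the intranet but the link opens a look-alike domain), the third is a plain-text link into a company domain, and the fourth is flagged only because a raw IP address is not one of the expected company hosts. The second check is the one that catches links whose visible text is a harmless phrase like “Reset your password”, which the hover test alone cannot judge.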
Phishing emails, and the habit of not clicking on every single link, are an extremely important topic. But it doesn’t start with employees. It starts with how the company approaches email, document sharing and the communication of important information. Once the organization makes that shift, follow up with an employee-specific conversation. Together they act as a strong one-two punch in combating attackers.
For added emphasis, let employees know how you stay informed about the latest in cybersecurity. For example, the Intivix blog, the Intivix Facebook page and the Intivix LinkedIn account all share relevant articles and information that can help keep organizations and people safe from attackers.