You know the parable about spreading rumors? The one in which the town gossip was tasked to gather the feathers she threw into the wind while standing in a church bell tower? This pretty much illustrates the way cybercriminals unleash their malware.
In fact, when a ransomware attack on a hospital resulted in a patient dying, the ransomware gang involved rescinded their ransom demands and gave the hospital the decryption keys. This apparently shows that the cybercriminals didn’t intend for their malware to reach the hospital and were conscientious enough to prevent further loss of life. However, they weren’t conscientious enough not to release the ransomware in the first place.
And, if the recent attack on a water treatment plant has taught us anything, it’s that there are also cybercriminals who would intentionally kill people. As of the moment, it appears that such life-or-death incidents are few — at least much fewer than theft-oriented cyberattacks. Still, such attacks cut down countless businesses and destroy people’s livelihoods. Therefore, it’s in everyone’s best interest to receive cybersecurity training. To make such training effective, follow these tips:
1. Train everyone
Send a company-wide message saying that everyone is on the same boat, which means that a cyberattack on one department can affect the well-being of the entire organization. Therefore, make no one exempt from cybersecurity training, not even those in the C-suite.
Among the topics everyone must learn about include:
- Account access best policies, whether you’re still using passwords or implementing passwordless methods
- Knowing how to spot and avoid most prevalent cyberthreats
- Safe implementation of bring your own device policies
- Remote work protocols
Naturally, members of your IT department ought to be trained at expert levels. Furthermore, you’ll also need to cover topics that are specific to your industry, such as HIPAA compliance for healthcare.
2. Assess team aptitude with simulation exercises
When a person’s immune system encounters a vicious virus for the first time, the system will take time to recognize the virus as something that did not belong in the body and must be eliminated. Before then, the virus would have multiplied exponentially, which would lead to severe symptoms. Thankfully, vaccines shorten the immune system’s response time by making your system preemptively familiar with the virus, thereby preventing life-threatening symptoms from manifesting.
If we liken live cyberattacks to viral infections, then simulation exercises serve a similar purpose to vaccines. Cybersecurity lectures and exams can’t completely capture the sly nature of phishing scams, nor replicate the feelings of anxiety and panic caused by a ransomware attack. So, when there’s a genuine cyberthreat, your team would be ill-prepared to deal with it. However, unannounced simulation exercises could reveal if people are absorbing their lessons or if cybersecurity lectures are just going over their heads. You could also use the exercises to check if your staff would follow cyberthreat response protocols and see what they could do better to resolve security breaches more quickly and effectively.
For greater effectiveness, have a third-party cybersecurity agency facilitate the simulation exercises for you.
3. Foster a culture of empathy
In a culture where failing cybersecurity assessment tests lead to shaming and unintentionally clicking on a bad link and letting malware into the company network is severely punished, staff members would keep mum about making mistakes. If, for instance, an employee has fallen for a phishing scam and sent their company account credentials to a hacker, they’ll keep it a secret and try to remedy the situation before it becomes a full-blown problem. If they’re able to access their account correctly and change their password, then they can breathe a sigh of relief. However, if the hacker already locked them out of their own account, that can mean huge trouble to your company, especially if there’s company money involved.
However, if the employee felt safe enough to come forward and report the incident at the get-go, then the sooner your company could minimize the damage the attacker could cause.
One way to create this sense of safety is by having cybersecurity training administrators and participants talk about their cybersecurity mishaps. Lead the discussion by showing that cybersecurity is a difficult subject to grasp — and that even the experts can get things wrong, too. Drive home the point that it’s how we address our mistakes that determines how quickly we recover and make things right again.
Don’t make running a business harder than it already is by tackling cyberthreat concerns on your own. Instead, trust [company_short] to help you take care of your cybersecurity requirements. Write to us or call 816-326-1143 today.