In the previous post, we discussed the significance of cybersecurity threats in the modern workplace and the importance of putting together a sound cybersecurity policy that includes training for employees. In that post, we looked at the first step in this process: educating employees on the importance of cybersecurity and the scale of the threat. Here we’ll look at the next step: building awareness among employees of the types of threats they and your organization face.
In an article for CSO, Roger A. Grimes covers five of the most common cyberattacks businesses are likely to face. It’s important to note that in many of these attacks the exploitable weak link is a human, not a piece of software or hardware. For example, “Approximately 60 to 70 percent of email is spam, and much of that is phishing attacks looking to trick users out of their logon credentials,” writes Grimes. “Fortunately, anti-spam vendors and services have made great strides,” he adds, “so most of us have reasonably clean inboxes.” Similarly, socially engineered malware relies on tricking a human user into installing software or running a fake antivirus program that plants malicious software on the user’s machine, which then attempts to spread to more of the organization’s network.
This doesn’t mean that software can’t be the weak link, however. “Coming in close behind socially engineered malware and phishing [as a cybersecurity threat] is software with (available but) unpatched vulnerabilities,” says Grimes. “The most common unpatched and exploited programs are browser add-in programs like Adobe Reader and other programs people often use to make surfing the web easier.”
Recognizing that cyberattacks are a real threat to your business is only a first step. Your employees need to know what specific types of threats are out there and how to identify them. Many employees are surprised to learn, for example, that cyberattacks can begin in a very nontechnical manner, such as a phone call or an email rather than a piece of code. In the next post, we’ll look at training employees on the appropriate ways to report a potential cybersecurity risk once they recognize one.