Imagine a scenario in which an employee clicks a link in an e-mail and costs his or her employer $600,000. Unfortunately, this situation does not require one’s imagination. This is exactly what happened in Riviera Beach, Florida, when an employee clicked a link in an e-mail, and the government was crippled by a ransomware attack. The city had to pay all of that money just to gain access to its own files.
Who is to blame when these things happen? One cybersecurity expert believes that the onus of responsibility rests squarely on employers that fail to conduct adequate preventive training.
The Situation
Such incidents are on the rise. I spoke with cybersecurity expert Jess Coburn, President and Founder of Applied Innovations, who explained that “hackers are constantly changing their techniques and tactics”; he provided the following methods that contemporary hackers use to gain access to a computer or personal information:
- An e-mail from Amazon that says your new laptop couldn’t be delivered, except you didn’t order a laptop.
- An e-mail from Office 365 that says your password is expiring in 48 hours and you need to log in and change it immediately or lose access to e-mail.
- An e-mail from the Internal Revenue Service that says your tax refund was just deposited in your bank account at Washington Mutual, but you don’t have an account at Washington Mutual.
- An e-mail from a known contact, but the e-mail address is wrong. Always check the sender’s e-mail address, and when you click “reply,” look at the e-mail address it’s going to.
- Misspellings, typos, and grammatical errors in the e-mails and landing pages.
- Landing pages that are missing images or that don’t use “https” or the URL looks wrong—for example, www.microsoft.com.bobsblog.org or mail-rnicrosoft.com or microsoftt.org.
- Requests that are not the norm, such as a request to immediately send a wire, buy a gift card, or complete an action but not to reach out to the sender because he or she is getting on a plane, going into a meeting, etc.
Whose Fault Is It?
When a disaster happens, the blame game begins. Coburn gave an example that is similar to situations he has helped deal with. An employee named Bob gets swindled out of 15 $100 Amazon gift cards and sent them to a hacker in Ukraine.
In Coburn’s experience, the CEO’s response invariably sounds something like, “Oh my God. That guy is an idiot. How could he have done this? I can’t believe I have this fool working for me. Should we make him pay for this?” To this argument, Coburn responds, “Has the employer done the due diligence that was necessary to make sure Bob didn’t give the 15 gift cards to his boss thinking it was his boss?”
How could Bob’s boss have helped him avoid the situation? Coburn strongly believes that the solution comes down to the right kind of training delivered in the right way.
Coburn had a little more to say about poor Bob: “Bob needs the training. Shame on you for not spending the couple of dollars a user a month to give him the training he needs.”
Training, Training, Training.
Keeping your employees apprised of the latest types of cyberattacks, as well as the methods for avoiding them, comes down to training. It won’t be enough to do a single training. Coburn says that “it’s not like classic training where it’s one and done. The tactics are constantly changing.” He continues, “Hit employees with new training, little micro training lessons a couple of minutes—each of these lessons a couple of times a month—to make sure that they’re aware of what’s going on.”
The Divide Between HR and IT
You might be wondering how you, an HR manager, are going to get IT onboard with some of these solutions. Coburn recognizes that part of the problem here involves the way organizations separate HR and IT duties. He says, “I think that there is too much of a divide between IT and HR. People think, ‘Oh, that’s related to computers; go talk to IT.’”
While you can’t expect HR professionals to be IT managers and you can’t expect IT managers to be HR professionals, you can help encourage more communication between the two departments. Coburn states, “There needs to be that collaboration between IT and HR because it’s the business.” In other words, the issue of a cybersecurity breach is both a technology issue and a people issue. So tackle the problem from both angles in a coordinated effort.
What Else Can You Do?
Other than providing better training and encouraging more collaboration between HR and IT, Coburn provided the following list of preventive measures:
- Run phishing simulations whereby you send your employees actual phishing e-mails and use them as a way to teach them what to look for. Coburn says that when companies do phishing simulations, 50%–80% of employees fail.
- Ensure software is updated, from servers to desktops and even your mobile devices and smartphones.
- Invest in modern security solutions like time-of-click e-mail protection, attachment sandboxing, and detonation.
- Upgrade from traditional antivirus software to Endpoint Detection and Response solutions like Sentinel One, Microsoft Defender ATP, or Cylance.
- Provide training that’s tailored to current and modern threats.
- Leverage alternative training mediums like posters, animations, movies, and online classes, and provide them in microtraining nuggets throughout the year so the information remains fresh and current.
- Users, check the sender’s e-mail address against the message signatory. Do they match? If not, don’t touch it.
Ultimately, people make mistakes, and Coburn agrees: “People get busy, they get distracted, they click the wrong button. Just like they delete the wrong file or they send an email to the wrong Mary. It happens.” But with the right training and the right frame of mind, you can make it happen a lot less often and with far fewer consequences.