Cyber-attacks have become a common threat in recent years, yet many companies still aren't doing enough to defend against external threats. Most businesses will pin the responsibility for this area on the IT department, but that’s a short-sighted view. Whilst IT has a responsibility to ensure the latest software is being used to protect the company's data, it is the job of every employee to be alert to any threats facing the business.
Common mistakes and easy vulnerabilities
There are some simple practices that businesses can adopt to protect themselves from serious financial and reputational harm. Many of these processes are not that complicated, but are often overlooked. For example, something as simple as making sure that the software on all company devices is up to date will help improve the defences of the business, as flaws in older versions can be exploited to breach the system.
Additionally, using the recognised industry accreditation ISO 27001 ensures the business understands the risks towards its data. This, combined with a simple classification process to identify more sensitive information, will help staff recognise which documents, reports or files should be handled with extra care.
However, a robust defence requires more than just technology. IT also needs to ensure that staff are aware of the current tactics that scammers are employing. If they are using a particular ruse to confuse staff or utilising a specific domain in their emails, staff need to be informed. Otherwise, employees can unwittingly engage with a scammer, open a file which contains a virus or otherwise leave the company open to attack.
Keeping emails safe
Staff involvement is especially important when dealing with external emails, as this can be an easy way for individuals to breach the system. For this reason, employees need to understand the various methods that cyber-criminals have at their disposal and also know who they should alert if they identify any suspicious behaviour.
Employees should always be wary if the email’s tone is unusual – perhaps it is using odd phrases, has spelling mistakes or utilises out-of-place salutations – as this can often be a clue for staff. Many scammers will also lack knowledge of how the company formats its emails. No signature or unusual spacing can be an easy giveaway to staff looking to identify a scammer.
Then there is the origin of the message. Scammers will often make emails appear as though they are coming from a reputable source. However, advising staff to take an extra five minutes to click on the sender’s name and check the actual email address will immediately show the user the origin of the message. If the email address does not match up with the sender’s name, then the chances are that the email is a scam.
False attachments are another prime example, as they can contain some form of malware, and can therefore trick staff into accidentally unleashing a virus or ransomware attack onto the business. Some malware, known as worms, will also spread to other computers connected to the same system, meaning that the entire business can be corrupted should an employee open a single fake attachment.
There are some easy ways that staff can recognise which attachments could pose this kind of risk, such as checking the program that is used to open the attachment. If the attachment has an ‘.exe’, ‘.cmd’ or ‘.com’ suffix, for example, it can potentially be harmful. Staff should only proceed with saving and opening the attachment if they trust the source or have already consulted with their IT department.
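The two manual checks described above (does the real sender address match the displayed name, and does the attachment carry a risky suffix) can be automated for an IT team triaging reported emails. The following is an added example, not code from the article or from QuoStar; the sample message, the look-alike domain and the company domain "example.test" are constructed for illustration.

```python
import os
from email import message_from_string, policy
from email.utils import parseaddr

# Suffixes the article names as potentially harmful attachments.
RISKY_SUFFIXES = {".exe", ".cmd", ".com"}

# Constructed sample: internal-sounding display name, look-alike domain, .exe attachment.
SAMPLE = """\
From: "Finance Director" <director@examp1e-mail.test>
Subject: Urgent invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

AAAA
--b1--
"""

def sender_check(msg, expected_domain):
    # Split From into display name and real address (the manual check) and compare domains.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr, domain != expected_domain.lower()

def risky_attachments(msg):
    # Attachments whose final suffix is risky; splitext also catches invoice.pdf.exe.
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if os.path.splitext(fname)[1].lower() in RISKY_SUFFIXES:
            hits.append(fname)
    return hits

def triage(raw, expected_domain):
    # Findings for a reviewer, given the raw message and the company's own domain.
    msg = message_from_string(raw, policy=policy.default)
    name, addr, external = sender_check(msg, expected_domain)
    findings = []
    if external:
        findings.append(f"display name '{name}' but external address {addr}")
    for fname in risky_attachments(msg):
        findings.append(f"attachment {fname} has a risky suffix")
    return findings
```

The From header itself can be forged, so this reproduces the article's screening heuristic rather than authenticating the sender; it is a first filter, not a verdict.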
Emails can be the first line of defence against a cyber-attack, but they are not the last. Staff need to be informed on how an attack can occur at every level of the business. Scammers can also gain vital information from the business simply by speaking with key employees. If they pose as a member of IT, a client or senior management, staff may willingly communicate private information on the business over the phone. Scammers can then use this information to do anything from blackmailing the business and stealing valuable intellectual property to withdrawing funds from the company account.
A holistic training programme
While staff can be given tips on spotting potential fraudsters, it is important that the business goes one step further. Providing formal training to every member of staff will ensure that each employee has a full understanding of the dangers facing the company, knows how to recognise an attack, and is aware of the procedure should the company be breached.
IT needs to clearly communicate the need for this kind of training along with the benefits it will have to the business. However, any initiatives in this area will need to be supported by senior management as well. This will not only allow every employee to know how to protect the company from a cyber-attack, but will also encourage staff to take the training more seriously.
One crucial factor that cannot be ignored when providing a training programme on digital security is the practical element. For staff to have a better understanding of the company’s cyber defences, the training needs to have actionable advice that staff can work into their daily routine. This way, the business will have every employee on hand to help recognise and defend against a malicious attack.
Company-wide initiatives like these are vital for keeping businesses safe from attack. While some things can be actioned by the IT department, such as updating software and meeting industry accreditations, it takes a much more holistic approach to defend against the numerous cyber threats out there. Although staff can benefit from a better understanding of the dangers facing the business, it is important to incorporate a full training programme that has the buy-in of senior management. With this approach, companies can be safe in the knowledge that the business is doing all it can to defend against an attack.
Robert Rutherford is Chief Executive Officer of QuoStar