December 2017: What’s the single most important thing you can do to protect your business from cybercrime? Have good firewalls and anti-malware? It’s actually more analog than that — it’s training your employees to spot and react to scams. All the advanced perimeter technology in the world won’t help if your employees inadvertently hand criminals the keys.
Here are seven reasons why security awareness training is more important than ever in 2018:
1. There’s more cybercrime out there
If you think 2017 had a lot of cybercrime, just wait. Next year looks to be even worse. Like sharks when they smell blood, more cybercriminals are piling on the feeding frenzy. The easier you make it for them to target your company, the more likely it is that you’ll get bit.
2. 91% of attacks start with a phishing email
Why is there so much phishing these days? Because it works! People open emails because they’re curious, fearful, or responding to the email’s sense of urgency, among other reasons. We’re also a click-happy culture and changing habits is hard. All of these things work together against your company’s security — and they all can be greatly improved through training.
3. Phishing is not spam — it’s real email
Spam filters don’t work on sophisticated phishing campaigns. These are not Nigerian princes or male enhancement scams we’re talking about. Phishing campaigns are so successful because they seem so real. And at our core we’re a trusting species, so if something looks real, we think it probably is, which helps explain why 30% of phishing emails are opened.
Spear phishing scams take it up a level by targeting specific individuals. Criminals learn about employees through the employees’ social media accounts and then use the information against them. They send fake LinkedIn requests, for example, or spoofed emails from business contacts — whatever they think the target is most likely to respond to.
Malware that holds your data hostage isn’t going away until it stops being profitable for criminals. And it’s very profitable. Companies pay up because the ransoms are usually cheaper than the alternative, despite the possibility the hostage-taker will leave a backdoor open to come back in later. (Note: if you work with Leapfrog, don’t pay! We have a backup and can get you back up and running quickly.)
5. They’re smarter than you when it comes to cybercrime (sorry)
All day long scammers think about how they can penetrate data centers like yours, especially if you operate in one of these five industries. They can also buy tools from the dark web that help them with every step — developing the list of targets, creating a website, getting emails through spam filters, and deploying the malware once the target is hooked. Only a handful of people need to fall for the scam for it to be profitable. And when it looks like their scam may have run its course, they shut it down and recycle it using a slightly different domain name. It’s how they make a living.
6. You can’t tell by looking
Criminals have now learned how to use graphic design software and spell check so spotting the fake stuff is a lot harder. They’re also great at looking innocent for in-person social engineering — if you’re looking for someone with neck tattoos or unusually beady eyes, that’s not going to cut it. Your employees need to overcome their fear of being rude by learning what to do and say in situations that might compromise access to your business.
7. Security awareness training is affordable
Training is not a big budget item, and it’s especially affordable when compared to what it costs to recover from a breach. Your company can sign up for an annual subscription service such as KnowBe4 or SANS for less than $30 a month per employee. Pricing depends on the training package level and number of subscribed employees. You will also need to budget for someone to run the program internally (most companies assign it to the HR department). Programs typically include self-directed training modules that employees complete on their own, plus test emails that are sent to employees company-wide to see who is falling for what type of scam.
Leapfrog recommends security awareness training as an organization’s first line of defense against intruders — it’s one of the most important things we discuss with our clients and help them obtain. And with the current climate, it’s really no longer optional. High-quality training with testing works, especially when it’s yearlong. By the time everyone on your team has completed their 2018 training, they will have a much better understanding of what to do when confronted with the slickest new scams. Security is integral to everything we do for our clients at Leapfrog, so while no system is foolproof, the right policies and procedures help you prevent and respond to ever-changing threats. If you would like more information about how we can help with security awareness training and other security issues, we invite you to contact us.