:quality(70)/cloudfront-us-east-1.images.arcpublishing.com/adn/DJTUAJBTY5E2DL6XRBIYIVQB7A.jpg)
Question:
Four of our employees fell for a cyberattack last week. They opened an email attachment they thought originated from our HR department, which regularly emails policy updates to all employees. This email had the subject line “Changes to Vacation Policies.”
Even though we’ve trained our employees not to click on suspicious emails, and certainly not ones with attachments, this one fooled them. We didn’t realize the breach until one employee called HR with a question related to the new policies. HR immediately contacted IT, but it was too late. We lost sensitive employee, customer and company information.
We’ve since upgraded our anti-phishing software. We’ve contacted our customers, letting them know the measures we’ve put in place to protect them, and outlined the precautions we’ve taken so this never happens again. We held another mandatory all-hands cybersecurity training. What else can we do to fix the “human factor”? All it takes is one curious employee clicking on the wrong attachment to cost us thousands of dollars.
Answer:
You’ve correctly targeted the area of your company’s greatest vulnerability, and getting your plan together is urgent. In 2023, the FBI’s Internet Crime Complaint Center reported a stunning surge in cybercrime incidents. The 880,418 complaints the FBI registered in 2023 cost employers more than $12.5 billion, a 22% increase over 2022.
As most employers use increasingly effective technical security control to protect their networks against hacking, cybercriminals have turned their focus on employees. Two-thirds — 68% — of data breaches involve “nonmalicious” human actions. With the increasing sophistication of cybercriminals targeting workplaces, employers need to provide employees with training to enable them to recognize and avoid mistakes that could destroy their company’s network.
Unfortunately, research shows employees forget an average of 90% of what they learn from lecture-oriented training within the first week. Although effective trainers combat this problem by using a hands-on approach, employees need regularly updated, clearly written protocols they can keep at their desks.
In addition to the guidelines security experts commonly offer employees, such as don’t open attachments coming from outside the company and evaluate domain names for misspellings, training needs to address emotional factors. Your company fell victim to one of these — subject lines such as “vacation policies” touch an emotional nerve that leads employees to drop their guard. Another common problem is the employees’ “but I want it and it won’t create a problem” delusion, which leads them to open an appealing site or app even when some part of their brain knows they’re taking a risk.
The answer: Provide employees with an individual or source that offers them help if they have a cybersecurity concern, receive a suspicious email or are about to make a mistake. Some employers now use real-time artificial intelligence coaching tools to deliver immediate responses to employee cybersecurity issues.
These AI tools can collect and analyze data about an employer’s areas of vulnerability and catch employees engaging in risky behavior. One tool, KnowBe4, intervenes when an employee visits a malicious website or clicks on links in a suspicious email or text.
When a risky employee behavior occurs, an alert is generated and analyzed. The tool then sends real-time security tips to the employee through email or other company channels. The message might say, “This is a security risk,” and provide guidance for handling the situation.
Employers also need to get their arms around the explosive growth of “shadow IT” in their companies — employees’ unauthorized use of apps or tools such as ChatGPT. As my last column noted, 78% of AI users bring their own AI tools to work. The shadow AI tools employees bring in, and their accompanying plug-ins, often lack needed security controls and elevate the risk that employees might leak sensitive company data.
In short, you’re on the right track in knowing you need to tackle the human factor.