8 Tips to Help Your Employees Avoid Social-Engineering Hacks
Phishing and other related forms of socially engineered hacking are among the biggest realistic threats to business data security. No matter how cutting-edge your firewall and antivirus software may be, one employee checking their email or responding to a customer-service ticket can still ‘invite’ ransomware, credential theft and worse onto your internal business network by accident.
Social-engineering attacks exploit the ‘human error’ factor in security breaches. They use look-alike domain names, accounts that impersonate trusted contacts, and fabricated scenarios that fool or frighten targets into clicking a malicious link, opening an infected attachment or handing over sensitive information. This means it is vital for every employee of every modern company to understand how social-engineering attacks work and to take active steps to avoid getting phished.
The Solution to ‘Slippery’ Cybersecurity Training
Unfortunately, cybersecurity training doesn’t always stick. The Ebbinghaus forgetting curve suggests that most of what people learn in a one-off class fades within weeks unless it is reinforced, which is bad news for employers trying to keep their data secure in the face of hacker lies and social trickery. So today we’re sharing ways that you, as an employer, can make it easier for your employees to avoid phishing and similar malware-riddled scams without having to remember perfect security protocol 100% of the time.
1) Install Email Scam Detection Software
One of the most effective tools against phishing is plain email security software. A modern mail filter can recognize when a message comes from an address that closely resembles a known contact (a swapped letter, a digit in place of a letter, a look-alike domain) but is not that contact, and it can red-flag any email carrying a link or attachment as potentially suspicious. Good tools surface this in a visually obvious, hard-to-ignore way, typically a warning banner injected into the message itself, so that a flagged email cannot simply be ‘missed’. The banner reminds employees to slow down and apply their cybersecurity training before proceeding. One caveat: no filter catches everything, and a message sent from a compromised legitimate account will pass every look-alike check, so this software reduces the load on people rather than replacing their judgement.
2) Use a Cloud-Based Document Manager at All Times
Where does malware come from in a phishing or other socially engineered attack? Mostly from links and downloaded files. So a key step in reducing your network’s exposure is to limit what can be downloaded and run locally. This can be done in two ways. First, endpoint policy can block downloads, or the execution of unapproved software, on any company computer or device without administrator authorization.
Second, manage all your business documents and files through a cloud-based document manager. This gives your team access to any document they need without ever saving it to a local system. So if a client, business partner or customer needs you to receive and open a file, that’s fine, as long as it’s done in the document manager and never locally. Two caveats: a shared-document link is itself a favourite phishing lure, so staff should open shared files from inside the manager rather than from a link in an email, and any ‘shared document’ that asks them to sign in again deserves a second look; and a credential-harvesting page involves no download at all, so this control complements the others rather than replacing them.
3) Prohibit Use of Personal Email Accounts
Use of personal email accounts for work purposes opens the door to a variety of problems. Chief among them: employees can no longer be sure that an email from ‘a coworker’ is legitimate. A message from an unfamiliar domain could genuinely be a colleague writing from home, or it could be an attacker using a throwaway address dressed up to look like it belongs to one’s boss or coworker.
The solution to this one is simple: don’t allow employees to send or receive work email through a non-work account. If all internal email comes from the company mail server, employees can treat the company domain as a meaningful signal, provided the mail system is configured (SPF, DKIM and a DMARC reject policy) so that outside senders cannot forge that domain, and with the caveat that a colleague’s account can itself be compromised, so an unusual request from an internal address still deserves a phone call. And if employees don’t check personal email at work, they are less likely to open a personally targeted phishing email on a work computer.
4) Teach and Model Courteous Skepticism
The biggest problem with social-engineering attacks is that attackers exploit the professional courtesy we all rely on to get through a work day. They pretend to be coworkers, bosses or even customers to make their targets cooperate with the scam. The key is to maintain something called courteous skepticism. In other words, your team needs to be prepared to politely ask for details while keeping in mind that they could be interacting with someone who genuinely needs help or with someone trying to fool them. The more details they ask for, and the more they verify through a channel they already trust (calling a known number back rather than the one the caller supplied), the harder it is for liars and hackers to succeed. And any genuine customer or contact should simply feel that their issue is being handled thoroughly.
5) Train Customer Service to Enact ‘Disengage Points’
For customer-service employees, make sure your team knows when they are allowed to ‘disengage’ from a caller who has become difficult. There are known cases of attackers using the phone or live-chat support to pressure a customer-service associate into clicking an infected link or downloading a malware file. If the rep follows the rules and refuses to click the link (or redirects the ‘customer’ to the document manager instead) and the caller makes a scene or gets pushy, let your team know they can escalate to a manager or disengage the moment an encounter turns phishy. Pressure and urgency are themselves warning signs: a genuine customer rarely needs you to open a file right now.
6) Blacklist Known Phishing Sources (IP, Domain, Phone)
There are many known IP addresses, domain names and phone numbers already associated with attackers, and any direct experience your business has with them will only add to that list. Use these known black-hat source lists to blacklist every known source of phishing, hacking, spam mail, malware attacks and dangerous websites. Network and mail security controls do, in fact, allow a business to block known harmful websites, reject email from suspicious sources, and block calls from numbers used by known vishers or spam callers. Use this ability to reduce the possible avenues of risk. Bear in mind that blocklists are reactive: attackers register fresh domains and rotate numbers constantly, so a blocklist trims the noise but never catches the first message from a new source, which is why the other tips still matter.
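As an added illustration of the checks described under tips 1 and 6 (example code written for this page, not a product’s code and not part of the original article), the following Python script triages a raw email the way a scam-detection filter would: it compares the sender’s domain against trusted domains after folding common look-alike tricks (digit-for-letter swaps, ‘rn’ for ‘m’, Cyrillic letters that resemble Latin ones), checks whether a display name belongs to a known contact while the address does not, consults a small blocklist of domains and connecting IPs, and lists every link and attachment so they can be flagged. The contact list, blocklist, sample messages and IP addresses are all constructed for the demo.

```python
"""Email triage that flags look-alike senders, display-name spoofing,
blocklisted sources and any links or attachments.

Added example for this article; the trusted contacts, blocklist and
sample messages below are constructed test data, not real records.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr
from typing import Optional, Tuple

# Constructed data (assumptions for the demo).
TRUSTED_CONTACTS = {
    "Jane Smith": "jane.smith@example.com",
    "Acme Billing": "billing@acme-supplies.example",
}
TRUSTED_DOMAINS = {a.rpartition("@")[2] for a in TRUSTED_CONTACTS.values()}
BLOCKED_DOMAINS = {"evil-sender.test"}   # tip 6 list, fed by reports (tip 7)
BLOCKED_IPS = {"203.0.113.45"}

# Single-character substitutions attackers use to imitate a domain:
# digits that resemble letters and Cyrillic letters that look Latin.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def normalize_domain(domain: str) -> str:
    """Fold look-alike spellings to a canonical form for comparison."""
    d = domain.strip().rstrip(".").lower()
    d = d.replace("rn", "m").replace("vv", "w")   # multi-letter look-alikes
    return d.translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is
    either a trusted domain itself or not close to any of them."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    nd = normalize_domain(d)
    for trusted in TRUSTED_DOMAINS:
        if nd == normalize_domain(trusted) or levenshtein(nd, trusted) <= 2:
            return trusted
    return None


def is_blocked_domain(domain: str) -> bool:
    """True if the domain or any parent domain (not the bare TLD) is listed."""
    parts = domain.lower().split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts) - 1))


def triage(raw: str, sender_ip: str) -> list:
    """Return a list of warning strings for one message; empty means clean.
    `sender_ip` is the connecting client's address as seen by our own MTA
    (Received headers from other hops can be forged, so they are not parsed)."""
    msg = message_from_string(raw, policy=default)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]

    if sender_ip in BLOCKED_IPS:
        warnings.append(f"blocked ip {sender_ip}")
    if domain and is_blocked_domain(domain):
        warnings.append(f"blocked domain {domain}")
    known = TRUSTED_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        warnings.append(f"display name '{name}' belongs to {known}, not {addr}")
    target = lookalike_of(domain) if domain else None
    if target:
        warnings.append(f"domain {domain} looks like trusted {target}")

    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            warnings.append(f"attachment {part.get_filename()}")
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            warnings.extend(f"link {u}" for u in URL_RE.findall(text))
    return warnings


def build_message(from_hdr: str, body: str, attachment: Optional[Tuple[str, bytes]] = None) -> str:
    """Assemble a constructed sample message as raw RFC 5322 text."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "staff@example.com"
    m["Subject"] = "Account notice"
    m.set_content(body)
    if attachment:
        fname, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_string()


# Constructed samples: a look-alike phish ("rn" for "m") and a clean internal note.
PHISH_RAW = build_message(
    '"Jane Smith" <jane.smith@exarnple.com>',
    "Password expiring. Reset it at http://exarnple.com/reset today.",
    ("invoice.zip", b"PK\x03\x04 not really a zip"),
)
LEGIT_RAW = build_message('"Jane Smith" <jane.smith@example.com>', "See you at the 3pm sync.")

if __name__ == "__main__":
    for label, raw, ip in (("phish", PHISH_RAW, "203.0.113.45"), ("legit", LEGIT_RAW, "198.51.100.7")):
        print(label, triage(raw, ip) or "clean")
```

Run stand-alone it prints the warnings for the constructed phish (blocked IP, display-name mismatch, look-alike domain, attachment, link) and “clean” for the legitimate note. The early return in lookalike_of matters: without it, a genuine domain containing ‘rn’ would be normalized away from itself and flagged as its own impostor, which is the kind of false positive that teaches staff to ignore banners.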
7) An Approved Method to Report Suspicious Emails, Chats, or Calls
Your team also needs an approved, low-friction channel for reporting anything they spot as suspicious, such as a ‘report phishing’ button in the mail client or a dedicated mailbox. Ideally the method motivates employees to report and ultimately rewards them for identifying infection risks rather than clicking on them. Offer a bounty for real phishing emails, or build a web portal that plays a satisfying hacker-defeat animation when a report is made. And, of course, use the reported message data to investigate, strengthen your defenses, and add another resident to your blacklist.
8) Provide Micro-Learning Training and Refresher Courses
Microlearning was designed to help employees overcome the forgetting curve by breaking lessons into bite-sized interactive chunks. These can be used in sequence to build a more engaging complete lesson, as just-in-time learning where employees look up what they need to know in the moment, and as refresher courses that reinvigorate the knowledge and skills already learned in a class to keep them fresh and useful.
Microlearning fits cybersecurity particularly well, because the topic combines unfamiliar ‘high-tech’ content with many small but important procedural details that are easy to forget; short, repeated refreshers keep those details current in a way a single annual class cannot.
Training your team to be vigilant about social-engineering attacks like phishing is where most businesses start. With these tips you can not only prepare your team to stand guard against attackers but also help them stay vigilant, with software supports, reminders and protocols they can use every day on the job. For more cybersecurity insights, contact us today!