
How your staff can be the first line of defence against cyberattacks

Tony Deslandes
  • Date: 21 October, 2021

Vigilant employees can help to minimise the risk of your organisation falling victim to phishing attacks and other cyber threats, but it requires clear policies and appropriate training to produce tangible results.

Enterprises have undergone enormous change in recent times, with the pandemic creating a fundamental shift in how workers connect to their company networks and use their company-issued devices. All of this creates new and enticing opportunities for the bad guys out there.

From a cybersecurity perspective, spear phishing and messaging-based threats tend to be the primary attack vectors that criminals use. Indeed, research indicates that around 90% of all cyberattacks start with a phishing email!

Traditionally, employees have been seen as the weak link, falling for phishing scams, misdelivering information or displaying poor password hygiene. These same employees can also be viewed as the first and most important line of defence against cyberattacks.

Essentially, you can transform your business’ biggest cybersecurity risk – your employees – into its primary defence against threats by developing a security culture. And at the core of this is effective training.

Properly trained employees know what to look for. When every employee in a company is fully trained and aware of the many ways attackers can infiltrate a company’s systems and data, they’ll be better placed to identify and repel potential hacks. The phrase “forewarned is forearmed” has never been truer.

However, it’s important to recognise that a new approach to cybersecurity awareness training is required. Too often, IT managers do little more than issue a handout with a few guidelines and leave it at that.

That’s simply not enough. Employees need consistent training on how to recognise phishing attempts, and this training needs to be reinforced frequently. Hackers are constantly changing tactics, so keeping your employees aware of trends requires ongoing education.

You should also consider customising your training in order to fit the needs of your firm, and consider any compliance requirements in your particular industry.

And of course, it is important to keep employees motivated, so you might think about rewarding teams or individuals for successfully identifying phishing scams.

In addition to training, it’s also essential to have effective policies in place so that employees clearly understand how to report any suspected security incident and can do so simply and quickly. Encouraging such reporting is vital – for example, the National Cyber Security Centre (NCSC) seeks to do this by using the phrase “if in doubt, call it out”.

By reporting suspicious emails to their cybersecurity teams, vigilant staff can help to minimise the potential risk of a breach. So, reporting should be made as easy as possible and, unsurprisingly, automation is now helping many organisations.

A new report from cybersecurity company F-Secure demonstrates the pivotal role that automation can play. Based on an analysis of emails reported by employees from organisations across the globe during the first half of 2021, the survey found that 33% of emails reported as phishing were indeed either malicious or highly suspect.

Of all the emails reported, the vast majority (99%) were automatically analysed, with the remaining 1% investigated by security professionals.

The upshot is that you can transform your business’ biggest cybersecurity risk – your employees – into its prime defence against threats by developing a security culture that is supported by effective training and seamless reporting processes.

F-Secure Director of Consulting Riaan Naude commented: “You often hear that people are security’s weak link. That’s very cynical and doesn’t consider the benefits of using a company’s workforce as a first line of defence. Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results”.

Tony Deslandes

Senior Portfolio Manager

Tony Deslandes joined Global Knowledge in 2012 and now works as a Solutions Architect and Portfolio Manager across a diverse range of portfolios, including cybersecurity, Best Practice, DevOps and Leadership & Business Skills, working with vendors and accreditation bodies to define the Go To Market Strategy for GK UK. He has a passion for business, technology and training. He also collects watches and is fascinated by time – use yours wisely.
