Don’t Sue Your Employees. Train Them
By Jeremy Louise | April 8th, 2019
As someone who handles a lot of IT and cyber security-related issues for small businesses every day, I spend a lot of my time on the phone talking to clients about the latest attacks. It happened again just the other day – one of my long-term clients called me up to discuss a story he’d read that was giving him concern.
The story was the case of Patricia Reilly, who was working for the UK’s Peebles Media Group. Not only did Mrs. Reilly ignore a number of very clear warnings about con artists tricking employees, but she fell into a trap she should have seen coming a mile away. She ticked a check box on a web form acknowledging that she understood the risk she was about to take. She handed over about $250,000 of her employer’s money to an online attacker, and now she’s being sued for damages.
Lawyers indicated that not only did Mrs. Reilly act negligently by falling for such a scam, but she was never authorized to make payments on behalf of her company in the first place. She was considered “the office gossip” and was privy to next to no sensitive information. And yet, $250,000 in damages later, she’s now involved in a bitter lawsuit that is making business owners all over the world nervous.
Setting aside the fact that the owner of the company was more or less oblivious to her ability to access bank accounts to begin with (which is really something that should have been addressed earlier by all parties), it’s easy to see why this is such a big deal.
My client wanted to know more about why this happened and what he needed to do to make sure it didn’t happen to him. Today, I’d like to tell you exactly what I told him:
In this article, I’ll be discussing the need for employee training, the sophisticated threat landscape we all collectively face, and what steps you can take to make sure you don’t have a Patricia Reilly working for your business.
How on Earth Does This Happen?
The major reason why situations like those outlined above occur can largely be boiled down to a single word: inaction.
When a company doesn’t train its employees on the latest cyber threats and sophisticated types of attacks, how can it expect them to know how to avoid one? They’re not mind readers. They’re human beings like the rest of us, and human beings are known for making mistakes.
If the owner of Patricia Reilly’s company had documented policies in place that were reviewed on a regular basis, and had invested in awareness training to bring people up to speed on the latest threats, there is an excellent chance that none of this would have happened.
If you don’t properly vet your employees, how can you be certain that you’re not exposing yourself to one of the 75% of insider cyber attacks that involve malicious intent? That’s easy – you can’t be.
If you don’t have any types of proactive systems like log monitors and auditors to track anomalous behaviors, how do you spot when someone is engaged in digital activity that is outside their role or the purview of their position?
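One concrete form that kind of monitoring can take is a check that compares each audited action against the role the user actually holds, which is exactly the gap the Reilly case exposed (an employee who was never authorized to make payments, making them). The following is an added example, not code from the original article or from TSI; the JSON-lines log format, the role table, the user names and the review threshold are all constructed for illustration.

```python
"""Role-based anomaly check over an application audit log.

Added illustration: the log format, role table, user names and the
payment threshold are constructed for this example, not taken from any
real product or from the Peebles case.
"""
import json
from datetime import datetime

# Constructed role table: which actions each role is permitted to perform.
ROLE_PERMISSIONS = {
    "office_admin": {"calendar.edit", "contacts.view", "invoice.view"},
    "finance":      {"invoice.view", "invoice.approve", "payment.create"},
    "owner":        {"invoice.view", "invoice.approve", "payment.create", "user.grant"},
}

# Constructed user directory: who holds which role.
USER_ROLES = {
    "preilly": "office_admin",
    "jsmith":  "finance",
    "owner":   "owner",
}

# Constructed audit log in JSON-lines form (one event per line).
SAMPLE_LOG = """\
{"ts": "2019-04-01T09:02:11", "user": "preilly", "action": "contacts.view", "amount": 0}
{"ts": "2019-04-01T09:15:40", "user": "jsmith", "action": "invoice.approve", "amount": 1200}
{"ts": "2019-04-01T10:03:02", "user": "preilly", "action": "payment.create", "amount": 48000}
{"ts": "2019-04-01T10:05:19", "user": "preilly", "action": "payment.create", "amount": 52000}
{"ts": "2019-04-01T11:40:07", "user": "jsmith", "action": "payment.create", "amount": 300}
{"ts": "2019-04-01T12:12:55", "user": "ghost", "action": "invoice.view", "amount": 0}
"""

PAYMENT_REVIEW_THRESHOLD = 10000  # constructed: single payments above this need a second pair of eyes


def parse_log(text):
    """Parse JSON-lines audit events. Malformed lines are reported by line number,
    never dropped silently, because a gap in the audit trail is itself a finding."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad.append(lineno)
    return events, bad


def find_anomalies(events, user_roles=USER_ROLES, perms=ROLE_PERMISSIONS,
                   threshold=PAYMENT_REVIEW_THRESHOLD):
    """Return findings: actions outside the user's role, unknown users, large payments."""
    findings = []
    for ev in events:
        role = user_roles.get(ev["user"])
        if role is None:
            # An account that is not in the directory should never appear in the log.
            findings.append({"kind": "unknown_user", "user": ev["user"], "action": ev["action"]})
            continue
        if ev["action"] not in perms.get(role, set()):
            findings.append({"kind": "outside_role", "user": ev["user"],
                             "role": role, "action": ev["action"]})
        if ev["action"] == "payment.create" and ev.get("amount", 0) > threshold:
            findings.append({"kind": "large_payment", "user": ev["user"], "amount": ev["amount"]})
    return findings


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    if bad:
        print("unparseable log lines:", bad)
    for finding in find_anomalies(evs):
        print(finding)
```

Run against the constructed log, the check flags both of the office administrator's payments twice (outside her role, and above the review threshold) and the unknown "ghost" account once, while the finance user's small payment passes. The point is that the role table has to exist and be kept current for the check to mean anything, which is the policy-review work the article describes.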
Ultimately, cases like those referenced above are symptomatic of a poor management structure that allowed these types of catastrophes to happen in the first place. Yes, cyber security is complicated and digital criminals are getting savvier all the time. But in the end, it really isn’t much more complicated than that.
How Phishing is Evolving
One of the reasons why employee training is so critical has to do with how quickly these types of attacks are evolving. Even if you limited the discussion purely to phishing scams, you’re still dealing with a cyber monster that sprouts three new heads for every one that you manage to cut off:
- Spear phishing, which is an attack designed to gather and use personal information typically geared towards one or only a few individuals at your company.
- Whaling, which is a similar type of attack that is targeted directly at senior executives and other high profile people.
- Vishing, or voice phishing, which is when the attack uses a telephone call pretending to be from someone you know to gain access to sensitive data.
- Search engine phishing, which allows hackers to get illegitimate websites to rank highly on engines like Google so you essentially “come across it” on your own.
- Email spoofing. The best example of this is an email designed to look like one from your bank that really comes from a rogue actor. You log into your bank account thinking nothing is wrong, and suddenly a hacker has your username and password.
- Snowshoeing, or hit-and-run phishing, which is small-batch spam, less targeted than spear phishing, designed to stay under the threshold that trips cloud-based email spam filters.
- Business email compromise, or BEC, which is when hackers lean heavily on social engineering tactics to trick unsuspecting people into handing over critical data. The most famous example of this is the “Nigerian Prince” email scam.
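The spoofing entry above describes a message that looks like it comes from your bank but does not. Three of the clues a trained employee (or a mail filter) looks for can be checked mechanically from the headers: a display name that invokes a trusted brand while the address is elsewhere, a sender domain that is one character away from the real one, and a Reply-To that sends answers somewhere other than the sender. The following is an added example, not code from the original article or from TSI; the two sample messages, the trusted-domain list and the brand-name heuristic are constructed for illustration.

```python
"""Header checks for the spoofed-bank-email pattern.

Added illustration; the sample messages, the trusted-domain list and the
brand-name heuristic are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this company genuinely corresponds with.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample messages (headers only matter here).
SPOOFED = """\
From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: recover@mailbox-drop.example
Subject: Verify your account

Please log in to confirm your details.
"""

LEGITIMATE = """\
From: Example Bank <alerts@example-bank.com>
Subject: Your statement is ready

Your monthly statement is available in online banking.
"""


def _domain(header_value):
    """Lower-case domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # extra character in a
        elif len(b) > len(a):
            j += 1          # extra character in b
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # any unmatched trailing character
    return edits <= 1


def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable spoofing indicators found in the headers."""
    msg = message_from_string(raw)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))

    for t in trusted:
        # Heuristic: the brand is the registrable label, hyphens read as spaces.
        brand = t.split(".")[0].replace("-", " ")
        if brand in display_name.lower().replace("-", " ") and from_dom != t:
            findings.append(f"display name mentions {brand!r} but sender domain is {from_dom!r}")
        if from_dom != t and _within_one_edit(from_dom, t):
            findings.append(f"sender domain {from_dom!r} is a near-match of trusted {t!r}")

    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from sender domain {from_dom!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, "->", check_message(raw) or ["no indicators"])
```

The constructed spoofed message trips all three checks; the legitimate one trips none. These header heuristics are a training aid and a first-pass filter, not a substitute for the SPF, DKIM and DMARC checks your mail platform should already be enforcing.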
So How Are You Supposed to Avoid This?
Thankfully, the answer to that question is a simple one – it begins and ends with employee training. Don’t just distribute a pamphlet letting employees know that attacks are on the rise. They’re probably not going to read it. Invest in education and really let them know what they should be aware of. Show them screenshot examples of what to look for, and the sometimes subtle differences that separate a phishing email from something legitimate.
Likewise, you need to do this A) whenever you bring on a new employee, and B) at least a few times a year as new threats emerge. Make no mistake: this CANNOT be something you “do once and forget about.” This is something you have to actively work on moving forward.
During this time, you should also review all documented policies pertaining to device access and similar issues – if you’ve developed them, of course, which you should have. This, in conjunction with awareness training, is a core part of what needs to be done to educate employees and minimize these types of events as much as possible.
But then again, even the owner of the company that Patricia Reilly worked for would probably tell you that the extra effort is very much worth it.
What Have We Learned?
Avoiding ever becoming the target of a cyber attack is not the goal here. You will be, period – that’s not something you can control. What you’re trying to do is make sure you don’t wind up becoming the victim of an attack, and you do this by getting your employees trained.
In addition to the legal reasons for this that the case above illustrates, there are practical reasons, too. You’re arming people with the knowledge they need to protect themselves instead of letting them assume your antivirus software will take care of it.
Overall, make security and personnel evaluations routine and accountable to all. If in doubt, implement the right types of security tools to help close up any gaps you’ve identified before they’re exploited.
If you’re still concerned about these types of cyber security-related issues and think that you can use a bit of additional assistance, great – we might be able to help.
It’s Your Move!
At this point, I would recommend that you contact either me or one of my colleagues at TSI so we can make sure we’re the best fit to handle these and other cyber security needs from here on out.