Companies are spending a lot of resources trying to reduce the security risks posed by their own employees. They spend billions of dollars on training every year, yet major data breaches continue to make headlines, and human error remains the leading cause of breaches. Where is the disconnect?
One major problem is that companies have not adapted their security training as quickly as cybercriminals have evolved their attack methods. Cybercriminals increasingly target specific employees based on factors such as tenure, department, and location to make their scams more credible. To counter these threats, security training must be as tailored and as sophisticated as the attacks it is meant to stop.
Many factors and behaviors affect the risk profile of a particular employee. Here are four of them, and how security training should account for each.
Departments and job functions
Cybercriminals craft convincing scams by tailoring them to an employee's department and role. They comb through platforms such as LinkedIn and company websites to find these details.
Security training should be tailored to the job function and show employees real examples of the scams most likely to target them. For example, the CFO and the finance department are more likely to be targeted by business email compromise (BEC) attacks such as wire fraud, and they should receive training that covers those scenarios.
Human error also varies from department to department. Sales teams, for example, often have access to large amounts of personal data. Train these teams on how to avoid data-loss risks such as forwarding documents or attachments to their personal email accounts.
Personalized training lets companies prioritize employees who have access to sensitive data (such as customer Social Security numbers and financial information) and the departments that are most often targeted. For that prioritization to stay accurate, information about employee roles and access rights should be updated automatically rather than maintained by hand.
Tenure
New employees are a favorite target of attackers, and social media makes them easy to find. Tessian found that 93% of US respondents had announced a new job on social media.
Because new employees are not yet familiar with their colleagues or the company's security protocols, they are often unable to recognize an unusual request. Cybercriminals know this and exploit it: for example, they impersonate a member of the IT team or a customer service representative and ask for login credentials, supposedly to set up software or account permissions.
Security training and policies should address the specific weaknesses of new hires so that they know what to look for. A careful walkthrough of security guidelines and best practices should be built into onboarding as early as possible.
Remote or office work
Security was a major challenge for many companies during the transition to remote work. Now, with the more complex shift to hybrid work, they face new obstacles. Cybercriminals are likely to keep targeting remote employees and to exploit any uncertainty that hybrid workplaces create.
Here, distraction is a major risk factor. More than half (57%) of employees said they feel more distracted when working from home, and 47% of employees cited distraction as the number one reason for falling for a phishing scam. Distracted people make more mistakes, such as clicking a link without checking who sent the email. When colleagues are not in the same location, it is also harder to verify that a request really came from them.
Employees should be trained on the specific security risks that are unique to working at home, in the office, or in a hybrid arrangement.
Risk of human error
Security training usually focuses on threats such as phishing scams designed to deceive employees. But simple human error can also cause a data leak, for example when an employee sends sensitive information to the wrong email recipient. The most effective tools flag this kind of mistake in real time, at the moment the employee is about to make it. People learn best in context, so a nudge in the moment teaches more than a lengthy module every quarter.
Training is an opportunity not only to make employees aware of general security risks, but also to improve their individual behavior over time. Do they download large amounts of sensitive data when they only need a small part of it? Do they have a history of falling for phishing scams? Security reminders should be tailored to past behavior and delivered consistently.
The point is not to humiliate or punish individual employees. The goal is to give them specific, relevant guidance based on their own work habits.
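To make the "flag it in the moment" idea concrete, here is an added example of a heuristic outbound-email check. It is illustration code written for this article, not Tessian's product or any part of its code base, and it uses simple string heuristics where a real product would use a learned model. It covers the three mistakes the article mentions: forwarding material to a personal webmail account (the sales-team example above), sending to a misdirected or lookalike recipient, and sending sensitive content to someone the sender has never emailed before, which is where per-employee history comes in. Every domain, address, sending-history entry, pattern and threshold in the block is constructed for the example.

```python
"""Heuristic real-time check on an outbound email (added example, not Tessian code).

All domains, addresses, history and thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Assumption: the organisation's own domain plus partners it legitimately emails.
KNOWN_DOMAINS = {"example.com", "acme-partner.com", "bigbank.com"}
# Assumption: consumer webmail domains that count as "personal email".
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "icloud.com"}
# Constructed per-sender history: recipients this sender has emailed before.
SEND_HISTORY = {
    "alice@example.com": {"bob@acme-partner.com", "carol@example.com"},
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US Social Security number
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # loose card-number shape
SENSITIVE_EXT = (".xlsx", ".csv", ".pdf")                # bulk-data attachment types


@dataclass
class Finding:
    severity: str   # "warn" (nudge the user) or "block" (require override)
    reason: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain: str, known: set, threshold: float = 0.8):
    """Return a known domain that `domain` closely resembles but does not equal.

    SequenceMatcher.ratio() is a cheap stand-in for a proper typo/homoglyph model;
    0.8 is an assumed threshold and will need tuning on real traffic.
    """
    for candidate in known:
        if domain != candidate and SequenceMatcher(None, domain, candidate).ratio() >= threshold:
            return candidate
    return None


def looks_sensitive(body: str, attachments) -> bool:
    """Crude content check: PII patterns in the body or bulk-data attachments."""
    if SSN_RE.search(body) or CARD_RE.search(body):
        return True
    return any(name.lower().endswith(SENSITIVE_EXT) for name in attachments)


def check_outbound(sender: str, recipients, body: str = "", attachments=()) -> list:
    """Evaluate one outbound message at send time and return a list of Findings.

    An empty list means "let it go"; a "warn" asks the sender to confirm; a "block"
    stops the send unless the sender explicitly overrides (a hypothetical policy).
    """
    findings = []
    sensitive = looks_sensitive(body, attachments)
    history = SEND_HISTORY.get(sender, set())

    for rcpt in recipients:
        dom = domain_of(rcpt)

        # 1. Personal webmail: always nudge, block if the content looks sensitive.
        if dom in PERSONAL_WEBMAIL:
            findings.append(Finding("block" if sensitive else "warn",
                                    f"{rcpt}: personal webmail domain"))
            continue

        # 2. Lookalike of a domain we really work with: likely misdirection or spoof.
        target = lookalike_of(dom, KNOWN_DOMAINS)
        if target:
            findings.append(Finding("block",
                                    f"{rcpt}: domain looks like {target} (possible misdirection)"))
            continue

        # 3. Sensitive content to someone this sender has never emailed before.
        if sensitive and rcpt not in history:
            findings.append(Finding("warn",
                                    f"{rcpt}: first-time recipient of sensitive content"))

    return findings


if __name__ == "__main__":
    demo = check_outbound("alice@example.com",
                          ["bob@acme-partnre.com", "me@gmail.com"],
                          body="Payroll export attached", attachments=["payroll.xlsx"])
    for f in demo:
        print(f.severity.upper(), f.reason)
```

The check runs once per message at send time, which is what makes it a teaching moment rather than an after-the-fact report: the employee sees why the message was held and can correct it before anything leaves the organization. The per-sender history is the hook for tailoring to past behavior, and a real deployment would record overrides so that repeated warnings for the same person feed back into their training.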
Better for employees, better for the organization
Tailored training is a win-win for the organization and its employees. Employees spend their time only on the information most relevant to them, instead of sitting through long, tedious courses that disrupt their work. The training becomes more engaging and more memorable. At the same time, the organization saves resources by making training more effective and efficient. The ultimate goal is a broader security culture, so that the organization as a whole is better protected.
Cybercriminals keep refining their techniques for deceiving employees, and as companies go through digital transformation, employees handle more and more data. Security technology should likewise keep incorporating new methods and techniques. By analyzing each employee's unique risk factors and personalizing and automating security training, security leaders can protect employees without interrupting their work.
Tim is the CEO and co-founder of Tessian, a human layer security company. After working in investment banking, Tim and his co-founders founded Tessian in 2013 to build a cybersecurity solution that uses machine learning to protect people from email risks…