Employees play a vital role in an organization’s overall security. According to Statistics Canada, the majority of large (91%), medium-sized (83%) and small (72%) businesses in Canada reported having employees primarily responsible for the overall cybersecurity of their business in 2017. To strengthen user security, organizations should supplement employee awareness training with cybersecurity testing. Testing is a great way for organizations to establish a baseline of user behaviour and determine how users respond to potential threats. Without evaluating employees, organizations won’t know where to make changes that improve security. Testing also helps organizations determine the effectiveness of their training.
Source: Statistics Canada
How to Test User Behaviour
Organizations can test employees through various means such as online quizzes on common cyber threats or through simulated phishing. Simulated phishing exposes employees to the latest phishing threats by sending mock phishing campaigns to employee inboxes and tracking who clicks on phishing links.
Our new security product Secure IT – User Defence features both of these elements. With Secure IT – User Defence, organizations can train and test employees, as well as monitor the dark web for stolen credentials. User Defence includes simulated phishing emails that can be customized and online training that includes quizzes to validate retention of content.
Reinforce Best Practices
Social engineering attacks are incredibly dangerous because they rely on user error or lax user behaviour in order to work. Testing can help users adhere to good security practices and help change their behaviour so that they remain more alert against these types of attacks.
Engaging employees with simulated phishing emails allows them to feel real consequences in a safe environment. Simulated phishing attacks give employees an idea of what phishing emails look like and help them spot common signs that indicate a potential phishing attack. Over time, this will help employees develop the habit of carefully inspecting emails before they respond or click on any links.
Improve Security Culture
Testing employees also helps develop an organization’s security culture. It gives organizations an opportunity to openly discuss issues of security and show employees how they play a role in keeping your company safe.
Testing is a good opportunity for organizations to create teachable moments for their employees. If more employees are responding to a specific type of threat, think about why. Is it because the threat appears to be from an executive? Does the word “urgent” in the subject line make them want to click? These are things you can look out for and talk to employees about.
It’s important not to shame or punish employees for failing a test, as it can discourage them from reporting security errors and make security feel like a taboo topic. Testing is about making sure employees stay safe in the office and in their personal lives. It’s not about tricking them into falling for these threats. The purpose of testing is to make them aware of current cyber threats and to empower them to take action when they encounter them.