Tools and Techniques to Engage Employees in Cybersecurity

November 2, 2021

As we close the books on another Cybersecurity Awareness Month, it’s clear that cybersecurity should be a priority all twelve months—not just one. To do so, security teams should emphasize practical tools (the what) and techniques (the how) to keep the company and employees safe.

Many of these also have a downstream personal impact for employees, which enforces good behaviors that reduce risk in the workplace. Combined, they can provide the information necessary to keep organizations safe from ever-evolving threats.

The What: Practical Tools for Cybersecurity

Multi-factor authentication (MFA) is probably one of the best deterrents for account takeover, particularly when it comes to email and social media accounts. Enable MFA on everything, and require it when you can. If an account is accessible from the Internet and does not support MFA, it's best to assume compromise at some point. Furthermore, encourage employees not to rely on SMS (text) as a form of authentication if the MFA service will support an authenticator app like Google Authenticator or Duo. As engineering teams have become more aware of the need for security, nearly all popular social media sites, banking apps, and e-commerce sites support multi-factor authentication. Make sure to use it!

In addition to MFA, using long, random, and unique passwords on each individual website is a great way to protect against password spray attacks. Remembering all of those passwords would be a nightmare, (imagine trying to remember 50+ passwords full of random 20 digits) so using a password manager is another way to raise the bar on cybersecurity. Most password managers like 1Password or LastPass will check your passwords against a database of known password breaches to further reduce the risk of it being used by an attacker. Password managers are inexpensive to use personally and easily integrate with smartphones and web browsers to expand their coverage, wherever you log on to websites.

While these two tools alone will significantly reduce risk for organizations and employees alike, security professionals should consider advanced controls to stop the sophisticated attacks that MFA and strong passwords simply can't always thwart.

For email specifically, we recommend that all organizations employ security awareness training and encourage the use of a phish button. This will help employees understand the problem and report anything that may bypass native security controls or the secure email gateway. In addition, the Abnormal Security platform can be added to stop socially-engineered attacks that rarely contain traditional indicators of compromise and are thus harder to detect. When combined with the tools and platforms listed here, you can be confident that your employees are protected against account takeovers and other advanced attacks.

The How: Techniques to Keep Cybersecurity Top of Mind

Along with tools, several techniques will bolster awareness and create a cyber-savvy culture long after October is over. Continuing with bite-sized and frequent awareness messages throughout the year will reinforce the core concepts covered during Cybersecurity Awareness Month, and keep employees aware of changing threats. Targeting times throughout the year when attackers tend to prey on target, especially during the holidays, tax time, or when disasters strike, keeps employees on the lookout for new attacks and unique social engineering attempts.

Unfortunately, most organizations simply don’t have the luxury of hiring an army of cybersecurity professionals, so it’s important to spread this initiative across various teams. Leveraging advocates and "Security Ambassadors" within the business effectively maintains a continuous focus on cybersecurity and provides unique voices so the message is not always coming from the same security leaders. Employees tend to listen to peers and other co-workers within their function, so security advocates can be a force multiplier and drive home the reality that effective cybersecurity is a team sport.

Finally, encourage employees to report things that seem abnormal. Whether using a phishing button or contacting someone on the security team, the time to respond is always a critical component. The faster the security team can investigate and respond to a security event, the more opportunity the company has to reduce the potential impact. Companies also need to ensure that employees feel safe reporting incidents when they happen—especially if it may be due to human error. If someone clicked on a link or responded to a fake invoice, the last thing an organization should want is for the employee to hide their actions for fear of negative repercussions.

That doesn't mean there aren't sometimes consequences that arise from bad choices, but if a company doesn't promote transparency and openness regarding security events, employees will avoid reporting events. Their inaction will only increase the impact these events may cause, so maintaining open communication is vital to securing the organization.

Securing Your Organization All Year

The tools and techniques presented here are only the beginning of what is available to you to help protect your company and your employees from cyber attacks. And like I mentioned at the start of the month, proving new and exciting ways to get employees involved in their own security can make the difference in how much they remember—and how safe your organization is.

What other tips do you have to ensure cybersecurity stays important all year? Let me know on LinkedIn!

Interested in seeing how Abnormal can help protect your employees, before they need to use the phishing button? Schedule a demo now.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

0
Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More