By Lynne Curry
Question:
Four of our staffers fell for a cyber attack last week. They opened an email attachment they thought originated from our HR department, which regularly emails policy updates to all staff. This email had the subject line: Changes to Vacation Policies.
Even though we’ve trained our staff members not to click on suspicious emails, and certainly not ones with attachments, this one fooled them. We didn’t realize the breach until one staffer called HR with a question related to the new policies. HR immediately contacted IT, but it was already too late. We lost sensitive staff, customer and company information.
We’ve since upgraded our anti-phishing software. We’ve contacted our customers, letting them know the measures we’ve put in place to protect them, and outlined the precautions we’ve taken so this never happens again. We held another mandatory all-hands cyber-security training. What else can we do to fix the “human factor”? All it takes is one curious staffer clicking on the wrong attachment to cost us thousands of dollars.
Answer:
You’ve correctly targeted the area of your company’s greatest vulnerability, and getting your plan together is urgent. In 2023, the FBI’s Internet Crime Complaint Center reported a stunning surge in cybercrime incidents. The 880,418 complaints the FBI registered in 2023 cost employers over $12.5 billion, a 22% increase in losses compared to 2022.
As most employers use increasingly effective technical security controls to protect their networks against hacking, cybercriminals have turned their focus to employees. Two-thirds (68%) of all data breaches involve “nonmalicious” human actions. With the increasing sophistication of cybercriminals targeting workplaces, employers need to provide employees with training that enables them to recognize and avoid the mistakes that could compromise their company’s network.
Unfortunately, research shows employees forget an average of 90 percent of what they learn from lecture-oriented training within the first week. Although effective trainers combat this problem by using a hands-on approach, employees need regularly updated, clearly written protocols they can keep at their desks.
In addition to the guidelines security experts commonly offer employees such as don’t open attachments coming from outside the company and evaluate domain names for misspellings, training needs to address emotional factors. Your company fell victim to one of these—subject lines such as “vacation policies” touch an emotional nerve that leads employees to drop their guard. Another common problem is the employees’ “but I want it and it won’t create a problem” delusion, which leads employees to open an appealing site or app even when some part of their brain knows they’re taking a risk.
The answer? Provide staffers with an individual or source that offers them help if they have a cybersecurity concern, receive a suspicious email, or are about to make a mistake. Some employers now use real-time artificial intelligence coaching tools to deliver immediate responses to staff cybersecurity issues.
These AI tools can collect and analyze data about an employer’s areas of vulnerability and catch staffers engaging in risky behavior. One tool, KnowBe4, intervenes when a staff member visits a malicious website or clicks on links in a suspicious email or text.
When a risky staff behavior occurs, an alert is generated and analyzed. The tool then sends real-time security tips to the staffer through email or other company channels. The message might say, “This is a security risk” and provide guidance for handling the situation.
Employers also need to get their arms around the explosive growth of “shadow IT” in their companies—employees’ unauthorized use of apps or tools such as ChatGPT. As I noted in a recent article, 78 percent of AI users bring their own AI tools to work (BYOAI). The shadow AI tools employees bring in, and their accompanying plug-ins, often lack needed security controls and elevate the risk that staffers might leak sensitive company data.
In short, you’re on the right track in knowing you need to tackle the human factor.
Lynne Curry, PhD, SPHR, SHRM-SCP, authored “Navigating Conflict” (Business Experts Press, 2022); “Managing for Accountability” (BEP, 2021); “Beating the Workplace Bully” (AMACOM, 2016); and “Solutions 911/411.” Curry founded www.workplacecoachblog.com, which offers more than 700 articles on topics such as leadership, HR, and professional development, and “Real-life Writing,” https://bit.ly/45lNbVo. Curry has qualified in court as an expert witness in Management Best Practices, HR, and Workplace issues. You can reach her at https://workplacecoachblog.com/ask-a-coach/ or, for a glimpse at her novels, short stories and thought-provoking essays, lynnecurryauthor.com. © 2024