Reducing Your Exposure to Cyber Attacks

  • Author | Halie Gallik
  • 8/2/2021 2:00 pm

Your employees can be an asset or a weakness in your cyber security program. Cyber criminals often pose as a trusted co-worker, individual or organization in order to trick your employees into clicking on malicious links or giving away protected information, a practice known as phishing.

According to KnowBe4, a cyber security training vendor, 91% of successful data breaches start with a phishing attack directed at employees. As you review your organization’s cyber security plan, it's important to incorporate ongoing training for your employees. There are many readily available tools to train employees and to run simulated phishing tests that identify which employees may need additional training.

“We utilize a product called Sophos Phish Threat to teach our employees to be cautious when they get emails from unknown sources,” said Kevin Whalen, operations director and risk manager for First Tennessee Human Resource Agency. “An email may look like it could be from our human resources department, but on closer inspection, our staff should know not to click on the link. If our employees do click on the phishing link, they are automatically taken to a web training program, which they are required to complete, as well as pass a test.”

Free resources are available through the Cybersecurity & Infrastructure Security Agency (CISA), including vulnerability scanning, web application scanning, phishing campaign assessment and remote penetration testing. Local governments and public sector critical infrastructure organizations are eligible to use these services, which are designed to reduce and mitigate the potential impact of cyber attacks. To learn more about the services offered through CISA, visit their website. CISA has also launched a STOP Ransomware campaign that includes guidance and resources; to learn more, visit the Stop Ransomware | CISA page.

“Our IT department began cyber security awareness training and phishing tests several years ago as a way to increase our internal awareness of cyber events,” said Embry Nichols, PE Partners’ vice president of underwriting and internal services. “Unfortunately, you are only as safe as those employees who are likely to click on a link. It takes active planning and training to prepare for a potential cyber event or ransomware attack, which will inevitably happen to your organization. In addition to employee training, solid data backups that are tested regularly, regular software patching, and transitioning away from outdated operating systems or software that is no longer supported are all key elements for ensuring your organization can continue to serve citizens if you are impacted by a cyber event.”