Most security awareness training is focused around teaching people to look for and respond to indicators of malicious behavior, such as phishing emails, or to explain why the IT department needs to put certain rules in place, such as “reading company email on your personal phone is forbidden”.
Unfortunately, the fact that people receive training like this, has not made the work of hackers much more difficult. Obviously, detecting cyber-attacks will be necessary, but when the cyber-attacks look exactly like work, it is really hard to distinguish from normal communications. If you are used to receiving 5 emails per day with attachments for you to read, the probability of opening a malicious file attached to an email is much higher than if this would be a highly unusual occurrence. Let’s see how we can change work habits to make them look less like the typical cyber-attack!
Use cloud sharing instead of email attachments
Many companies have cloud computing solutions for working with documents, such as G Suite or Office 365. These platforms have sharing functionality built in. Using this, would make it less likely that receiving emails with document attachments should feel like a natural part of the workflow. If we combine this work practice with training on how to recognize cyber-attacks, we will be less likely to be fooled by the typical phishing emails.
Use internal chat tools instead of email for conversation-style communications
Using a tool like Slack or Microsoft Teams will take away a lot of the internal e-mail volume. This makes managing the e-mail Inbox a less critical work task, and those malicious emails will not so easily blend in with your everyday work.
Clean up the password chaos by using a password manager
Nobody likes passwords, yet each one of us typically has more than 100 passwords to various services. Of course, we can’t remember 100 unique, strong passwords. This is why we should be using a password manager. This is software that will securely store and automatically fill in passwords for you when you need to log in, making it possible to use random passwords like 2naZutzxejOo%WT#$w7!VC!SgyP43mYo on every site. These passwords are not possible to guess, and with unique passwords on every site, one data breach won’t let hackers log into other user accounts using the same password.
Another great benefit of a password manager like this is that it will only fill the password on when you are trying to log in to that specific domain. So, if a hacker has sent you to a fake login page, the password manager will not try to log you in – giving automatic protection against credential theft through phishing.
All of these changes will provide productivity gains – make the job to be done easier to do, while at the same time providing much better security. Teaching people these 3 practices will likely be much more effective in stopping social engineering attacks and malware delivery than any amount of “do-not-click-links” training.