Help Employees Understand the Importance of Cybersecurity

​SHRM has partnered with Security Management Magazine to bring you relevant articles on key workplace topics and strategies. 

Almost half of all employees have been working from home since the pandemic began, according to a recent Gallup poll. No doubt, that makes the job of protecting the organization's data, networks and apps even more challenging.

As the lines between work and leisure time become increasingly blurred and employees use company-issued devices and resources for personal use—such as social media, online shopping and even telehealth—the potential for cyberattacks is ever present.

Now more than ever, security, human resources and training teams should collaborate to help employees avoid and prevent cyberstalking and attacks when they are accessing email, social media and other apps while using the company's technology resources or their personal devices. While network firewalls are effective at keeping hackers from accessing your organization's data and mail servers, apps used by employees for personal email, social media and video conferencing can leave them vulnerable.

A personal cyberattack on an employee can create a huge burden for the organization—sidelining the individual for hours or days and potentially requiring security and IT support from the employer. What can and should you do to help prevent such a scenario?

Educate Employees About Cyberstalking

As an HR leader, you understand that employees in your organization are looking to you for guidance—especially when their technology usage has likely increased. You can play a critical role in creating a safe digital environment for employees by encouraging the practice of good cyber hygiene because it mitigates the risk of victimization and supports the organization's overall productivity and success.

Cyber hygiene involves three basic principles: using products and tools that fit your hygiene needs, performing these hygienic tasks correctly and establishing a routine. Cyber hygiene is about training the employees of your organization to think proactively about their cybersecurity, reducing cyber threats and online security issues.

Preventing Phishing Attacks

Cyberattacks have skyrocketed globally since March 2020, targeting major corporations, small businesses and the self-employed. A recent McAfee Center for Strategic and International Studies report estimated that since 2018 the, average "cost of global cybercrime reached over $1 trillion."

Security officers report that employees are being targeted by phishing attacks delivered via VoIP calls and emails with subject lines referring to COVID-19 and payroll matters that appear to be sent from inside the organization. Help your employees learn to exercise extreme caution before trusting the content of emails, clicking any links or opening attachments.

Many organizations have instituted an email banner in the body of emails that are sent from outside parties to employees to help workers identify when the sender of an email may not be who they claim to be. Remind your employees that it's important to report phishing attempts. Provide clear, continuous channels for them to do so, such as an incident reporting system or dedicated voice call and text option. Let them know that it helps the organization keep on top of the latest tactics adversaries are using to try to gain access to your systems.

Because every cyberattack will look different, a tailored incident response is required. Key decisions will include whether to take a device, server or system offline once an attack has been detected and determining the remediation needed to rebuild or replace the infected systems. Notifying all users about the incident as quickly as possible can prevent further damage and serve as an opportunity to reinforce the importance of good cyber hygiene.

Privacy Risks and Cyberstalking

Most organizations provide training to ensure that employees understand company security rules and policies, but it's a good idea for human resources to partner with IT security and take administrative steps to help protect employees against cyberstalking. Whether it's directed at them, their devices or your organization, employees should remember to:

• Limit opportunities for eavesdropping—both virtual and voice. If it is necessary to work in a public area, use the organization's VPN or a secure hotspot.
• Be careful about allowing physical access to computers and other Web-enabled devices like smartphones. Cyberstalkers may use software and hardware devices (sometimes attached to the back of the PC without the employee even knowing it) to monitor employees' personal data, or access the organization's data.
• Log out of an application when stepping away from the computer. Set up a screensaver that requires a password for access. This practice should be followed for all company-owned digital devices.
• Use a secure password management tool and training for online account security that includes how to create and update strong, complex passwords. 
• Increase your awareness of scams. Learn best practices about clicking links, downloading files and entering passwords into forms. Periodically ensure that your device is running up to date antivirus software to prevent spyware from being installed via a phishing attack or an infected website. 
• Reboot devices regularly and refrain from leaving computers on for long periods of time. 
• Be cautious of where you leave sensitive information. Work information should not be accessible on personal devices. Written or printed info should not be left open for others to see and should be shredded for proper disposal.
• If cyberstalking or hacking is suspected, keep a copy of any message or online image that could serve as proof. Use the "print screen" or other keyboard functions to save screenshots.

Detecting an Attack

Recognizing when a cyberattack has taken place can be even more challenging for an employee than avoiding one in the first place, but there are a number of tell-tale signs. Organizations should continually educate employees about what to look for if they suspect they have been compromised. Ask employees:

• Are you practicing webcam awareness? An employee needs to be aware that hackers can hijack their webcam by slipping malware onto a laptop, which could give hackers access to files, messages and browsing history. 
• Does the device seem sluggish? Spyware can be very resource-intensive on any device, causing it to run much slower than usual.
• Is the battery deteriorating too quickly? If spyware has been installed on the device, there will be a sudden drop in the performance of the battery that may cause it to run down much more quickly than normal.
• Has data usage increased? Spyware will cause the device to use huge amounts of data to send that information to the hacker.
• What suspicious activity has the employee noticed? Identify strange text messages, emails, phone calls or other interference as signs that something is wrong.
• Has the employee heard clicks, static or echoing noises on his or her device? This may be a signal that someone is interfering with communications and other applications on the device. 

Karen Adams serves as Training Manager with Appriss Insights, where she educates crime victims, service providers, advocates, law enforcement and criminal justice professionals about technology solutions including VINE (Victim Information and Notification Everyday) and other issues related to victim safety.

This article is adapted from Security Management Magazine with permission from ASIS © 2021. All rights reserved.