5 Non-Technical Tips to Protect Employees from Cyberattacks


Business leaders voted cyber threats the number one risk to organizations in 2023. So how can organizations avoid or reduce cyber risk? Most will suggest additional investments in security technology and staff, plus closer monitoring of the environment. But what if someone told you that most security breaches aren’t due to under-investment in security controls or a lack of expertise or monitoring, but rather to non-technical factors such as human behavior and habits? That’s right. Human error is responsible for more than 90% of all breaches.

Role of Human Error in Cyber Incidents

By design, humans are prone to errors and mistakes. We trust easily, we are overconfident, and we are prone to biases, impulsivity, and negligence. We like to cut corners and can be susceptible to manipulation. From a cybersecurity perspective, human error takes many forms: opening email attachments or clicking on hyperlinks without due caution; responding to social media messages from unknown people; reusing the same password across accounts; not turning on multifactor authentication; not alerting security teams when a potential threat looms; not following security protocols issued by the business; not updating software; misconfiguring systems; leaving backdoors open while coding — the list goes on and on.

Cybercriminals take the path of least resistance when looking to break into organizations. They are keenly aware that it’s much easier to bait an employee and trick them into clicking or downloading something malicious than it is to defeat security defenses head-on. This is why stolen credentials, phishing, and unpatched vulnerabilities are the top three methods cybercriminals use to gain initial access to an organization. Once cybercriminals get their foot in the door, they steal information, install malware, or lie dormant, waiting for the right opportunity to strike.

Non-technical Tips to Boost Employee Defenses

Only a few things can mitigate human error: reducing the sources of error, education, training, and practice. The more knowledge users possess, the less likely they are to make mistakes. From a technical view, organizations can reduce risk by deploying AI (artificial intelligence) to automate repetitive tasks and lessen the frequency and sources of human error. Similarly, to increase knowledge and reinforce positive behaviors, businesses can use phishing simulation exercises to train users to identify and report suspicious links, activities, and communications.

Humans aren’t machines. Organizations cannot rely solely on technical controls to reduce human error. Organizations must work on social, cultural and behavioral aspects so that employees view cybersecurity in a positive light and consider it their moral duty to act responsibly and prevent incidents. Listed below are five non-technical tips that can help organizations win the attention and cooperation of their staff:

1. Provide Timely Alerts To Employees

Threat actors are opportunistic and known to take advantage of human traits like curiosity, greed, and impatience. Scammers often spring into action during global events such as the pandemic, geo-political conflicts, tech layoffs, and more.

During the holiday season, tax season, school vacation week, shopping season, etc., it’s common for phishing attacks to skyrocket. During such times of heightened risk, organizations should remind employees to be vigilant and exercise caution when transacting or interacting online.

2. Reinforce Using Real-Life Examples

When a well-known company is a victim of a cyber-attack, it is important to emphasize and cite examples of how employee action or inaction helped to aid or mitigate the attack. For example, Samsung and Amazon banned employees from using ChatGPT, after discovering how the generative AI uses prompts (inputs) to train its models, which can lead to sensitive data or proprietary information being leaked or exposed. Using such relevant examples in training can spark employee interest and boost retention of training concepts.

3. Make It Personal

Don’t just discuss the implications of human error for organizations; talk about how cyber-attacks and breaches can affect employees themselves. If attackers get hold of an employee’s personal and financial information, the damage is personal, not just organizational.

Additionally, ransomware actors often resort to double and triple extortion attacks where they try to target customers, employees, or their families. Explaining such situations can serve as a powerful incentive to make staff members aware of the connection between their own efforts and their personal safety.

4. Gamify It

Find ways to make training and education more fun and engaging. For example, make simulated phishing campaigns competitive — the first five people who report a phishing email win a prize. Organize contests and offer rewards like free parking, coffee coupons, movie tickets and the like to motivate employees and engage them.

5. Leverage Culture Carriers

Culture is what shapes behaviors across the entire organization. Leaders are natural culture ambassadors because they hold the power of influence. Ensure that the leadership team plays an active role in endorsing and promoting security programs and policies.

Apart from leaders, identify people who are trusted amongst teams and function as a force multiplier, helping messages and behavior to go viral. Such influencers not only affect behavior norms, but they can help gauge the pulse of the organization — bringing up stories, ideas, and issues that might otherwise not be apparent to leadership.

Wrapping Up

Remember, the above tips aren’t a one-time exercise. Organizations must consistently communicate, train, and remind employees that security should always be top of mind. Just as marketers promote products innovatively, organizations must also find innovative ways to reinforce the security message, so that employees come to value and internalize a positive culture of cybersecurity.