What’s on your shirt? Made you look! Can’t believe you fell for that—it’s the oldest trick in the book! Oh well, people can be gullible sometimes, and not realize someone’s true intention right away. (Has someone ever pulled a prank on you, and your response was, “Hey! I thought we were friends!”) Fooled again.
Okay, so where am I going with this?
Allow me a moment to paint the scene. The Minnesota Department of Human Services recently experienced a data breach in which over 3,000 people’s personal information was exposed to hackers. Why did this happen? Was it a failure in cybersecurity technology? Was their firewall too weak? Did their antivirus software fail them? Actually, no, no, and no. The real cause: one of their employees fell for a phishing email.
That’s right: it wasn’t some ultra-intelligent hacker who bypassed all their cybersecurity measures. The only thing this hacker did to initiate this data breach was send an enticing email to an employee, who followed a very dangerous link that masqueraded as something seemingly harmless.
We’re seeing this time and time again in news stories: most often, the biggest threat to a business’s security is its own employees. Humans can be very trusting, and when they read an email claiming that they’ve randomly been awarded $100 on Amazon, the temptation to click that link to redeem their prize is strong. It’s just a link, right? You can just close out of that webpage if it’s spam, right? Nope! That’s very wrong, actually! (Remember the data breach in the City of Akron earlier this year? Also because of a phishing email!)
Say you own an apartment complex in which every unit has state-of-the-art security measures. There are cameras everywhere, unbreakable doors, reinforced windows, and three different key code locks. Yet you still have to entrust your tenants with the key code to their unit. If your tenant shares that information with someone else, willingly or not, then that person can now stroll right into their apartment and vandalize it from the inside out.
This is why businesses need to train their employees on detecting phishing emails. Sometimes those phishing emails are really, really convincing. And if your employee doesn’t know any better, then they can do more damage than they even knew they could do, completely by accident, and all within their lunch break.
It’s important to empower your employees so that they can make an informed judgment call when they receive a sketchy email. “Hmm, I’ve won a free getaway to Hawaii through a company I’ve never heard of?” “Oh, this email says I need to follow this link to reset my Facebook password, even though I haven’t clicked ‘Change Password’ on Facebook any time recently?” “Why is this $20 Amazon gift card email not displaying any of the pictures?” This is a scenario where it is actually beneficial to be distrusting—and even overly paranoid—of the internet, because there are countless hackers out there preying on gullible users. Can you afford to have your employees be your biggest liability for cyber threats?
Fortunately, phishing training is not rocket science. There are key red flags to look for when you open an email, and there are many, many resources to help teach people how to be informed, responsible users. Nobody wants to be the employee in the news story that accidentally leaked thousands of people’s private information because they didn’t know they were being scammed in a phishing email. That’s kind of embarrassing.
To read about the Minnesota Department of Human Services breach, visit here.