With a leadership team in place and a set of known and likely email security threats identified, African organisations need to be ready to build out an advanced security strategy. Here are three ways in which advanced security strategies can be expanded.
Engage all departments and levels.
Make cybersecurity relevant for employees up and down the organisation. While the basic concepts don’t change, you get better results by tailoring the messaging and learning to the specific needs of each level and division of your organisation:
Every department is susceptible to email security threats and should receive training, but it is vital to train everyone in HR, payroll, accounting and the executive suite, because these are the teams that handle payments, personal data and credentials and are therefore the usual targets of invoice fraud and credential phishing.
Top-level management may not realise that they, and their privileged credentials, are at risk. Whaling attacks specifically target senior executives. Additionally, the top brass sets the tone for the rest of the organisation and can ensure that the security programme gets the appropriate backing in terms of budget, time and resources.
Employees who process high volumes of email as part of a business process, or who repeat the same email-based actions each day, are more likely to fall for scams because routine work is done on autopilot and a fraudulent message that looks like the usual request gets the usual response.
Staff who are not heavy email users are also at higher risk of being scammed, because they are unfamiliar with standard processes and do not know how to spot something potentially fraudulent.
Create a continuous awareness and training program.
A one-time, once-a-year training and awareness campaign is not sufficient to address the growing threat of email-based cybercrime. Here is how to make sure that training sticks:
Share key messages and tips via posters, your intranet, in email blasts, at staff meetings, and in orientations to remind your team what to look for and what to do in the event of an email scam.
Develop training activities in the correct context so they are relatable and relevant to participants. Be sure to include examples from real life that involve employees of equivalent rank.
Quiz staff regularly on procedures and common phishing scams. Provide additional education for those who struggle with the concepts and processes.
Deploy scheduled and surprise tests and drills that simulate email-based cybercrimes and observe how your staff react. Offer additional training to those who do not spot the fraud or do not follow the right process.
Do not punish or call out employees who get scammed during drills. Very smart people fall for these scams every day, which is exactly the message you want to get across; punishing failures only teaches staff to hide them instead of reporting them.
Explain how cybercrime puts your organisation at risk of financial or legal impacts, not to scare your staff, but to ensure they understand the organisation’s livelihood – and theirs – is at stake.
Review processes and procedures for handling requests for funds or sensitive information, including processes for reporting suspected fraud and for alerting managers when a scam is detected. A request to change a supplier's bank details or to make an urgent payment should always be verified out of band, for example by phoning a known number, rather than by replying to the email that made the request.
Update training and awareness content whenever new threats arise so the entire staff is aware of tactics and preventive steps. This gives you a fighting chance of keeping up with the fraudsters.
Leverage technology solutions for training.
Do not overlook the ways technology can support your awareness and training efforts. Take advantage of email security products that include end-user training functionality. Ideal solutions offer several formats, such as webinars, videos, books and classroom delivery, blending practice and theory.
Third-party tools such as PhishMe enable you to test and train employees on how to identify and respond to suspect emails via simulations. When choosing technology to support training, look for solutions that help you:
- Learn about the most common – and dangerous – types of email-based cybercrime
- See how cybercriminals and fraudsters think
- Test-drive avoidance tactics
- Watch what happens after an attack is launched
- Assess how your organisation responds to suspicious emails and cyberattacks
Edited by Fundisiwe Maseko