What to Do When Employees Fail a Cybersecurity Assessment

Posted by Erik Murphy - February 26, 2018 - IT Security


In the wake of an increasing number of high-profile data breaches, businesses of all sizes are doubling down on IT security efforts. Cybersecurity is no longer the sole responsibility of your internal IT team or your third-party IT partners. Protecting the organization from a cyber attack is everyone’s job.

Investing in cybersecurity awareness is a necessity in today’s digital business environment. If you’ve decided to assess your team’s knowledge of cybersecurity best practices, you probably know that human error is the biggest IT security vulnerability organizations face. In fact, 91% of cyberattacks and the resulting data breaches begin with a spear phishing email, meaning the overwhelming majority of hacks are initiated by employees clicking on emails containing some form of malware.

Today, you can partner with an IT management firm to test your employees’ knowledge of cybersecurity best practices. But when you initiate the test and send your fake phishing emails, how do you help those employees who click the malicious link? Here are some best practices for what to do when employees fail a cybersecurity assessment.

Don’t get mad, get proactive

Many people today still aren’t aware of cybersecurity best practices. No one is born with these skills; we all need to be taught the right warning signs and responses.

When an employee fails his or her assessment, anger and frustration are not the right responses. Instead, take the opportunity to create a teachable moment. As soon as the employee clicks the link in the simulated phishing email, a pop-up should appear letting them know about their error. You’ll be informed of the incident, and you can then take time to address the employee individually and offer concrete, one-on-one advice about how they can improve their behavior in the future.

Set a precedent of not reacting to incident reports with annoyance or anger. If employees mistakenly fall victim to a real phishing scam or other cyber attack in the future, you want them to report the incident right away without being scared of an overly negative response. Cyber crimes can be costly for companies and should never be taken lightly, but employees need to feel comfortable reporting incidents or they may try to hide what happened.

Review your organization’s cybersecurity awareness plan

With each test, be sure to review your company’s cybersecurity preparedness plan. Are you providing employees with the tools they really need to identify threats?

The awareness education you provide should be directly relevant to the work of your employees and the information security risks they face. While different job functions may face unique security threats, there are certain areas that every employee needs to be aware of. Be sure your education program covers the following areas:

Account Security: Review the basics such as creating a strong password, changing passwords often, and never sharing account information.

Rules for Keeping a Clean Machine: Set and enforce rules for which programs, apps and data workers can install and keep on their work computers, and explain why.

How to Identify a Phishing Email: Go over the signs of malicious emails. Be sure to talk about what exactly the “bad guys” are looking for (company information, financial information, etc.).

Warning Signs of Suspicious Activity: Phishing scams aren’t the only attacks cyber criminals use to harm companies. Review warning signs of suspicious activity on your organization’s network.

Types of Social Engineering Scams: Identify the various types of social engineering scams and their warning signs, e.g., baiting or tailgating.

Dangers of Unsecured WiFi: Instruct employees never to connect to unsecured WiFi or WiFi networks with lax password protection.

Track your progress

It can be challenging to truly measure your employees’ level of cybersecurity awareness. After all, it only takes one mistake to cause a problem. However, there are certain factors that can point to progress.

First, record the numbers and types of incident reports and support calls due to malware. Benchmark the frequency of the reports after each training session. If there are fewer incidents, then that’s clear progress. Additionally, you can track the types of incidents
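The tracking described above is easy to automate once each simulated-phishing campaign produces a per-recipient record. The following Python is an added example written for this article, not code from the author or from any assessment vendor; the campaign names, employee ids and results are constructed sample data. Beyond the click counts the text mentions, it also tracks the report rate (people who flagged the message, which is the behavior the earlier section says you want to encourage) and lists repeat clickers, who are the natural candidates for one-on-one coaching.

```python
from collections import defaultdict

# Constructed sample records from three simulated phishing campaigns (not real data).
# One record per recipient: campaign id, employee id, whether they clicked the link,
# and whether they reported the message. A person may both click and report.
SAMPLE_RESULTS = [
    {"campaign": "2018-01", "employee": "e01", "clicked": True,  "reported": False},
    {"campaign": "2018-01", "employee": "e02", "clicked": True,  "reported": False},
    {"campaign": "2018-01", "employee": "e03", "clicked": True,  "reported": False},
    {"campaign": "2018-01", "employee": "e04", "clicked": False, "reported": True},
    {"campaign": "2018-01", "employee": "e05", "clicked": False, "reported": False},
    {"campaign": "2018-03", "employee": "e01", "clicked": True,  "reported": False},
    {"campaign": "2018-03", "employee": "e02", "clicked": False, "reported": True},
    {"campaign": "2018-03", "employee": "e03", "clicked": False, "reported": True},
    {"campaign": "2018-03", "employee": "e04", "clicked": False, "reported": True},
    {"campaign": "2018-03", "employee": "e05", "clicked": False, "reported": False},
    {"campaign": "2018-05", "employee": "e01", "clicked": True,  "reported": False},
    {"campaign": "2018-05", "employee": "e02", "clicked": False, "reported": True},
    {"campaign": "2018-05", "employee": "e03", "clicked": False, "reported": True},
    {"campaign": "2018-05", "employee": "e04", "clicked": False, "reported": True},
    {"campaign": "2018-05", "employee": "e05", "clicked": False, "reported": True},
]


def campaign_metrics(results):
    """Per-campaign recipient count, click rate and report rate.

    A campaign with no recipients yields rates of 0.0 rather than a division error.
    """
    totals = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r["campaign"]]
        t["recipients"] += 1
        t["clicked"] += int(bool(r["clicked"]))
        t["reported"] += int(bool(r["reported"]))
    metrics = {}
    for name, t in totals.items():
        n = t["recipients"]
        metrics[name] = {
            "recipients": n,
            "click_rate": t["clicked"] / n if n else 0.0,
            "report_rate": t["reported"] / n if n else 0.0,
        }
    return metrics


def repeat_clickers(results):
    """Employees who clicked in more than one campaign, sorted by id."""
    counts = defaultdict(int)
    for r in results:
        if r["clicked"]:
            counts[r["employee"]] += 1
    return sorted(e for e, k in counts.items() if k > 1)


def trend(metrics, key="click_rate"):
    """Change in a metric from the earliest to the latest campaign.

    Campaign ids are assumed to sort chronologically (e.g. YYYY-MM). A negative
    click-rate delta, or a positive report-rate delta, indicates progress.
    Returns None when fewer than two campaigns exist.
    """
    names = sorted(metrics)
    if len(names) < 2:
        return None
    return metrics[names[-1]][key] - metrics[names[0]][key]


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_RESULTS)
    for name in sorted(m):
        c = m[name]
        print(f"{name}: {c['recipients']} recipients, "
              f"click rate {c['click_rate']:.0%}, report rate {c['report_rate']:.0%}")
    print("click-rate change:", f"{trend(m):+.0%}")
    print("report-rate change:", f"{trend(m, 'report_rate'):+.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

Feeding the real export from your assessment tool into `campaign_metrics` gives the benchmark the text asks for after each training session; watching the report rate alongside the click rate matters because a falling click rate with a flat report rate means people are ignoring suspicious mail rather than flagging it.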

Cybersecurity awareness is an issue that affects every organization. Educating your employees about their role in preventing cyber attacks is a delicate balance between protecting your data and empowering employees to be productive. When your team members fail routine cybersecurity assessments, use it as a teachable moment to further your education initiatives. Create a culture of professional skepticism at your workplace and build your frontline defense against cybersecurity risk.



About the author

Erik Murphy

Erik Murphy is SymQuest’s Virtual Chief Information Officer of Strategic Accounts based in the Keene, NH office. Murphy is considered an organized trailblazer helping executives reinvent IT strategy using the customization of managed services justified by financial analysis, business process re-engineering, and private cloud hosting.
