In a previous post we talked about the rise of phishing scams, which lure unsuspecting users into clicking malicious links, opening malware-infested attachments, and giving up sensitive information. Phishing is a form of social engineering — a technique of manipulating human nature in order to gain unauthorized access privileges or get hold of personal or business data.
Social engineering is a modern form of the age-old con game, in which hackers exploit the inherent “niceness” of the average person in order to carry out cyberattacks. Phishing scams mimic legitimate emails and websites in order to trick users into falling for the scam. Hackers may also pretend to be employees or trusted insiders who need information for a seemingly legitimate purpose.
Security tools are of little use in combating social engineering. Social engineering is on the rise because it’s far easier to manipulate people than to try to defeat security software. All it takes is one employee clicking on one malicious link to give hackers access to your network.
While some advanced tools can spot behavioral anomalies, a better approach is to stop social engineering from happening in the first place. Every employee in your organization should be trained to spot social engineering techniques, and understand the steps they need to take to prevent cyberattacks and protect sensitive data.
Unfortunately, human beings continue to be the weakest link in the security chain. According to the BakerHostetler Data Security Incident Response Report 2015, employee negligence accounted for 37 percent of all security breach incidents in which a definitive cause could be identified. Malware, in contrast, accounted for just 20 percent of such cases.
These figures point to the critical importance of employee training in IT security. Without appropriate training, employees may be inclined to give out their passwords, share data with outsiders and engage in other activities that undermine security. Employees who violate security policies through ignorance or carelessness can exact a tremendous cost on the organization by compromising private information.
Training programs should promote general security best practices and an understanding of social engineering and hacking techniques. Procedures should be established for reporting a suspected breach in order to minimize its impact. Depending on their roles, certain employees may also have specific responsibilities for protecting sensitive data. Security should be covered in training for new employees and in ongoing refresher classes for all employees.
Documented security policies and employee training help organizations meet regulatory compliance requirements as well as boost network security. In fact, security training is now required by a number of government and industry regulations.
In developing a security training program, organizations should begin by determining the goals to be met. Rather than trying to address a broad range of security issues, the program should focus on the threats that could have the greatest impact on the organization. Make sure employees understand security policies and the penalties for violating them. Role-based training should drill down into the specific procedures and requirements that apply to each role.
Employees need to understand that security and compliance are not just the responsibility of a select few. Everyone needs to be vigilant in order to prevent a costly security breach. SSD’s cybersecurity team can assess your organization’s security risks and help you develop smart strategies for protecting your systems and data.