High Employee Turnover Heightens Cybersecurity Risks

A confluence of factors, including the pandemic, inflation, and widespread employee resignations, has created a challenging scenario for employers. 

Entering the third year of a tumultuous job market, the struggle to fill crucial positions persists as a result.

According to data from Monster.com, a staggering 96% of workers are actively seeking new job opportunities in 2023. Concurrently, the technology industry is contending with a surge of layoffs, leaving remaining employees burdened with increased responsibilities. This dynamic poses a significant cybersecurity challenge for organizations, as they grapple with training new staff members and maintaining engagement among existing team members who might be overwhelmed or disengaged. Seemingly minor errors, such as clicking on a malicious email attachment or reusing compromised login credentials, can lead to costly cyberattacks, causing millions of dollars in damages.

While people are often the root cause of cybersecurity vulnerabilities, they can also serve as a crucial part of the solution. Here are five fundamental strategies to enhance your team’s skills and bolster the overall cyber resilience of your organization:

Table of Contents

Confront Social Engineering Directly: 

In 2022, phishing attacks surged by 61%, and the US Federal Bureau of Investigation predicts a potential year-over-year increase of up to 400%. While companies typically conduct penetration tests to uncover network vulnerabilities and assess employee responses to social engineering attacks, these metrics alone are insufficient. To effect meaningful change, security professionals must develop a comprehensive plan to leverage this data, pinpoint employees vulnerable to such attacks, and cultivate lasting behavioral improvements.

Initial focus should be directed at the most susceptible employees. Cybercriminals recognize that many companies employ email security software, prompting them to target a select few individuals rather than a larger group. Through phishing simulation tests and subsequent training, you can swiftly identify team members most susceptible to these threats and provide them with the necessary skills to better defend against such attacks.

Intervention and specialized training are essential next steps. Traditional annual or biannual training is often ineffective, as employees quickly forget acquired knowledge. Conversely, promptly offering targeted training to employees who fail a phishing simulation test enhances their understanding, retention, and future behavior modification. Neglecting intervention and specialized training increases the likelihood of continued susceptibility to suspicious links in the future.

Additionally, ensure that all team members understand the steps to take when encountering a social engineering email. Establish a straightforward method for employees to report potential breaches to the security team, encouraging an open dialogue for concerns and timely notifications. Prioritize over-communication to avoid overlooking warning signs of genuine threats.

Institute a Personal Device Policy: 

During the pandemic, a common trend emerged, with individuals using corporate devices for personal matters and personal devices for work-related tasks. This practice exposed vulnerabilities to phishing, malware, and other cyberattacks. To counteract these risks, reassess how applications are accessed through insecure home networks and formulate comprehensive policies governing employee access to company accounts via personal devices. This is especially crucial for organizations adopting a hybrid work model, where remote work remains a part of the equation.

Promptly eliminate any corporate data downloaded onto home computers and review remotely established email, system, and vendor accounts for adequate security measures.

Enforce Robust Password Guidelines: 

Weak password choices remain a leading cause of credential-based attacks, including account takeovers. Establish a policy mandating passwords of at least 16 characters, combining upper and lower case letters, along with special characters. Educate employees about the repercussions of password reuse.

Address the prevalent issue of password reuse by promoting unique passwords for every account. While corporate security teams play a role in advocating for this practice, individuals themselves play a pivotal role in its implementation. Consider offering password managers as a beneficial tool and encouraging their use across both work and personal accounts.

Mandatory implementation of two-factor authentication (2FA) provides an additional layer of defense, compelling users to provide multiple distinct pieces of evidence for account access, thus deterring certain forms of cybercrime.

Emphasize Monitoring Your Digital Footprint: 

Many cyber threats originate from cybercriminals monitoring victims’ social media accounts. The familiar scenario of a friend’s hacked social media profile serves as a reminder of the risks. Most people are unaware of their digital footprints, which encompass online activity and preferences, potentially exposing them to targeted attacks. Communicate the importance of vigilant online sharing to your employees, encouraging them to periodically review and manage their digital footprints to safeguard against potential breaches.

Implement Tailored and Consistent Training: 

Cybercriminals exploit human behavior vulnerabilities, ranging from lax password practices to innocuous-seeming emails, to orchestrate their attacks. Establish an ongoing education and training program that equips employees to comprehend, identify, and respond effectively to threats. Stress that these practices safeguard not only corporate accounts but also personal online security.

While the uncertain job market may persist, it need not compromise the efficacy of enterprise cybersecurity. Security professionals should proactively educate employees about evolving threats, empowering them with the tools to safeguard both organizational and personal digital assets.