Cybersecurity Considerations for Employee Onboarding

Written by zacamos | Published 2023/02/03

TL;DR: Cybersecurity is crucial in the onboarding process and beyond. First, you must vet new employees, because insider threats (both intentional and accidental) account for 31% of all cybercrime. Next, put new employees through a cybersecurity training program to help inculcate a security mindset. Finally, implement security guidelines in company policy and walk through the policy with new employees to ensure everyone is on the same page.

In 2019, a data analytics firm employee quietly posted an ad seeking $2.5 million in cryptocurrency. In exchange, he offered private details of every municipal water system, fire department, and emergency communications center in the U.S., plus the personal information from millions of medical claims. The FBI determined that the employee, Timothy Young, had used two-factor authentication to get at his company's data.

Although this is an extreme example, it highlights the importance of cybersecurity in the onboarding process and beyond.

Employee-Based Threats

When hiring new employees, many business owners are tempted to expedite things and get people working as soon as possible, especially if the company is short-staffed. However, managers and employees must understand the inherent cybersecurity risks in the onboarding process. Hiring new workers often means giving them access to:

  • Trade secrets
  • Company passwords
  • Client lists
  • Personal information

That’s why the first important cybersecurity consideration is to vet new employees thoroughly. In 2022, insider threats were the most frequent type of cybersecurity risk worldwide, accounting for 31% of all cybercrime in organizations. These security breaches were either negligent, accidental, or intentional.

Employers must be aware of the following insider threats:

1. Intentional Harm

Disgruntled workers pose a considerable risk to their company, whether they have a personal vendetta or simply want to make some extra cash. Intentional harm may include using unapproved technology, knowingly visiting dangerous websites, or stealing company resources. For example, an employee may download a client list onto a USB drive and sell the data to a third party.

2. Clicking Bad Links

Clicking harmful links in a phishing email or malvertisement is usually accidental and is a common mistake that leads to data breaches. A 2022 North Carolina Department of Justice report found that email breaches — including phishing scams, misdirected emails containing personal info, and other unauthorized access — caused 29% of cybersecurity incidents.

3. Working in Public

As more people work remotely, companies face a higher risk of bad actors stealing their data. Working in a coffee shop on public Wi-Fi means a third-party access point could intercept an employee’s connection. Strangers can also eavesdrop during a phone call or meeting, glance at someone’s screen or browse an employee’s laptop while they’re in the restroom. Managers should educate workers on safe ways to work in public.

4. Poor Password Management

Employees can threaten company security via poor login credential management, whether by using the same password multiple times or opting out of two-factor authentication. Employers must stress the importance of changing passwords frequently and keeping them secure. They should also explain how to generate a strong password.

For example, a password that’s only six characters long and incorporates uppercase and lowercase letters, numbers, and symbols has a one in 735 billion chance of being cracked.
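As an added example (not code from the original article), the following Python generates a password from a cryptographically secure random source and reports how large the search space for a given length is. The 95-character alphabet used to reproduce the article's 735 billion figure is the printable ASCII set including the space; the generator itself draws from the 94 characters without the space. The minimum-class check and the default length of 16 are choices made here, not a policy the article prescribes.

```python
"""Strong password generation and keyspace measurement.

Added example; not code from the original article. The alphabet size
of 95 (printable ASCII including space) is assumed in order to match the
article's figure of 735 billion combinations for six characters.
"""
import math
import secrets
import string

# 94 characters: letters, digits, punctuation (space deliberately excluded).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of the given length and alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True when the password contains a lowercase letter, an uppercase
    letter, a digit, and a symbol."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Draw characters with the secrets module (not random), and retry
    until every character class is present."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all classes")
    while True:
        candidate = "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


if __name__ == "__main__":
    print("6-char, 95-symbol keyspace:", keyspace(6, 95))
    print("16-char entropy (bits):", round(entropy_bits(16, 94), 1))
    print("generated:", generate_password())
```

Run with any Python 3 interpreter; the keyspace and entropy functions show how much each extra character adds, which is the point to make when explaining why longer passwords are preferred.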

5. Too Many Rights

Giving someone access to every company file is inherently risky. Most employees won’t need administrative privileges, the rights to install software, or the ability to stop scheduled maintenance like patches and scans. Most people simply need to be able to log in and access a few relevant files.

Employers should categorize files by their importance and sensitivity. Then, they can grant employees access to files from a specific category or privilege level. Managers should control privileges remotely so they can revoke them instantly if needed.
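The category-and-privilege scheme described above can be written down as a small access-control check. This is an added example, not code from the original article: the file names, role names, and the four sensitivity levels are constructed for illustration, and revocation is modelled as a single in-memory update so that it takes effect on the very next check.

```python
"""Least-privilege file access by sensitivity category.

Added example; not code from the original article. The file catalog,
roles, and sensitivity levels below are constructed for illustration.
"""
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered categories; a higher value is more restricted."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Constructed inventory: each file is classified once by its owner.
FILE_CATALOG = {
    "holiday-calendar.pdf": Sensitivity.PUBLIC,
    "employee-handbook.pdf": Sensitivity.INTERNAL,
    "client-list.xlsx": Sensitivity.CONFIDENTIAL,
    "trade-secret-formula.docx": Sensitivity.RESTRICTED,
}

# Constructed role table: the clearance a role receives by default.
ROLE_CLEARANCE = {
    "new-hire": Sensitivity.INTERNAL,
    "account-manager": Sensitivity.CONFIDENTIAL,
    "executive": Sensitivity.RESTRICTED,
}


class AccessControl:
    """Per-user clearance plus a separate, explicit admin set."""

    def __init__(self) -> None:
        self._clearance: dict[str, Sensitivity] = {}
        self._admins: set[str] = set()

    def grant_role(self, user: str, role: str) -> None:
        """Assign the clearance level that belongs to a role."""
        self._clearance[user] = ROLE_CLEARANCE[role]

    def grant_admin(self, user: str) -> None:
        """Administrative rights are never implied by a role."""
        self._admins.add(user)

    def revoke(self, user: str) -> None:
        """Remove every right the user holds; effective immediately."""
        self._clearance.pop(user, None)
        self._admins.discard(user)

    def can_read(self, user: str, filename: str) -> bool:
        """Allow only when clearance covers the file's category.
        Unknown users and unclassified files are denied by default."""
        level = FILE_CATALOG.get(filename)
        clearance = self._clearance.get(user)
        if level is None or clearance is None:
            return False
        return clearance >= level

    def can_install_software(self, user: str) -> bool:
        """Only explicit admins may install software or stop maintenance."""
        return user in self._admins


def demo() -> dict[str, bool]:
    """Walk a new hire through grant, use, and revocation."""
    ac = AccessControl()
    ac.grant_role("alice", "new-hire")
    results = {
        "new_hire_reads_handbook": ac.can_read("alice", "employee-handbook.pdf"),
        "new_hire_reads_clients": ac.can_read("alice", "client-list.xlsx"),
        "new_hire_installs": ac.can_install_software("alice"),
    }
    ac.grant_role("alice", "account-manager")
    results["manager_reads_clients"] = ac.can_read("alice", "client-list.xlsx")
    ac.revoke("alice")
    results["after_revoke"] = ac.can_read("alice", "holiday-calendar.pdf")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The two design points worth noting are that the default answer is "deny" (a file nobody classified, or a user nobody granted, gets nothing) and that administrative rights live in their own set rather than being the top of the clearance ladder, so promoting someone's clearance never silently makes them an administrator.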

6. Poor Device Management

Employees using a personal email account or device for company business may not have adequate security measures to protect private data. People working from home don’t always have antivirus software or a secure network like in a traditional office. Companies that hire remote workers must ensure they have a proper computer setup, including anti-malware and a private internet connection.

Outside Security Threats

Security breaches don’t always come from the inside. Bad actors can gain access to a network in the following ways:

  • Web or email attacks
  • Brute force attacks using trial and error to guess passwords
  • Unauthorized use of administrative privileges
  • Infected flash drives
  • Stealing or finding a device with private information on it

Employers should provide thorough cybersecurity training on these issues during the onboarding process. Effective training is crucial, given that only 29% of new employees feel adequately prepared and supported to excel at their job. Briefing new hires on what to watch out for allows managers to improve company safety and worker confidence.

1. Phishing

Phishing — trying to steal sensitive data by impersonating a legitimate party — is still the No. 1 way cyberattacks start. Over 3 billion phishing messages are launched daily, accounting for 1% of all emails. Threat actors have even branched out into sending phone calls and texts to hook hapless victims.

Phishing attacks often include an element of social engineering, making it seem like the message is coming from someone the victim trusts. Employees should limit the amount of personal information they put online to minimize the risk of such an attack.

2. Malvertising

Even if an ad looks legitimate, employees should never click on online ads. They often contain malware, and sometimes even scrolling past them is enough to install a virus. Employers should use ad-blocking software on all devices and instruct workers to click only on trustworthy links.

3. Ransomware

Hackers that manage to breach a company network may hold sensitive data hostage until someone pays a ransom. Employees who encounter a ransomware attack should immediately report it to a supervisor.

4. Man in the Middle

Hackers that insert themselves into a two-party transaction are conducting a man-in-the-middle (MITM) attack. After interrupting a network connection, they can steal sensitive information. This type of attack often happens when employees use unsecured public Wi-Fi connections to work.

5. Denial of Service

In a denial-of-service (DoS) attack, hackers use multiple computers or IP addresses to send repeated requests to a company network. The attack overloads the network, causing it to become slow or completely nonfunctional. Employees should report unusually slow internet connections to a supervisor.

Security Policies

One last cybersecurity topic to cover in training is company policies regarding computer use. New employees should learn about the following:

1. Acceptable Use

The acceptable use policy outlines what employees can and cannot do with a company computer or data. It governs who they’re allowed to share information with, how they can do so, and which data to never give out.

2. Data Privacy

Which files are extremely sensitive, and why? Where should employees store them? Data privacy policies should cover this information in detail. Employees must learn safe practices, such as not sharing sensitive information via email.

3. Incident Reporting

Companies should define what counts as a security incident. Who should workers report it to? What problems should they mention, and how time-sensitive is the situation? Employees should feel safe reporting a cybersecurity breach to their employer without fear of repercussions.

4. Scheduled Maintenance

Managers should let employees know what their system maintenance schedule looks like. For example, if all the computers update once a month, employees should be aware of this and let it happen. They shouldn’t delay regularly scheduled malware scans, patches or updates. Employers should explain the importance of regular software maintenance and what it looks like compared to a system attack.

5. Security Tools

Does the company monitor which websites employees visit by taking screenshots? Does it employ activity trackers, ad blockers or antivirus software? If so, employers should fully inform workers of these security measures.

6. Remote Work

How should people working from home protect their computers? How can remote workers communicate with each other and their supervisors? Employers should cover policies that detail how quickly employees need to be available, whether they can contact their manager via cell phone and how often they’ll have regular check-in meetings.

Final Training Tips

The most vital aspect of training new employees is to explain why each cybersecurity policy matters. Rather than just telling people to use two-factor authentication, inform them that doing so protects valuable company data.

Employers should always give staff a chance to ask questions and make suggestions. According to Gallup polls, only 15% of workers worldwide feel engaged with their job. However, people who feel involved are more likely to comply with cybersecurity policies and be more productive overall.

Promoting Strong Cybersecurity Practices

Onboarding new employees involves briefing them on company policies, security threats, and safe online behavior. The training process should allow workers to ask questions and make comments.

Employers that let their staff give feedback can improve their training methods and make employees feel more involved, leading to more robust cybersecurity measures. Effective training allows people to do what they came for — to get to work.


Written by zacamos | Zac is the Features Editor at ReHack, where he covers cybersecurity, AI and more.
Published by HackerNoon on 2023/02/03