Cybersecurity Awareness Training
When was the last time you trained your employees on cybersecurity? Small businesses often neglect cybersecurity training for their employees. Owners assume that employees will naturally be cautious online. The human factor is a significant source of security vulnerabilities. Employees may inadvertently click on malicious links or download infected files. Business cybersecurity training helps them:
- Recognize phishing attempts
- Understand the importance of strong passwords
- Be aware of social engineering tactics used by cybercriminals
Flagstaff Tech Net offers cybersecurity training for small businesses. We teach the following:
- Understanding the types of information that thieves seek (See below)
- How to select and store information securely, including login credentials.
- Not repeating the same login credentials on multiple accounts
- Making use of two-factor authentication (2FA)
- How to identify suspicious e-mail, malware-linked internet links, and message attachments
- How and why to keep hardware and software updated
- Safe internet browsing, social media use, configuring secure mobile devices
- Using public Wi-Fi safely
- Recognizing and reporting potential business data breaches
Focusing on best practices helps employees recognize potential gaps in their security awareness and gives them actionable steps for improvement. Social engineering is responsible for most business data breaches worldwide. With that kind of risk, your business can’t wait until it’s been attacked.
Flagstaff Tech Net provides security awareness training to your business employees. We also offer a class for your top executives and Board of Directors. This training combined with our managed security infrastructure software systems can keep your business safe. These social engineering tools help prevent your employees from taking many risky actions.
Phishing e-mails are a subset of social engineering, with an email pretending to be from a trusted or known source and prompting the user to click a link or give away proprietary information. Common social engineering attacks that your employees need to be aware of include:
- Ransomware: Cyber threats, particularly ransomware and hacking, pose significant risks to every business sector. Over the past four years, there has been a substantial increase in large breaches involving hacking (239%) and ransomware (278%), with hacking accounting for 77% of large breaches reported to the Health and Human Services Dept, Office of Civil Rights (OCR) in 2023. This year alone, large breaches have impacted over 88 million individuals, marking a 60% increase from the previous year.
Addressing ransomware is crucial for business continuity. The decision of whether to pay the ransom is a contentious one. Some businesses believe they can restore systems from backups, dismissing the need for additional expenditures on legal counsel or computer forensic experts. However, the assumption that ransomware doesn’t mandate breach notification, thus avoiding additional costs, is not always accurate. Vigilance and comprehensive response strategies are essential to mitigate these escalating cyber threats.
- Leadership E-mails: Emails pretending to be from company executives with urgent requests for the employee. The increased pressure makes employees less likely to question the request.
- E-mail Spoofing: Using look-alike letter combinations such as ‘rn’ instead of ‘m’ to create an email address that resembles one the employee trusts, often paired with messaging that requires urgent action.
- Vishing and Smishing: Phishing attacks rely on fraudulent e-mails. Vishing, or voice phishing, is a fraud attack that occurs over the phone, with an imposter pretending to be someone else to trick the employee into disclosing sensitive information on the call. Smishing, or SMS phishing, is like phishing but through text messages.
- Website Spoofing: Directing an employee to visit a fake website that emulates a company they trust, prompting them to log in and reveal their credentials.
- Baiting: Scammers attract employees with a reward to obtain access to company or employee data. For example, giving away free USB drives at a convention, but with malware loaded onto the drives.
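The look-alike trick described under E-mail Spoofing can be checked for automatically on incoming mail. The following is an added example, not code from Flagstaff Tech Net: it collapses look-alike sequences before comparing a sender's domain with a trusted list, and it goes beyond ‘rn’/‘m’ to a few other common substitutions. The trusted list, the substitution table and the sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed substitution table: sequences that read like another letter.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Hypothetical allow-list of domains the business really corresponds with.
TRUSTED_DOMAINS = {"example.com"}


def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so visually similar domains compare equal."""
    s = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'Pat <pat@example.com>'."""
    _display_name, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower()


def classify(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a sender."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    # Compare skeletons: an exact match was ruled out above, so a skeleton
    # match means the domain only *looks* like a trusted one.
    by_skeleton = {skeleton(t): t for t in trusted}
    match = by_skeleton.get(skeleton(domain))
    return f"lookalike of {match}" if match else "unknown"


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["Pat <pat@example.com>", "Pat <pat@exarnple.com>",
                   "billing@example.corn", "it@examp1e.com", "news@unrelated.org"]:
        print(f"{sender:28} -> {classify(sender)}")
```

A "lookalike" result is a reason to quarantine or banner the message for review; an "unknown" result only means the domain does not imitate anything on the list.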
So, what are the goals of phishing attacks? What are phishers looking for?
- Proprietary data, trade secrets, highly sensitive information, or intellectual property that can be used or sold.
- Imitate the target’s typical communication style and structure by analyzing email communication trends, which makes their e-mails look more trustworthy.
- Research the target’s name, position, responsibility, contact details, and relationships.
- Utilize colleague and professional relationship information to assume a well-known persona and build trust.
- Become aware of ongoing tasks, deadlines, and efforts to be able to write seemingly urgent emails.
- Use recent news, events, or announcements to persuade recipients and make their emails seem timely and relevant.
- Create convincing scam e-mails by using their knowledge of your financial transactions, bills, or payment procedures.
- Use known vulnerabilities in software, tools, or systems by becoming familiar with the organization’s technological environment.
- Create plausible situations by knowing the target’s physical location and travel intentions.
- Pose as coworkers, superiors, or business partners.
- Leverage security weaknesses, including weak passwords, out-of-date software, and a lack of staff security awareness.
- Use social media profiles to gather connections, hobbies, and personal and professional information to help create believable personas.
- Access employee directories to gather useful facts about positions, offices, and contact data.
- Increase the attack surface and send harmful emails to more people using the target’s contacts.
To keep business data protected, security awareness training for employees needs to occur regularly. Regular training helps employees remember security threats and stop their risky behavior.
We use simulated phishing attacks in our training system that are directed at your employees. We send a variety of phishing e-mails to your employees testing their responses. We measure the retention of cyber security awareness. The results are reported to your company to share with employees to reinforce the need for constant awareness and response. If you would like to schedule cyber awareness training for your business, give us a call at 928-224-9462 or complete the scheduling request form below. We’ll get back to you within 24 hours.

