The first line of defense against security threats is you

By Alex Norman — Published

Everyone’s heard the advice. Don’t click that link. Don’t respond to that unknown email. Don’t download the attachment. Don’t browse dodgy websites. Don’t send company data to your friends. Don’t let your kids play games on your laptop. Don’t trust anything. Don’t trust anyone. It can be exhausting hearing the onslaught of what not to do. But it’s for good reason. According to Cisco’s 2021 report on cyber security trends, 90% of data breaches started with a successful phish.

People are the first line of defense for every company. People also happen to be the weakest link. We forget things, make mistakes, or fall for elaborate scams. This is why awareness training is so important. Technology can help add layers of defense, but the human on the other side will always play a key role in holding those layers together.

It’s critical that startups and their growing teams know what to look out for and have a baseline of training that helps them spot the red flags.

What                 | Start                                                                                           | Next
---------------------|-------------------------------------------------------------------------------------------------|-----------------------------------
Phishing awareness   | Links to free resources and training during onboarding                                          | Automated test phishing simulations
Security awareness   | Links to free resources, training during onboarding, team updates related to big events in the news | Automated training platform

Phishing and security awareness


Security awareness is about making sure everyone has a common baseline of security knowledge and the confidence to build from it. Every team, every person, and every startup has a different set of experiences to rely on. Creating the baseline, picking out newsworthy themes, and tailoring security knowledge to those experiences will be key to keeping everyone aware. Since phishing is such a hot topic, we’ve included additional information specific to phishing.

To paraphrase the Australian government’s free phishing awareness page:

Phishing is a way that cybercriminals steal confidential information, such as online banking logins, credit card details, or login credentials, by sending fraudulent messages. These deceptive messages often pretend to be from a large organization you trust to make the scam more believable. They can be sent via email, SMS, instant messaging, or social media platforms. They often contain a link to a fake website where you are encouraged to enter confidential details.

Phishing emails have become more and more elaborate with each passing year. Gone are the days when you got strange-looking emails with misspellings and poor grammar. Modern phishing emails are nearly indistinguishable from the real deal. Common examples include password reset notifications or company updates from generic email aliases.

People are the first line of defense. Learning the characteristics of a phishing email and how they work will help protect both you and your business. Learning about how to handle sensitive company data in a secure manner will protect everyone from accidentally leaking information. Learning about how to raise a security question or suspicion will build a culture of open discussion and highlight insecure trends.

Basics to get started? Use free government or industry resources to learn about phishing and cyber security basics, such as the Australian government’s free phishing awareness, Amazon’s free security awareness training, or the US government’s cybersecurity awareness course. Create an internal page about the security practices within your own startup. Topics can include

  • Where your customer data is stored and how to treat it
  • How to safely share files with each other
  • What is the recommended password manager
  • Who to contact if there’s something suspicious

The internal page should be included in the onboarding pack for new starters so that they review it before getting too deep into their role. Also, include anything topical to your startup. If you’re working with financial data, include information about payment security. If you’re working with health data, include information about what counts as sensitive data.

Follow this up with an occasional team message or internal wiki post about something recent in the news. These topical conversations may also help your team protect their personal accounts and systems. An internal page for reference, plus a group message from time to time, is a great start.

What’s next? As your startup grows, you may need to look at an automated tool for delivering the content. This will help make sure that new starters already have the training assigned to them, send out reminders to complete the course, and automatically refresh the training a few times a year. Almost all these tools incorporate some kind of phishing test. These will send out sample phishing emails to your staff to educate them on current examples. The test will also give you metrics on how well everyone is able to detect the signs of a phishing email.

What does Kinde do? Every new starter has a security onboarding session with our in-house Security Specialist. Topics include phishing awareness, data privacy, setting up security tools like our password manager and endpoint protection, and securely sharing files with each other. This session is also a time when they can ask anything security related. We also take the time to bring up something security related at least once a month during our all hands, whether it’s information about what we can do to protect ourselves based on a data breach in the news or updates on improving the security of our product based on customer feedback.