As technological tools for blocking cyberthieves become more widespread and sophisticated, criminals increasingly see humans as the weakest link. What that means: Alert and well-trained employees are more important than ever for business cybersecurity.


“The human factor is incredibly important,” says Gary Salman, CEO of Black Talon Security, a cybersecurity firm in Katonah, New York. “It is important to understand that the days of simply relying on firewalls and antivirus software to keep hackers out of your network are over. If these devices were so effective at protecting your data, there would be no data breaches.”


Indeed, security analysts have seen strong growth in email-based attacks such as phishing—when criminals send authentic-looking emails to business people to try to trick them into clicking links that will download malware. One security firm found that email attacks on businesses rose 46% in the first half of 2018 compared to the same period in 2017. And the Federal Bureau of Investigation, which tracks cybercrime against businesses, has found that business email compromise scams have grown significantly in recent years, costing businesses billions of dollars.


Employees can, however, be transformed from security weakness into strength. Here are five ways to accomplish that:


1. Teach them to spot suspicious emails

Train employees to identify phishing scams. They should be taught, for example, not to open email—even if appears to be from a reputable source—if the sender has an unfamiliar email address. They should also be leery of emails that contain grammatical or spelling errors, addresses them by their last name instead of just their first name, requests they click on a link or makes any request out of the ordinary.

If you have IT staff, have employees ask them to inspect any suspicious email to determine its legitimacy.

Show employees actual examples of suspicious messages to give them useful practice. “The way you communicate an effective cybersecurity program is by presenting them with real-world threats,” Salman says. “We teach them by going line by line through the email.”

2. Communicate best practices for selecting passwords

Simply having employees pick better passwords can prevent many cybercrimes. “A six-letter password is stronger than a four-letter password, and a 10-letter password is stronger than a six-letter password,” says Dan Hanson, senior vice president of management liability in the Minneapolis office of risk management company Marsh & McLennan Agency. “So making the passwords a little more complex can be very helpful.”

3. Set policies for guarding sensitive business information

Craft and communicate protocols for protecting user names and passwords. Salman recommends instituting a policy that no employee can use a company computer without first getting security training. He adds that businesses should prohibit sharing logins for networks and software. “Small businesses have to move away from using one username and password for multiple employees,” he says.

4. Maintain physical security of company and personal devices

Encourage employees to keep external doors and file server rooms locked, and to refuse unauthorized entry to strangers. If a hacker can get into the business and sit down at a terminal, it’s much easier to break into a network, Hanson explains. “Making sure no one gets through your physical security is huge,” he says.

5. Remind them to practice good security

It’s important to keep reminding employees to be vigilant about email. Salman recommends following up on training by occasionally sending employees suspicious-looking emails to see if they react properly. “When they know they’re going to be tested, they pay attention,” he says.


Firewalls, disk encryption, antivirus software and other cybersecurity technology still play critical roles. But so do people. “Ultimately,” Salman adds, “we’re trying to create human firewalls.”



Print this article