Training employees is key to cybersecurity

Most companies don’t have anti-malware or patching policies
Wednesday, October 20, 2021
By Cheryl Mah

Providing proper cybersecurity training for all employees is critical to prevent online attacks, according to Ron Borsholm from MNP’s Technology Solutions cyber team.

“The front door to any organization is your people. If your people aren’t being trained, aware of cyber risks, then you’re going to have a problem,” he said. “All staff play a role in cybersecurity.”

Borsholm was a keynote speaker at the 2021 BC Construction Safety Alliance’s Health and Safety Conference where he shared insights about the state of cybersecurity, types of cyberattacks and prevention tips.

With the ongoing pandemic, cyberthreats have taken a “back burner to everything else going on,” he noted, but the threats are still real, with criminals shifting their targets to the mid-size market, where smaller organizations cannot protect themselves.

“One of the big challenges with COVID is everybody went to working from home…this happened extremely quickly. A lot of people didn’t take a look at security,” said Borsholm. “Any person in an organization can be a breach point. It could be one person in a remote location clicking an email attachment that leads to malware that can jump across the network.”

In addition to a lack of training for employees, most companies don’t have anti-malware applications or formal patching policies in place. Any missing patch is a vulnerability for an attacker to use, he said.

The predominant threat today comes from social engineering, where criminals use different deceptive tactics to trick people into giving away information. Phishing is the most common method used to introduce ransomware, said Borsholm. It’s “the number one online threat for public and private organizations.”

“Right now, the most used in phishing are new Microsoft Teams requests, COVID-19 and health warnings, and Microsoft Office 365 password expiration,” said Borsholm, explaining that phishing emails have links, data entry or an attachment.

He went on to cite an example where MNP was engaged to do a targeted phishing engagement for a client with 500 employees.

An initial email was sent out requesting they check their password strength by clicking a link to a password check page. A follow-up email was sent with the same request later in the week. The result was a real wake-up call, said Borsholm.

“Fifty-one per cent of those employees clicked the link in the email and 32 per cent provided their passwords,” he said, noting those who fell for the email ranged from board members and senior management to facility operators. “When they just give passwords away, there’s no point in spending millions of dollars on firewalls because your employee is the weakest link.”

Training and awareness was his top prevention advice, and to be effective the program has to include active leadership involvement and personalized training based on roles and data access levels.

“Patching from an IT perspective is probably the most important thing to do,” he said, so if there is no dedicated IT staff managing the systems, then choose a managed service provider. “Having an unmanaged system without patching…is a recipe for disaster.”

Borsholm also stressed an incident response plan is necessary to address any cyberattacks, just like a company would have a fire safety plan. The plan should identify the actions of key employees, legal team contacts and communication messaging protocols.


Cheryl Mah is managing editor of Construction Business.
