According to the Anti-Phishing Working Group (APWG), phishing attacks by cybercriminals are becoming increasingly common. In fact, the APWG reported a 24% increase in phishing attacks worldwide from the first half to the second half of 2012, and an overall increase in attacks involving shared web-hosting servers. These attacks, and others like them, pose a real and serious threat to organizations with any type of enterprise infrastructure, from on-premises ERP software to cloud and SaaS ERP systems.
Even if your organization already has fairly strong security measures in place to protect its ERP system, security can always be strengthened. This is especially true if employees are not yet educated on potential risks. Educating employees may be one of the most powerful security measures an organization can take to prevent email phishing attacks, confidentiality breaches and other cyber-attacks.
Employee training not only helps prevent common attacks but also creates a level of awareness and diligence that employees can learn to apply to every potential security situation they face at work.
Following are several tips for educating employees about organization-wide and system-wide security:
- Communicate your organization’s security goals so that employees understand the reasoning behind new policies and procedures. Put security risk in a context that directly relates to employees by explaining that a security breach affects not just data but the organization’s reputation and, ultimately, its ability to achieve business goals.
- Encourage employees to attend security training sessions and ask employees to sign confidentiality agreements. Similar to general ERP training, security training should be ongoing and supported by strong buy-in from executives.
- Share news about security breaches at other companies and use them as a teaching tool. Organizations may also choose to confidentially share general information about attempted attacks on their own ERP system. While stories can be strong motivators, be careful about how much detail you share, because employees themselves could use that information to launch copycat attacks internally.
- Launch simulated phishing attacks to test employees’ current level of security knowledge and to grab their attention. After assessing employees’ responses, explain how they should respond to similar attacks.
Training employees on security procedures and encouraging them to remain alert is the responsibility of both managers and the IT department. If your organization is in the midst of an ERP implementation, the project team should be driving such efforts. If your organization is enjoying the bliss of post-implementation, you might have forgotten about organizational change management, but here it is again! Are you surprised?
To learn more, check out some of our past blog posts: ERP Training Strategies; Protecting Your ERP System from Cyber-Crime; and Cybercrime and ERP: How Vulnerable is Your Organization?