by Caroline Hroncich, associate editor Employee Benefit Advisor, September 26, 2018

Everyone gets them — an email message that looks exactly like it came from a co-worker or a supervisor. It may come with a link that asks an employee to log in with a company username and password. To the untrained eye it seems harmless.

But employees need to think twice before they click, warns Monica Minkel, senior vice president and regional director of insurance brokerage and consulting firm USI Insurance Services. These are the kinds of scams, she says, that lead to major cybersecurity breaches — and major headaches for employers.

“These claims are like spider webs,” she says. “It’s one thing that happens that leads to about 10 other things that happen.”

The number of attacks on company computer systems is on the rise. The average number of security breaches per year increased by 27.4% in 2017, according to a report from Accenture. But by the time an attack occurs, it may be too late. Discussion on preventing a cyberattack should happen before the breach even occurs, experts say, and human resource departments need to play a key role in preventing these attacks.

Traditionally, new hires are required to complete an HR-facilitated cybersecurity training during their first few weeks in the office. But a single onboarding training session is not enough anymore, experts say.

A small mistake by an unsuspecting employee is often at the center of a major security breach, says Jon Gossels, president and CEO of IT compliance and security consulting services company SystemExperts.

Gossels says the “fundamental problem” is that many employers still don’t view cybersecurity as an HR issue, and too many place most of the burden on IT. In reality, cybersecurity is a business-wide problem, he says, and shouldn’t just be concentrated in IT.

“It’s the human side of things that inevitably breaks down,” he says.

Having a solid employee training program in place can help prevent a cyberattack, Gossels says. Employees may not understand why, for example, you shouldn’t take important company data home, he says, and these kinds of things should be thoroughly demonstrated in training.

“It’s important not to just tell people the rules, but to explain why,” he says.
