Are Staff Your Biggest Cyber Risk – or Your Best Defence?

Unsafe passwords leaving the doors wide open are only a part of what makes a cybersecurity risk in the modern world. Add phishing emails, calls and the urgency of the business world to the mix and you have a whole spectrum of attack opportunities, to the point where someone seemingly “voluntarily” gives out their information. In this blog post, we'll address the threats and how your you can equip your colleagues with the knowledge to prevent cyber breaches

Table of Contents

A Real-Life Phishing Scenario

Security in Microsoft 365

A Common Sense Approach to Cybersecurity

AI-Powered Cyberthreats

What Your Colleagues Actually Need

How to Support Your Team - Download Our Staff Guide

Put It to the Test - Run an Attack Simulation in M365

A Real-Life Phishing Scenario

• A colleague - let's call her Jane - at your organisation receives a convincingly real looking email from your business partner Derek with a OneDrive share link to help with a project.
• Derek is known within your company, but Jane hasn’t had any direct contact with him.
• It indeed turns out to be a phishing email to steal login credentials, which was sent from Derek's compromised account.
• Had Jane clicked on the link, your organisation would now also have to deal with a data breach.

That’s how phishing attacks can have a snowball effect.

Security in Microsoft 365

If your organisation has been using M365, you should be aware of the security features. You can dictate when staff need to update their password, if it needs to be a minimum length or meet other security requirements, if they need multi-factor authentication etc.

Also think of access rights, such as just-in-time access, granting someone access for a limited amount of time for a task and the general underlying Zero Trust principle.

Even if it’s not about giving away your credentials, you also want to ensure your colleagues share files safely, so you can e.g. restrict that files can only be shared internally via OneDrive – or implement data loss prevention policies that make it impossible for staff to send a specific file via email. Ensure anti-spam, anti-malware, and anti-phishing protection for email is in place.

But even if you have already actioned all of the above, it’s still on your staff to do ‘their bit’ where technology can’t protect from all cyberthreats.

A Common Sense Approach to Cybersecurity

General cybersecurity training is a given, but it’s often too technical and too long – or even seen as a tick-box exercise. Additionally, people forget policies but choose the “path of least resistance” – i.e. what’s easy to use.

It’s worth urging your colleagues to take a common sense approach when dealing with emails, especially the phishing kind: Think of the real example we mentioned further up in this article, or a phone call they may be receiving asking for assistance from a person they know. Prompt them to ask themselves questions like: “Have I dealt with this person before, why would they request this from me?” or “I know this person, that’s not what they sound like and why would they ask me for this?”

Email Check

Unfortunately, phishing emails come in many forms, such as those that look like they're from Microsoft (or other software vendors/platform providers). Even then, ensure you check sender details and links before clicking, especially if the email relays a sense of urgency.

Check

1. Sender mail address (sent from a supposed company, but uses a @gmail.com address; or replaces letters with similar looking ones - micros0ft.com etc.)
2. Grammar, typos (mind, they also do exist in non-phishing emails)
3. Design - what does the branding look like?
4. Link - right-click and copy the link address and paste it into a word processing application - does the URL match the text, are there small deviations from the actual (well-known) URL e.g. micr0soft.com
5. Sense of urgency - call to action: do you need to reveal any personal information, log on to a platform, open/download a file etc.?

In case of doubt - and if you know the person - get in touch in another way to check if it's really them who have sent the email. If you're interested in a more visual guide, download our Microsoft 365 Cybersecurity 101 Guide for Employees.

AI-Powered Cyberthreats

If you’ve been following recent news at all, you’ll have heard about the increase of AI use in cybercrime – we’re talking deepfakes, vishing attacks (voice cloning) and the like – for a malicious actor to pretend to be someone in a position of power to initiate a bank transfer or to obtain sensitive information. In this scenario, the same applies: What’s the rationale behind the request, does this sound like them? But there are other ways to protect yourself – such agreeing on a code word which can be asked for in a case of emergency.

What Your Colleagues Actually Need

Long story short: you’ll want to make cybersecurity accessible to create a habit of cyber hygiene and even more staff awareness. That means:

1. Plain-English tips they can use
2. Clear rules around sharing, passwords, and MFA
3. A short visual guide they’ll actually read

How to Support Your Team

We’ve created a simple M365 Security 101 handout you can give directly to staff.

Covers the basics – without the tech jargon.

✔️ What phishing looks like and what to do if they receive a phishing email

✔️ Why MFA matters

✔️ How to share files safely

✔️ How to secure their own devices

Put It to the Test - Run an Attack Simulation in M365

In case you didn't know, Microsoft offers Attack simulation training to test users in your organisation (although you'll need  a Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 licence.) This way, you can test how cybersecurity aware staff in your organisation are. Follow the instructions here.