The Chinese New Year festive season is here, and most people's inboxes and chats are starting to fill up with e-greeting messages and festive offers. And behind those messages, the number of cyber attacks is skyrocketing.

It's common knowledge by now that cyber attacks shoot up during major festive and holiday seasons, partly because people are more likely to click on e-greetings and sale offers and partly because companies tend to be stretched thin during these periods. One 2021 report by Darktrace found that ransomware attacks alone increased by 30% globally during the holiday period.

But organisations don't necessarily take any additional precautions around this time of year. Nor do many organisations seem to register high levels of cybersecurity awareness at all, despite internal training and external warnings. For example, Fortinet's 2023 security awareness and training survey found that even though 85% of organisations do have cyber awareness training programs in place, 56% of IT and cybersecurity leaders feel that employees still lack the knowledge or awareness to keep company assets safe.

Why is employee cyber awareness (or lack thereof) a problem?

People are the biggest hole in any organisation's cyber defenses. The same Fortinet survey also found that the vast majority of cyber attacks (81%) were phishing attacks that targeted employees directly, often through sophisticated and convincing emails or text messages. Employees who fell for these attacks would be persuaded to input their credentials on false sites, download malware, or even directly transfer information or funds to attackers.

The risks associated with employees getting phished – or otherwise exposing company credentials, data, and other assets to attackers – is known as insider threat, and data from the last few years indicates a strong correlation between remote work and insider threat incidents. It began with employees using unsecured personal devices to access company systems during lockdowns, progressed to a jump in phishing attacks as cybercriminals exploited the sudden surge of virtual communications, and was exacerbated by security budgets being cut during the initial emergence of Covid-19 and the resulting economic crash-landing.

Fixing the insider threat hole

The low-hanging fruit here is obvious. Organisations need to find a way of boosting employee security awareness. It's not just a defensive measure for the company, but also a layer of protection for the employees themselves.

However, the issue with much current cyber awareness training is a lack of reinforcement. Often, cybersecurity awareness is treated like a pro forma practice: employees go through course materials with or without an instructor's help, take a test every quarter or so, and are considered 'aware'. But this approach runs into the same problems as any other kind of learning and development that relies only on periodic testing. Employees do not get the opportunity to put what they have learned into practice, nor do they receive any kind of reinforcement.

Cybersecurity providers from Palo Alto to Fortinet to CyberArk recommend, and in fact practise internally, regularly testing employees' awareness – not through written or MCQ tests, but by presenting them with real-time, real-life 'threats' that give them immediate and engaging feedback on how accurate their responses are. Here are some of the more effective employee cybersecurity best practices that require minimal resources invested for a relatively large payoff in terms of risk reduction.

Sending your own 'phishing' emails

Many security experts recommend sending regular test phishes to the employee database. These are emails purportedly coming from senior leadership or other credible figures, encouraging the employee to click on a link or input their credentials somewhere unusual. Employees who fall for it will get a message that they have been fooled – the best way to make the lesson stick. They may also be logged to receive additional training in security awareness. Such test emails can be fully automated.

Sending periodic reminders

Government and law enforcement organisations often send advisories to the public during periods of heightened risk. For instance, the Singapore Police Force and the Cybersecurity Agency of Singapore issue advisories every year warning the public about festive-themed scams that create vectors for cyber attack. Organisations can similarly send automated reminders of security best practices, not just during risky periods but on a regular basis. The open and read rate of these messages can be tracked to give a general idea of whether the workforce is paying attention to such warnings.

Setting up malware 'traps'

Malware ranks up beside phishing as the top insider threat faced by organisations, and employee awareness of malware can be tested and reinforced in much the same way – emails and messages encouraging them to install dodgy software, with a payload that simply tells them they fell for it (and of course tracks who fell for the trick and how often). Some security experts have even described seeding offices with actual thumb drives loaded with fake malware, to see whether employees make the mistake of picking the drive up and putting it in their computer.

Social engineering tests

A more sophisticated and complex version of phishing emails, this can involve encouraging an employee to engage with a false persona – someone from another department, a vendor, or a customer – and eventually transferring data or funds to that 'individual'. Today's generative AI capabilities make it possible to automate such interactions, and in fact cyber criminals are already using generative AI to carry out scams.

While more resource-intensive to set up than simple automated phishing, this particular type of test also yields a great deal more data on security awareness and what needs to be done to reduce insider threat: for example, it helps pinpoint when exactly an employee realises they are being scammed, and what cues are effective or not effective in fooling the person. That in turn allows security professionals to improve the training being provided to the workforce.

This is how you get everyone to care about security

All the above tests are a form of learning in the flow of work – the current recommended L&D best practice – that support insider threat reduction strategies in five separate ways . First, they reinforce whatever people have already learned about cybersecurity. Second, they clearly communicate expectations around security. Third, they generate data that helps an organisation better understand its cyber risk level. Fourth, they create a feedback loop that helps security professionals improve the training given to the workforce.

Most importantly, though, these tests get individual employees to care about how security-savvy they are, simply by telling them to their face every time they get it wrong. Employers who want to drive the lesson home even harder can even offer a small annual bonus for security awareness - and reduce it every time someone fails such a test.

This kind of negative reinforcement is critical in a field where the payoff is not about having something happen, but about having something not happen. At a time when more than 2,200 cyber attacks happen worldwide every day and the number is still increasing, avoiding one such bullet is in itself an accomplishment.

So as the holiday comes closer and the chance of being targeted by a cyber attack rises, it might be time to send out a reminder of your own, and reduce the festive cyber risk by that much for a very small effort.