Skip to main content
  • Cybersecurity

Are some employee groups considered higher risk for cyber threats?

By Erin Hutchison
Content Marketing and Social Media Specialist

Access, authority and education are some factors that make certain groups a higher risk, which could mean they benefit from supplemental cybersecurity awareness training.

No one is immune to cyber threats—anyone is a target, and anyone (even those working in IT) can have a bad day, get caught off-guard while distracted, or become too arrogant to believe they’d fall for a phishing scam.

But there are some factors that make certain groups of employees higher risk, which could mean they benefit from customized or supplemental cybersecurity awareness training.

Here are some questions to ask that help identify these higher-risk groups.

What data and systems do they have access to?

The web team has admin access to your website. Finance and accounting deal with payments. HR likely retains sensitive employee data. Each department, and the various roles within each department, has access to data and systems. If these were to be compromised, they would affect your organization’s ability to operate.

Don’t forget, there are people other than traditional employees who have access to systems as well. Contractors, co-op students, etc. may not be the first people that come to mind when assessing risks to your organization, but they are still vulnerable. Don’t forget about cybersecurity awareness training for them as well.

What special powers and influence do they have in their role?

Whaling is a common form of phishing that targets executives in the hope of gaining access to more profitable and/or sensitive information. This means that decision-makers in the C-Suite are at a higher risk of being targeted by cyber criminals.

Another common phishing tactic involves spoofing an email to appear as if it’s coming from a person in a high position. A request for login access or payment that looks like it’s coming from a big boss increases the urgency and pressure to click.

How much training have they had? Have they been clicking links in phishing simulations?

When a user starts CIRA Cybersecurity Awareness Training, their risk score is higher, since they haven’t confirmed that they understand cybersecurity basics first. Once they’ve completed baseline onboarding training, their risk score will improve. As they continue to report suspected phishing emails to IT, their risk score will go down. If they happen to be repeat clickers (which IT admins would be able to see in the training platform), their risk score would go up and supplemental training automatically is assigned.

What can you do to address high cyber risk groups?

You might accept that there will always be some form of cyber risk with certain groups, but here are some tips to help protect your organization’s data and systems:

  • Assign supplemental training: create a specialized workflow for certain departments or roles (combination of courses and targeted phishing simulations)
  • Introduce helpful processes, tools and policies: review how employees request and grant access to systems; introduce tools like a password manager; have a clear process for handling vendor payments
  • Implement Role-Based Access (RBAC): each employee should only be able to access what information is needed to do their job. And it’s dangerous to assume people working in higher-up roles should get access to everything—they probably don’t need to access these systems on a day-to-day basis.
  • Provide ongoing training: new employees are not yet familiar with the proper processes that follow cybersecurity standards and are therefore at a higher cyber risk. That being said, tenured employees may become complacent and can also easily fall victim to a phish—that’s why ongoing training is important. Most of our training customers elect for automated phishing simulations sent on a monthly basis.
  • More extreme measures: everyone plays a role in keeping an organization’s data and systems safe, and for some repeat clickers it warrants a discussion involving the manager on the potential consequences of their behaviour, or restricting access to systems.

About the author
Erin Hutchison

Erin brings to CIRA a background of marketing experience in higher education and the not-for-profit sector. In 2015, she participated in ISOC’s Youth@IGF Programme and traveled to Guadalajara, Mexico to attend the IGF. She has a Bachelor of International Business from Carleton University.