Companies Try Tailored Approach to Avoid Cyber Missteps

New strategies include specialized training for employees in different units about how hackers might target them

Spain-based power company Iberdrola made changes to boost cybersecurity. Its procurement team, for instance, no longer communicates with suppliers via email, cutting down on spoofed emails impersonating Iberdrola employees or business partners.


BRUSSELS—Corporate cybersecurity teams are exploring creative strategies to bridge small gaps that could lead to major data breaches, focusing on training employees about how hackers might manipulate them.

Three years ago, Spain-based power company Iberdrola SA started requiring every unit to create its own strategy to prevent cyberattacks and teach staff about threats to specific technologies they use, said Chief Information Security Officer Rosa Kariger.

“It’s really about creating a cybersecurity culture, but you need a tailored approach,” said Ms. Kariger, speaking on the sidelines of the European Cyber Security Conference last week.

As a result of the redesigned training program, Iberdrola made several changes to bolster cybersecurity. To cut down on the risk of spoofed emails impersonating Iberdrola employees or business partners, for example, the procurement team no longer communicates with suppliers via email. Instead, the company established a direct method for those communications, Ms. Kariger said, without providing details. The procurement team also has a dedicated reporting system for reporting suspicious queries it receives to the security team.

To avoid lengthy contract negotiations with business partners over cybersecurity measures, Iberdrola’s legal team started specifying security requirements when it requests proposals from potential suppliers, she added.

Since implementing training programs tailored to different business units, the company, which has more than 30,000 employees, has experienced significantly fewer cybersecurity incidents involving social engineering techniques such as phishing emails that impersonate someone, Ms. Kariger said.

Employees now send Iberdrola’s cybersecurity team about 64,000 alerts on average each month about suspicious emails they receive. Though many of those emails aren’t from hackers, Ms. Kariger said it is a positive sign that employees are concerned.

Corporate cybersecurity teams view such alerts from employees as indicators that staff are able to identify suspicious behavior that could give hackers an entry point to company networks.

Companies struggle to teach employees how to identify hackers’ techniques and report suspicious behavior to cybersecurity teams, cybersecurity experts say. Only 31% of employers provide companywide cybersecurity training, insurer Chubb Ltd. said in a report published in September.

Cybersecurity executives often take an approach to educating employees that is too narrow, focusing on making sure their teams’ expertise is solid and sharing only minimal information about threats with staff from other business units, Ms. Kariger said.

“We’re missing the opportunity to train our engineers, our lawyers, medical staff,” she said.

Each business unit within Iberdrola nominated employees to a global cybersecurity committee, which coordinates the different plans.

At Credit Suisse Group AG, Chief Information Security Officer Chris Girling said that to better combat phishing, the bank decided a few years ago to focus on how long it took employees to tell the cybersecurity team they were duped by a test email the team sent.

“The shift of focus was not: are 5% of people clicking? It was: are 60% or 70% reporting it and are they doing it within the first two minutes?” he said, speaking at the conference in Brussels.
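As an added illustration that is not part of the article and not code from Credit Suisse or Iberdrola, the following Python computes the kind of metrics Mr. Girling describes for a phishing simulation: the share of recipients who report the test email, how many do so within the first two minutes, and how long the security team waited for the first report, alongside the traditional click rate. The record layout, field names, the two-minute default window and the ten sample results are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class SimulationResult:
    """Outcome for one recipient of one simulated phishing email (constructed schema)."""
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]   # None if the recipient never clicked
    reported_at: Optional[datetime]  # None if the recipient never reported it


def campaign_metrics(results, report_window=timedelta(minutes=2)):
    """Summarize a simulation campaign with reporting-centred metrics.

    The click rate is kept for comparison, but the figures that matter for the
    approach described in the article are the report rate, the fraction of
    recipients reporting inside `report_window`, and the delay until the first
    report, which is what lets the security team start blocking similar mail.
    """
    total = len(results)
    if total == 0:
        raise ValueError("campaign has no results")

    clicked = [r for r in results if r.clicked_at is not None]
    reported = [r for r in results if r.reported_at is not None]
    delays = sorted((r.reported_at - r.sent_at).total_seconds() for r in reported)
    fast = sum(1 for r in reported if r.reported_at - r.sent_at <= report_window)
    # Recipients who clicked and then still reported: these are the people the
    # article says should be rewarded rather than blamed, since their report is
    # what gives defenders the chance to contain the incident.
    clicked_and_reported = sum(1 for r in reported if r.clicked_at is not None)

    return {
        "click_rate": len(clicked) / total,
        "report_rate": len(reported) / total,
        "reported_within_window": fast / total,
        "clicked_and_reported": clicked_and_reported / max(len(clicked), 1),
        "median_report_seconds": median(delays) if delays else None,
        "first_report_seconds": delays[0] if delays else None,
    }


# Constructed sample campaign: ten recipients, all sent the test email at T0.
_T0 = datetime(2019, 10, 1, 9, 0, 0)


def _at(seconds):
    return None if seconds is None else _T0 + timedelta(seconds=seconds)


SAMPLE_RESULTS = [
    SimulationResult("u01", _T0, _at(None), _at(30)),
    SimulationResult("u02", _T0, _at(None), _at(90)),
    SimulationResult("u03", _T0, _at(20), _at(60)),
    SimulationResult("u04", _T0, _at(45), _at(300)),   # reported, but after 5 minutes
    SimulationResult("u05", _T0, _at(15), _at(None)),  # clicked and never reported
    SimulationResult("u06", _T0, _at(None), _at(100)),
    SimulationResult("u07", _T0, _at(None), _at(None)),
    SimulationResult("u08", _T0, _at(None), _at(150)),  # just outside the window
    SimulationResult("u09", _T0, _at(None), _at(10)),
    SimulationResult("u10", _T0, _at(30), _at(110)),
]


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_RESULTS).items():
        print(f"{name:>24}: {value}")
```

On the constructed sample the click rate is 40%, yet 80% of recipients reported the email and 60% did so within two minutes, with the first report arriving ten seconds after the send; that is the shift in emphasis the quote above describes, from "how many clicked" to "how many reported, and how fast".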

Recent corporate cyberattacks prove that one misstep can cause a major breach, but some employees will always open phishing emails, Mr. Girling said. Companies including power utilities in the U.S. have suffered cyberattacks after employees opened email links or attachments containing malware, giving hackers access to corporate networks.

With the new strategy, Mr. Girling said he is “really trying not to demonize people for a failure.”

If Mr. Girling’s team learns quickly that an employee opened a malicious email, experts can roll out defensive tools within seconds and block similar emails, he said.

Since Credit Suisse started focusing on how quickly employees respond to phishing tests, the cybersecurity team now “rewards” workers who report mistakes by telling them how they helped the company, Mr. Girling said.

Employees now alert the security team about malicious emails more often and more quickly than they did in the past, he added.

Write to Catherine Stupp at