The performance of salespersons is usually measured in terms of revenue, not in terms of security awareness. As a result, most of their efforts are geared towards closing contracts and not vulnerabilities. If your sales representatives do not know how to protect the confidentiality of business information, your valuable assets (corporate information) could be mishandled or accessed by unauthorized individuals. You also risk being non-compliant with laws that require enterprises to maintain information safety and security awareness.

Why is Security Awareness Important for Sales Reps? Why Should They Participate?

The American Society for Training and Development (ASTD) revealed that US firms dedicate around $20 billion each year to sales training. 50% of that money is geared towards sales skills, with the rest being spent on company, product and industry knowledge. A major portion of this investment is set aside to train newly recruited salespersons.

But what’s astonishing is that most sales training programs don’t focus on security awareness. ToutApp’s CEO Tawheed “T.K.” Kader, while speaking to Fortune, mentioned most aspects of on-the-job sales training, but nothing of security awareness.

The purpose of including security awareness in sales training is to create competencies that allow sales reps to make sound decisions when they encounter security issues. All it takes to compromise critical company information is one salesperson clicking on a malicious attachment. Education in this context can lessen the chances of salespersons becoming victims of intrusions.

Salespersons should actively participate in security awareness programs because cyber criminals consider them the ripe fruit to pick. Hackers target them with email abuse, browser attacks, stealth attacks and other evasive tactics.

Why are Sales Reps Targeted?

Hijacking the information consumed and transmitted by sales representatives in the form of phone calls, emails, etc., could give hackers access to an organization’s personal information and knowledge about its financial capability. Moreover, because sales reps input data into an enterprise’s Customer Relationship Management (CRM) solution, they are a prime target for cyber criminals.

While CRM data is not the easiest way into, say, a plethora of customer accounts, a closer examination reveals that it is quite lucrative for hackers. These days CRM data contains everything, from intellectual property data to financial records. Therefore, more damage can be done if an adversary targets a sales rep who has access to the company’s CRM in a cyber invasion.

Sales reps are also targeted because they add a personal touch to the files they directly upload to their companies’ systems. Hackers who can access and modify their files through any attack method can bypass all current protection measures without being detected. In addition, clients and vendors can be targeted by cyber criminals directly. The latter method reduces the chances of detection as “trust” has already been developed.

Moreover, sales reps are not trained in detecting highly personalized attacks. It is particularly challenging for victims to determine if the reply to that quote/pitch includes a malicious attachment because they could assume that the reply was from a familiar contact and was vetted initially. However, that contact’s email could have been overwritten by a hacker who was spoofing the communication. Network monitoring and protective software will not protect against the intrusion once the adversaries become trusted insiders.

What are Some Common Security Mistakes that Sales Reps Make?

From sensitive contracts sent via unencrypted apps to opening attachments of all kinds, sales reps are often lax about the safety of corporate information. Some of their most common information security mistakes include:

  • Lack of background research and skepticism

Salespeople often do a poor job of conducting background research on the communication exchange they have with prospects and clients. If it is an email from a name they have talked to in the past, they are likely to mark it as a trusted source, disregarding the fact that it could be a phishing attack that’s asking them to enter credentials or download an infiltrated attachment.

  • Leaving sensitive material on unencrypted channels

Salespersons often brainstorm in teams and exchange ideas over the Internet. However, they do not give importance to encryption. Ideas and information exchanged over an unencrypted communication channel could easily leak out sensitive company data to an adversary.

  • Using insecure devices

The number of salespeople using Bring Your Own Device (BYOD) policies is growing each year, but several of them lack awareness about BYOD risks. Sales reps use personally-owned devices to connect to business networks and transmit sensitive information. When these devices are used outside corporate walls, sales reps can install insecure apps, which would create a host of vulnerabilities when they reconnect to the corporate network.

  • Ignoring the security of wireless connections

Salespeople work just about everywhere. While most corporations have a strict policy about connecting to their information ecosystem via unsecured WiFi, sales reps end up doing it anyway while they are on the go. The majority do not think about the risks of being connected to public WiFi, and therefore put their company’s network at risk.

It is up to the organizations to balance out these risks with security awareness training.

What is the Best Way to Train Sales Reps on Security Awareness?

Because of the many security mistakes sales reps often make, security awareness training cannot be overlooked.

Start off with a buy-in from key stakeholders. Full support from the sales department is necessary to successfully increase security awareness amongst sales reps. The buy-in should be followed by coordination with key departments that have similar interests and could provide additional resources like distribution or funding. For instance, the compliance department can make security awareness a necessary component of sales-related processes, such as exchanging emails.

When it comes to the actual training, don’t just make it a check-box exercise. Sales reps need to understand the security culture and know that their efforts will contribute to the organization’s aim of achieving HIPAA compliance, PCI compliance, and compliance with any other requirements that are part of federal regulations. The main goal is for sales reps to adopt security awareness training in a way that lasts.

On that account, it is important to ensure that the security awareness training material is delivered to sales reps in a creative manner. You can make it fun and engaging by integrating interactivity and gamification. For instance, the security awareness department can set up a series of emails, including a few phishing emails, to send to sales reps. Salespeople who spot the phishing attempt can be given a bonus.

Likewise, an enterprise should utilize its Learning Management System (LMS) to test salespeople on the concepts, track their progress and assign them knowledge-based questions that enable them to recall and retain the information presented to them in security awareness training. Work with other departments to make the LMS content more interesting. For instance, the marketing department is good at packaging information, so it can be asked for help.

Ensure the training is continual to build a culture based on security awareness.

Security Awareness Tips / Resources for Sales Reps

It could be challenging for sales reps to keep up – especially if they are not immersed in IT on a daily basis. However, they can avoid being classified as a “security liability” by following these security awareness tips:

  • Bookmark Security Awareness Resources: If sales reps do not know some concepts, they can get themselves acquainted by going through security awareness resources. For instance, InfoSec Institute’s computer-based security training platform, SecurityIQ, combines computer-based security and a phishing simulator to test employees’ knowledge on enterprise security.
  • Set Reminders: Even with all the learning, constantly staying vigilant can be difficult for sales reps. It is not always easy to know if there’s a threat, so it can be beneficial to set reminders about security. For instance, salespeople can stick notes on their laptops that remind them that every email could include potential malware.
  • Get a Checklist from IT: Sales reps have the option to enlist help. For instance, they can ask IT for a checklist to run through when they receive emails, phone calls or new visits. An email checklist could include pointers like verifying the sender’s email address, speaking to the sender before opening his/her email, etc.
  • Follow Good Password Practices: Sales reps should have different passwords for personal and work-related accounts to thwart adversaries. In addition, they should keep the strongest passwords (mixtures of numbers, symbols and phrases) for the most critical accounts. Enabling two-factor authentication will let others know that salespeople are aware of security protocols.

     


Conclusion

Providing sales reps with security awareness should be an ongoing practice. Their training should be followed by security condition and incident reports to track progress. Lastly, it should be proactive and flexible. This would ensure that the primary function of the sales department is not disrupted.


Dan Virgillito


SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
