Cybersecurity has been a major topic of discussion throughout 2016, with no signs of cyber attacks slowing down. Several organisations have faced high-end data breaches with millions of stolen credentials. Across the world, hackers are taking control of networks, locking away files and demanding sizable ransoms to return data to the rightful owner. From phishing attacks to ransomware and advanced persistent threat attacks, these days it is not a case of if companies get breached, but of when.
The most basic thing that every organisation needs is security awareness training. Security awareness training is all about teaching your colleagues and employees to understand the risks and threats of the ever-evolving cyber world. Its main purpose is to ensure that these people realise that organised gangs of cyber criminals will deliberately try to attack, steal, damage or misuse your organisation’s systems and information, and that therefore everyone within the organisation needs to be aware of the associated risks and work to adequately protect the organisation against them.
Security awareness training also ensures that employees are fully aware of the consequences of failing to protect the organisation from outside attackers. Such consequences span from criminal penalties to large-scale economic damage to the company and the loss of employment. Finally, once employees fully understand why securing data is important and which systems they need to protect, your security awareness training programme should highlight the key ways in which attackers can gain entry to your network, and the steps necessary to curtail these risks.
Before we go on explaining the benefits of security awareness training, let’s take a look at two attack scenarios.
1. Whaling Attacks
- A whaling attack is a targeted attempt to steal sensitive information from a company, such as financial information or personal details about employees. A whaling attack specifically targets senior management who hold power in companies, such as the CEO, CFO, or other executives who have complete access to sensitive data. A recent survey by Mimecast found that 55 per cent of firms had experienced a whaling attack in which a senior member of the finance team received an email claiming to be from the company’s CEO, attempting to con staff into transferring large sums of money out of the company’s accounts. The most popular attack method for this is domain spoofing, which accounts for 70 per cent of all whaling attacks.
- You might remember the massive whaling attack that happened back in February this year. The CEO and the CFO of FACC Operations GmbH were sacked after the company lost €40.9 million (£31 million) to this attack.
- Security awareness training would educate an organisation’s employees and actively engage users in distinguishing legitimate email from damaging phishing emails through the use of simulated phishing attacks.
2. Ransomware Attacks
- The ransomware epidemic continues to rage on, encrypting files of private and enterprise users alike. Ransomware has become a global problem. According to the FBI, the accumulated revenue in the first three months of 2016 was over $209 million.
- The two best methods to prevent ransomware are data backup and security awareness training. Learning not to click on malicious links can save your files from being encrypted by a hacker. Email security is very important.
- Security awareness training is an important process in educating all company employees, and failing to implement a well-defined programme can often result in significantly higher numbers of reported intrusions and ultimately the loss of company data and revenue.
So, what areas does security awareness training cover?
These areas typically include:
- Password best practices – why passwords are important, how passwords should be used, common password exploitations, two-factor authentication and how to create strong, memorable passwords.
- Email and browser security – how to spot suspicious email messages, modern web browser security features, the ability to identify malware/viruses, why phishing is such a huge threat, and best practices to mitigate the biggest risks.
- Social engineering – what social engineering is and how it works, the risks of social engineering attacks, the most commonly used social engineering techniques, and methods to protect yourself from social engineering attacks.
- Avoiding malicious downloads – the consequences of running malicious downloads, best practices for keeping software updated and for installing new applications, the ability to identify whether a system has been infected with malicious software, web browser configuration for better security, and how to deploy internet/email security software.
- Mobile security – the most common threats to mobile devices, how mobile POS (Point of Sale) systems work and the risks they come with, appropriate procedures for handling cardholder data while using mobile systems, how to ensure that mobile devices are secured, and the security risks associated with using personal mobile devices at work (BYOD, bring your own device).
- Social media security – the best way to use social media, the privacy and security parameters offered by social media, risks of using social media at work and at home, ways to minimise social media hacks and the acceptable use of social media when at work.
- Anti-virus and software updates – the function of anti-virus software, methods to keep both software and operating systems up to date, how to use Windows Update securely, how to install, configure and update anti-virus software, and methods to secure mobile devices as stringently as other devices.
- Secure remote working – the most common risks and threats associated with accessing company data and systems while working remotely, the technology and software available to make remote working more secure, how to handle private data when working remotely, and what steps to take when mobile devices are lost or stolen.
- Physical security – the importance of physical security for both devices and applications, the advantages of using screen privacy protectors, the importance of wearing an identity badge, how to report any violations of physical security, and the key steps to take if an individual either attempts to breach, or successfully breaches, physical security.
- Protecting cardholder data – the function of PCI standards and why compliance is so important, identifying the most sensitive pieces of information on a credit/debit card, determining what and who needs to comply with PCI standards, explanation of how card transactions work and how to handle credit/debit card data in a secure fashion.
The Awareness Tactics You Should Use
When it comes to cybersecurity awareness, the best defense truly is a strong offense.
Businesses can’t rest on their laurels, maintaining legacy systems or recycling the same old security practices. Network managers have a range of tactics to deploy to educate employees and nurture stronger cybersecurity awareness.
1. Speak Their Language
Leave the technical jargon, industry-speak and million-dollar words at the door. You’re engaging real people across real, diverse departments, not writing a dissertation.
Cybersecurity awareness will stick when it’s tailored to its audience. Highlight specific examples of how new policies and procedures will make employees’ work lives easier, not more tedious or stressful. Walk them through department-specific, pertinent security examples. Use relevant metaphors. And most of all, keep things common sense. Practical, everyday solutions go a long way towards mitigating the risk of employee errors.
2. Make Training Engaging…
- The best tactic to institutionalize cybersecurity awareness training is to make it a full activity for your employees, not a passive obligation.
- Many strategies can be employed to do so. Paper sessions, quizzes and questionnaires completed beforehand prime employees to reflect on their own security insights and experiences. These provide direct fodder for the materials covered during training, with employees more invested in what’s discussed since they’ve already put time and thought into it.
- Furthermore, don’t be afraid to step outside the box when it comes to the training and presentations themselves. Utilize multimedia, stories and even hands-on activities for more impactful sessions.
3. And Quantifiable
- Awareness tactics are only as good as their results. And the results are only good if they can be seen and measured. For security awareness training, identify performance goals and their baselines before new policies and procedures get implemented. Track these goals with relevant KPIs, then tweak and tailor accordingly.
4. Remain Positive
- Scare tactics and apocalyptic breach stories only go so far, particularly with non-technical employees who may see themselves as removed from the cybersecurity and IT narrative.
- Instead, balance stressing the importance of cybersecurity awareness with positive updates. Report on progress, share examples of jobs and tasks made safer as well as errors caught or threats mitigated. This keeps up momentum and reframes the importance of cybersecurity from doom-and-gloom vigilance to victory.