Can you imagine what the implications would be if the personal and financial information of every employee in your company were leaked to an intruder? The 4,000 employees of Scotty’s Brewhouse sure can. They were the victims of an email phishing scam in which company-wide W-2 forms were sent to an imposter pretending to be the CEO (whoops!).
But Scotty’s Brewhouse isn’t the first or only company to be burnt by the attacks of phishers, hacktivists, and cybercriminals. And phishing isn’t the only strategy these computer thugs use, either. You see, your company (and just about every other company in the world) could be vulnerable to malware, ransomware, spam, hacking and social engineering, too.
Okay. You’re officially alarmed and a little confused, not to mention one sentence away from screeching down the hall to Human Resources to request emergency cyber security training for employees – yes, all employees. But when you get there, what will you say?
What is Security Awareness Training?
Security Awareness Training starts with the organization’s acknowledgement that their employees are the weakest cybersecurity link. Conversely, they’re also the first line of defense against cyber attacks. Security Awareness Training provides every employee with a fundamental understanding that there are imminent and ongoing cyber threats, preparing enterprise employees for common cyber attacks and threats.
Security Awareness Training generally consists of repetitive training and ongoing, sometimes random, testing in the following areas of exploitation. The most prevalent IT security threats (and thus the most up-to-date cybersecurity training) include:
- Spam. No longer limited to direct email, spam is now one of the main methods of attack via social media. When someone “invites” you to connect on LinkedIn, for example, that invitation may arrive in your email, but its effectiveness is directly related to your trust in the various social media sites. Cyber criminals can even embed password-stealing malware in a simple LinkedIn invitation.
- Phishing. Phishing is a common practice whereby hackers go after a broad target of users with emails that look genuine but are actually intended to lead the uneducated user to click on dangerous links — possibly divulging usernames, passwords, personally identifiable information, even financial information. Phishing is akin to throwing out a wide net full of bait and pulling in whatever you catch.
- Spear phishing. While phishing schemes cast a wide net, spear phishing takes a highly targeted approach to attacking specific individuals. The most infamous spear phishing attack in recent history was on John Podesta, then-chairman of the Hillary Clinton presidential campaign. Spear phishing attacks target high-profile individuals or people with access to valuable digital assets. The email is usually hand-crafted and uses all available information to make it read exactly like an actual email from a friend or colleague.
- Malware. Short for “malicious software”, malware refers to any type of software designed to cause harm to a device, such as viruses, rootkits, spyware, worms and Trojan horses. Advanced malware has a specific target and mission, typically aimed at an organization or enterprise. In 2017, the malware program known as WannaCry spread throughout the world, crippling hundreds of organizations.
- Ransomware. Similar to malware, ransomware is used by attackers to extort money (or possibly other resources) from the target organization. In June 2017, NotPetya infected accounting software prevalent in Ukraine. It encrypts files on the drive, demands $300 in bitcoin, attempts to steal credentials from memory and attempts to propagate through the network using stolen credentials or exploits.
- Social engineering. This practice is simpler than it sounds. If you’ve seen the movie Catch Me If You Can, you’ve witnessed one highly effective example of social engineering. Tripwire assessed the most prevalent types of social-engineering attacks in 2015; at its core, social engineering occurs when one person fools another into giving up access to a resource. Social engineers use a variety of tools and resources to gain access to targeted resources, but the one-on-one direct attack remains the same.
Security Awareness Training Best Practices
The following two articles spell out the most important practices for security awareness training in corporate America today.
- Wombat Security – Security Awareness Training: Best Practices to Consider
- Infosec Institute – The Components of a Successful Security Awareness Program
The two articles overlap to a certain extent; however, each offers a unique strategy to create a culture of security within an organization. These cybersecurity best practices include:
- Complying with all local and federal laws and regulations
- Getting everyone on board — the entire organization, all or nothing
- Establishing a required baseline of assessment
- Creating a system of very clear communication about the program
- Making the training intriguing and at least a bit entertaining
- Enforcing, reviewing and repeating. No “set it and forget it” or “one and done”
- Creating a culture of reinforcement and motivation for constant vigilance and learning
These seven points might be used as something of a template or starting point for developing your organization’s security awareness education program. Every organization’s individual needs are unique; however, the goals for any security awareness training program are usually quite similar.
How to Start a Security Awareness Training Program
The steps below can serve as a general roadmap for starting your organization’s unique security awareness training program.
- Identify your organization’s security requirements as they apply to individual employees.
- Determine how best to deliver the training, e.g., in person, video, online, hands-on, etc.
- Create the appropriate content for the desired training medium. This content is the training curriculum, to be delivered by a respected security professional within the organization. Material can range from free security awareness training posters and email phish testing software that trains and evaluates employees, to on-site training presentations and testing.
- Set expectations for all employees as to the requirements, timing, delivery, method and expected results.
- Schedule multiple training sessions according to general availability of the organization’s employees, with the understanding that every employee has different daily priorities and that exigent circumstances happen in people’s lives.
- Deliver the training according to the expectations set prior to and during scheduling.
- Capture feedback on the training itself from as many employees as possible.
- Conduct post-training assessments of all employees to determine how effective the training was.
- Re-evaluate the training and training medium for effectiveness, and adapt accordingly. Security training is not a “set it and forget it” approach. Both the curriculum and employees must be updated constantly and regularly.
- Correlate the implementation of training with the frequency of security-related incidents to determine the practical impact on the organization’s security health.
It’s important for employees to have a positive experience with such a requirement. Otherwise, the training will be seen as a necessary evil instead of a vital means of protecting the organization’s brand and health.
Cyber Security Awareness Training for employees helps to address one of the biggest factors in major security breaches: human error. By training employees how to recognize and respond to cyber threats, organizations can dramatically improve their security posture and cyber resilience. Mildaintrainings provides individualized risk scores for employees that let you determine how effective training has been for each individual and provide additional training or one-on-one coaching when necessary.