Ten key topics to cover in cybersecurity awareness training

Resource challenges and environmental contexts often force those in security to decide which method or methods to include in awareness campaigns – and in which quantities each should be employed.

In this post, we consider the four different types of security awareness training in turn, the pros and cons of each, and an alternative, increasingly favored approach.

1. Am I really a target?

Most cybersecurity awareness training begins by talking about security threats. It seems logical. But doing so may be a mistake – because of the human bias for optimism.

As people, we tend to harbour an inherent bias for optimism. Most of the time, it’s a helpful trait. When it comes to cybersecurity, though, that same bias means most of us struggle to imagine ever really being victims of cybercrime.

A good cybersecurity awareness campaign needs to address this upfront – because discussing threats is largely pointless unless message recipients believe the threats to be relevant and applicable to them. Cybersecurity awareness training should, therefore, begin by overcoming a key reservation to taking training seriously. It should begin by discussing why those taking the training are indeed targets.

2. Preventing identity theft

Identity theft remains the most prevalent form of cybercrime. As such, preventing identity theft is key to any good cybersecurity awareness training campaign. As well as information on preventing identity theft, cover the warning signs and the dangers of oversharing on social media.

It may also be worth demonstrating how simple it now is to steal an identity. Such demonstrations help make training emotional, and behavior change research shows emotions have an unrivalled ability to change the way people behave. Demonstrating how simple it now is to steal an identity can therefore change not just security awareness but security behaviors, too – which should be a key aim of any security awareness training campaign.

3. Passphrases and multi-factor authentication

Today, what constitutes a secure password is becoming increasingly clear. And yet, according to the password manager SplashData, 123456 is the most common password in use today.

Including information on passphrases – i.e., secure passwords that are easy to remember – as well as teaching users how to create and remember them, is essential in any cybersecurity awareness training campaign. Be sure to include information on multi-factor authentication and build in time for people to update old passwords during training.

Increasing security awareness is one thing – but changing security behaviors should be the real aim.

4. Public Wi-Fi

The ongoing rise of remote working, coupled with the increasing prevalence of unsecured public Wi-Fi, makes training on public Wi-Fi essential.

It’s definitely worth including stories to highlight the personal and professional risks presented by unsecured Wi-Fi. Stories such as that of Howard Mollett, who reportedly lost £67,000 in a conveyancing scam, are unlikely to be forgotten.

However, to really drive training content home, consider demonstrating the additional personal benefits that come from using VPN, such as how to stream your favorite Netflix shows no matter where you are in the world!

5. Social engineering, including phishing and SMShing

The UK government’s 2018 cyber security breaches survey recently polled UK businesses on their experience of breaches. 75% of those that had suffered a breach had done so following “Fraudulent emails or being directed to fraudulent websites” – i.e., social engineering and/or some form of phishing. Cyber security awareness training should therefore give special focus to both phishing and social engineering as a whole.

It’s worth thinking about how social engineering training is delivered, too. Many companies today highlight the dangers of social engineering through simulated attacks, which test people’s response to attacks “live” in the workplace. Such attacks are backed by behavioural change theory: as well as being emotionally engaging, they help modify people’s schema. Put simply, they train people to expect attacks and, as such, help modify how people respond to genuine day-to-day threats.

6. Browsing securely

The green padlock no longer marks websites as safe to use – a fact few people outside of security actually know. Few people have configured their browsers to avoid tracking or form auto-filling. Advice on browsing securely is therefore essential to any security awareness training programme.

Given behavioural change as an overall aim, it’s worthwhile going through step-by-step guides on browser configuration.

7. Device security

As with passphrase management, device security is an area which most are familiar with. Most people know the importance of antivirus software and most know how important it is to keep firewalls running. And yet malware infection remains prominent year in, year out. Why?

Again, it seems as though awareness is failing to change behavior. In the past, tried and tested content on device security has failed, so security awareness training on device security needs to go beyond what’s been done before.

Framing device security training in terms of the personal benefits users can expect is usually a good idea. For example, CybSafe’s module on device security opens with the line “This module will help you save money by showing you how to set up your computer securely.”

8. Malware

Related to device security is content on malware, which should cover the different types of malware and how infections occur. As research shows we tend to ignore security warnings, it’s worth including information on the importance of heeding security warnings, or even going one step further and decoding what ambiguously written security warnings are actually trying to say.

Including content on the signs of infection is also crucial. On average, it takes 197 days to detect a data breach or malware infection linked to data loss – yet the warning signs are often clear.

9. Breach recovery

Most security professionals agree on the naivety of failing to plan for a data breach – yet information on breach recovery is seldom included in security awareness training campaigns. The depth of subject matter necessary will vary depending on the audience. At the most basic level, people need to know how to report breaches. When training security teams though, more detail will be needed.

10. GDPR and data privacy

The General Data Protection Regulation is a far-reaching regulation and one that leaves those who handle data with some additional responsibilities.

Security awareness training that covers GDPR and, most importantly, puts it into context for various areas of an organization, not only helps organisations comply with the regulation, but reinforces the importance of the secure processing of data – an essential point, but one which some seem to have forgotten.

All ten topics above are now covered in detail by the CybSafe platform, which updates not just as the threat landscape changes but also as your people’s security understanding and behaviours advance.

After learning about individual knowledge levels and behaviour patterns, CybSafe uses behavioural change insights to advance security awareness, behaviour and culture. At the same time, it uses machine learning to continually move key security metrics in the right direction, demonstrably reducing human cyber risk. To see how it works – as well as what’s included – arrange a free demonstration here.

Source: CybSafe

Train Your Employees to Think for Themselves in Data Security

Employers have learned (the hard way) that one of the biggest security threats in the organization is their own staff.

A report published by Ipswitch looks at data breach causes to find out how rogue employees rank. An interesting find is that up to 75% of data breaches result from insider threats, while a separate report by Veriato suggests that 90% of cybersecurity experts feel that their company is vulnerable to insider attacks. In fact, about 50% of the 472 professionals surveyed said they had suffered these attacks in the previous 12 months.

Deliberate or not, these threats are very real. However heavily companies invest in data security software, they will remain vulnerable as long as they continue to ignore a large component of reducing cybersecurity threats: their own people.

Since employees (insiders) have access to company information, they are technically a bigger danger to data security than the third party cyber-criminals who use all manner of innovative ways to gain access to personal data.

A curious business owner wants to know: Why must I involve employees in implementing data security when they have been shown to be a weak point in the same strategy?

1. Social engineering transcends security tools
Human error is often the weakest link in an otherwise ideal chain. From technology to literature, social engineering is the big boss you have to beat after meeting all the other mini-bosses.

By definition, social engineering involves the use of psychological tricks to manipulate people into revealing sensitive information about themselves. For an organization, once the hacker has your employee at this point, they can gain access to all the areas the employee can typically access. Through social engineering security awareness, you can help your employees avoid the three commonest security scams – identity theft, vishing and baiting – thereby protecting your company as well.

Without adequate education on social engineering and covering that loophole, security tools are almost useless.

2. It’s part of their responsibility
Apart from preventing the catastrophic aftermath of social engineering, data security is the responsibility of every employee in the organization in this sense: if consumers expect organizations to protect their data, isn’t it the responsibility of employees to make sure the data doesn’t land in the wrong hands?

Dropbox’s 2012 incident, during which hackers reportedly stole data belonging to over 60 million of Dropbox’s clients at the time, was attributed to employee negligence.

As reported, the hackers gained access to the company portal using an employee’s password that had been reused from the LinkedIn breach of the same year, which exposed the emails and passwords of 117 million LinkedIn users.

Such an example shows that as a company, you can still unwittingly betray your customers. While Dropbox wasn’t entirely to blame, one of their employees reusing passwords offered a telling insight into the company’s internal security standards and, more importantly, a good example for all employees of password don’ts.

3. It is now a common regulatory requirement
Through internet security awareness training, organizations are required to equip their staff with knowledge about data security. Some of the laws, regulations and industry codes include HIPAA, the FTC Red Flags Rule and PCI DSS, among others. While many SMEs don’t do any training to remain compliant, many conduct the training to avoid cyber-attacks.

These tips will help you implement a great training program:

  • Diversify your training methods. Have a mix of training techniques at your disposal including classrooms, videos, team discussions, newsletters, posters, etc.
  • Educate often. Conduct regular training in monthly, quarterly, or annual cycles.
  • There’s no one size that fits all. Different members at different levels will start learning at equally different points.
  • Don’t ignore industry regulations.

Don’t be like the owner who delegates the role of data security to themselves because it’s “too important.” If you really want to be stress-free, train your employees well and promote a culture of information security.

Source: InfoSecurity

Author: Joseph Chukwube