In our previous article, we focused on cybersecurity awareness and why you need to create an awareness program in your company. While it was just a roadmap to what you should consider including in your plan, we already emphasized the importance of cybersecurity awareness training for your employees.In this article, we decided to go one step further. We focus on what elements you need to incorporate into your employee cybersecurity training. Before elaborating on what you need to teach your staff, we explain why employee information security training is vital and also compare the old way and new way of cybersecurity awareness training.
Traditional security training doesn’t work. Mika Aalto, Hoxhunt Co-Founder and CEO, wrote the following:“If done efficiently, security awareness training helps fend off cyberattacks like a shield. Unfortunately, right now it focuses too much on awareness and too little on practice.”This article aims to help you to re-imagine the human part of your information security training, putting your program into practice for a modernized approach that can truly help you to fight off cyberthreats.
Why focus on training your employees on security
Your employees can help you shield your organization from cyber-attacks. When you involve your employees in information security training, you provide them with up-to-date know-how on cyber threats. But, it’s not enough that they are aware of the risks. They need to be able to identify different attack types, but they also need to know how to act once they detect that something is off.To change or improve your employee’s behavior, practice is the key.
When you include people in your practical security awareness campaign, you equip them with the right knowledge and skills. This can create a shared sense of responsibility and accountability. By engaging all people from your organization, you communicate that everyone in your company is responsible for security.
Information security technology vs. Human firewall
You’d probably not think twice about investing in information security technology to protect your organization. Gartner forecasted that in 2019, companies would spend 124 billion US dollars on defense technologies. Since most incidents start with human error, you should also spend money on employee training. Employee error puts your company at risk. You seriously need to consider improving your defenses. Without being able to recognize the threats, your employees are easy targets for hackers.
As we spend more time online and cyberattacks become increasingly common, it’s essential that people recognize the threats and know how to behave. You should encourage people to behave the right way while they are at work but highlight also that you provide them with an essential skillset to be more secure in their private life while browsing the internet, using email, or shopping online. This is the knowledge that they can also pass down to their families, friends, or their communities.
Help employees recognize the most common cyber threats
First, people should be aware of the most common threats:
- Phishing (56% of IT leaders claimed that phishing attacks are their top security threat)
- Spear phishing
- Ransomware (In 2018, ransomware cost businesses over US$8 billion)
- Social engineering (fake identities, clickbait, sneaky tactics used by hackers to get company information)
- CEO phishing scams
- Business email compromise (BEC) (BEC losses were accounting over US$12.5 billion globally)
(More on some of these threats will follow below.)These attacks could result in a severe data breach or other consequences, such as paying criminals millions of dollars to secure your information.Cybersecurity is a constantly evolving area. Hackers move fast, and they come up with new attack types all of the time. You need to make sure that you keep your employees updated – by not only communicating to them the different attacks but also by allowing them to practice and learn by doing.
Untrained employees are the biggest risk for your company
Untrained employees are the biggest threat to your company. When you think about the training topics, remember, it doesn’t need to be complicated. Training can be super simple, but it should still cover essential areas.The emphasis is on continuous learning. Remember to update and repeat the training regularly. Repetition is the key to creating a habit.Frequent practice means that employees can become accustomed to cyber threats like phishing or social engineering. If they fail some of the exercises, at least they fail in a safe environment.Cyber-trained employees will add the most critical layer of defense to your IT security.
The old way vs. the new way of cybersecurity awareness training for your employees
The field of cybersecurity awareness is changing quickly.This is partly because of innovative training providers who have made it their mission to help companies improve their employee education and partly because more and more CISOs recognize that people are an essential part of the defense against cybercriminals.We have created a table to make it easier to compare the main differences between the old and the new methods of cybersecurity awareness training.Before looking at the table, ask yourself what you recall about security training.For most of us, it means an eLearning environment, PowerPoint presentations, clicking through educational material, lectures on policies, and a few sessions of training a year apart from each other.
What to cover in your employee cybersecurity awareness training?
While we would advise you to customize the security training for different stakeholders, such as employees, managers, IT administrators, and IT developers, in this article, we focus on what you would teach to your average employee.We’ve curated a list of important topics that people should be aware of.
Essential cybersecurity training topics
We recommend that you tailor your program based on which modules are the most important for your success in terms of reducing risk. For example, if you have been experiencing an increasing amount of phishing emails, make sure you train your employees on that. If you have a workforce of remote workers, you want to create policies and excellent training around working remotely, traveling while working and bring your own device (BYOD) rules.(Note that the topics are not in a specific order.)
Perhaps we don’t need to introduce you to passwords. They are a simple way of protecting your data and IT systems from unauthorized access. While the concept is simple, it can be surprisingly powerful if it’s used correctly.You want to keep intruders far away from your company. For the best possible protection, your employees should use strong passwords, and it’s recommended that they use a different password for each different site and software.A password manager can help to make your employees’ lives a lot easier, and it encourages them to use a variety of strong passwords.
Although you are most likely using various tools and security measures to keep your organization’s email boxes safe from unauthorized access, compromise, and loss, your employees should also be aware of the threats.Today, email is the most typical channel for spamming, phishing attacks, spreading malware, and using social engineering to get sensitive information.As attackers commonly try to access your data through these tactics, you should pay special attention to education on email security. While you can purchase solutions to keep your emails safe, it is invaluable that your employees know what to expect and how to behave to protect your resources from intrusion.
Any software that was developed with the intent of damaging your devices and systems or steal your data is considered malware.It’s easier to prevent malware than control the damage after the incident. Therefore, it’s important to educate your employees to recognize threats from malware and how they can avoid spreading one.
In a previous article, we defined social engineering as the following:“Social engineering is a set of tools and practices which rely on social manipulation and social psychology and are used to get people to perform certain actions.”. Criminals use manipulation to deceive employees for their own benefit. Corporate social engineering methods include credential theft, advanced persistent theft, financial scams, or, for example, tech support impersonation.
“Phishing is a form of cybercrime where an attacker poses as a legitimate institution and uses their fraudulent authority to lure information from their target.”As we mentioned above, 56% of IT leaders said that they have a phishing problem. It’s not enough that your employees know that phishing exists. They need to be appropriately trained on how to behave when they receive phishing emails. There are several subtypes of phishing:
- Vishing (e.g., You Win a Prize)
- Web Phishing
- Mass Marketing Phishing (e.g., Amazon Gift Card)
- Spear Phishing
- C-Level Email Impersonation
Phishing training could be a cornerstone of cybersecurity awareness training for your employees. As this is one of the biggest threats that your employees will most likely encounter, preparing them by investing in their education is a great first step.For more details on phishing, we published two detailed articles:
Forcepoint defined data leakage as the following: “Data leakage is the unauthorized transmission of data from within an organization to an external destination or recipient. The term can be used to describe data that is transferred electronically or physically. Data leakage threats usually occur via the web and email but can also occur via mobile data storage devices such as optical media, USB keys, and laptops.”Most data leakages are accidental and often start with a phishing attack. Minimizing your chances for data leakage is only possible through proper employee education.
Business Email Compromise
We published an eBook before titled Just How Much of a Threat Is Business Email Compromise. In the eBook, we defined business email compromise as follows:“Business email compromise (BEC) is a type of ‘advanced deception.’ It uses a sophisticated series of steps to ultimately trick someone in a company into moving money into the scammer’s account. BEC is also known as CEO Fraud, because the scam often begins with the CEO - the cybercriminal placing their focus on the highest-level officers in an organization. The cybercriminals behind the scam use the practice of social engineering.”BEC can happen in the form of an impersonation of a C-level executive or an attorney (e.g., invoice BEC), email account compromise, or data theft for further crimes. People should be aware of the different types of BEC to be able to prevent possible attacks.
Ransomware is malicious software that aims at extorting money from the victims. It can affect both individuals and corporations. When using this method, criminals will threaten that if you don’t pay the ransom, your systems will be compromised or entirely shut down.A notification may pop up on the screen, telling you that your network has been encrypted, and you won’t be able to access it (won’t get the decryption key) until the ransom is paid. Criminals will threaten you with the key being destroyed if the money is not paid.Both crypto-ransomware and locker ransomware prevent you from accessing your data. If an attack like that happens, you should have an action plan, and your employees should be aware of whom to report to and what to do.
Incident reporting is essential for keeping track of the attacks that your employees receive. Having proper processes in place means you’ll be able to collect data, classify threats, and determine how you are going to respond to threats and incidents originating from a malicious source.Incident reporting can vary by industry. For example, these are a few common ones:
- HIPAA (healthcare)
- FISMA/NIST (federal agency or government contractor)
- PCI DSS (if you accept, store, or transmit credit card data)
- NERC/CIP (energy and utility companies)
- NYCRR (New York insurance companies, banks, or other regulated financial services institutions)
- SOX (public organizations — in some cases, private companies must also comply with SOX regulations)
Working remotely & traveling
Today, the workforce is more mobile than ever before. People have the freedom to take their devices and work from their homes or anywhere in the world. Many workers also travel for business.From a cybersecurity perspective, this is a CISO’s nightmare. You need to protect your company’s data, minimize data leakage, and avoid a data breach.Be sure to create policies to follow for remote working. For example, use Transport Layer Security, Corporate IT’s Mobile Device Management, and Conditional Access to manage how and when your users can access the data, encrypt all devices, and emphasize password protection (for example, require multi-factor authentication).Also, clarify the bring your own device (BYOD) rules for everyone. Preferably, forbid access to documents and information on devices that don’t meet the security requirements of your company and that are not managed on the corporate level.
Training your employees in cybersecurity awareness can pay off
Creating a strong cybersecurity culture starts with employee training. You should emphasize that everyone can help to protect your organization.While cybersecurity awareness training for your employees may take an enormous amount of effort to plan, communicate, and execute well, the results could be stellar in fighting off cyber attackers.In the next blog, we will explain how to evaluate and measure the success and effectiveness of your cybersecurity awareness education.