6 Steps of a Successful Cyber Security User Awareness Programme

Written by Mark Terry | Dec 6, 2019 12:00:00 AM

Unfortunately, technology alone cannot protect you from cyber security attacks. You can have the best tools available and the most skilled security operations team, but without an effective ‘cyber’ user awareness programme your business will always be at risk. While it is unlikely (albeit possible) that a disgruntled employee could cause deliberate harm, it is far more likely that an employee will make an honest mistake that opens the door to a cyber attack.

In fact, 90% of successful cyber attacks start with a phishing email.

Hackers target weaknesses caused by users. Weak passwords are the unlocked windows. Phishing is your aunt letting a con man into the house. A cyber security user awareness programme trains, supports and empowers your users to ensure your business isn’t low-hanging fruit for criminals. If you can measurably reduce human error, or the likelihood of clicking on a phishing email, you have significantly improved your cyber security defences at considerably less cost than another new technology.

6 Steps of a Cyber Awareness Programme...

Step 1: Establish a Baseline

It is important to establish a baseline measure - a starting point. How much do your employees know about cyber security, particularly phishing scams? With huge data breaches and ransomware attacks hitting the headlines in recent years, you could be forgiven for assuming your users understand these threats. While users might be aware that threats exist, they often know little about the risk those threats pose - and don’t be surprised if some have never heard of the word phishing! Once you have established a baseline, you can develop tailored training programmes and measure improvements.

To Assess Your Employees, Test Them!

Develop mock phishing attack training programmes and see how well they perform. This will give you a clear picture of the current employee awareness levels of phishing, ransomware, and spear phishing. From this point, you should clearly understand potential security weaknesses.

Step 2: Review Processes and Compliance

Once you have established user security awareness, it is important to conduct a thorough audit of all policies and procedures. Check these against regulatory compliance and tighten them accordingly.

GDPR etc.

Ensure you factor in GDPR, PCI-DSS and other compliance requirements. You should also look at the results from Step 1 and shape your policies to address security vulnerabilities among your staff.

Step 3: Provide Broad-Based Training

Here, you outline the basic information to improve user security awareness. This would include the motives and objectives of hackers.

What Phishing and Spear Phishing Are

Provide good examples and highlight the consequences of the most common types of cyber attacks:

  • The seriousness of the threat and the possible outcomes for the business.
  • What staff should do with suspect emails, or in the event of a successful scam.

Your internal communications should take the form of department-wide emails, publications and awareness posters covering specific cyber security awareness issues, such as ‘How to create a strong password’ (that they can remember!) or ‘How to identify a phishing email’, together with regularly planned training briefings to keep staff on their toes.

Step 4: Targeted User Security Awareness Training

Once you’ve revised your policies and procedures, it is time to put them to the test. This is where you develop training programmes for specific roles or departments, such as HR, senior management, and even IT. To do this, you should:

  • Send out simulated phishing emails, and make spoof phone calls. Can you “reset a password for a user” without following the correct protocols? Tailor your campaign based on job role, department, and awareness level (assessed from Step 1).
  • Identify who clicked on the phishing emails. These individuals should be enrolled in a user awareness training programme (ideally role-based). Senior managers have more responsibility and access to sensitive data than non-management employees, so the training should reflect the likely scenarios each employee is expected to face.
  • Utilise the main cyber attacks in training simulations, including phishing, spear phishing, password strength and ransomware attacks.

Step 5: Assess Results & Address The Risks

Your employees have undergone simulated cyber attacks, and assessing the results is the next step. This will tell you:

  • The effectiveness of your training programmes, policies and procedures
  • The weak areas that require mitigation

It is good practice to grade the weaker-performing areas by severity. This makes it easier to revise policies and training to address the most vulnerable and attack-prone areas first. When complete, develop and introduce a plan to address the problem areas.
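As an added illustration of Steps 1, 4 and 5 (not part of the original post or of CyberOne's service), the following Python scores a simulated phishing campaign per department, ranks departments worst-first by severity and lists the users to enrol in targeted training. The campaign records and the severity weights are constructed assumptions.

```python
from collections import defaultdict

# Constructed results from one simulated phishing campaign (not real data):
# one record per recipient, holding the most serious action they took.
# Actions, from least to most serious: reported, ignored, clicked, submitted.
CAMPAIGN = [
    {"user": "alice", "dept": "Finance", "action": "submitted"},
    {"user": "bob", "dept": "Finance", "action": "clicked"},
    {"user": "carol", "dept": "Finance", "action": "reported"},
    {"user": "dave", "dept": "HR", "action": "clicked"},
    {"user": "erin", "dept": "HR", "action": "ignored"},
    {"user": "frank", "dept": "HR", "action": "reported"},
    {"user": "grace", "dept": "HR", "action": "reported"},
    {"user": "heidi", "dept": "IT", "action": "ignored"},
    {"user": "ivan", "dept": "IT", "action": "reported"},
]

# Hypothetical severity weights: entering credentials is worse than a bare
# click; reporting is the behaviour we want, so it costs nothing.
WEIGHTS = {"submitted": 3, "clicked": 1, "ignored": 0, "reported": 0}


def baseline(results):
    """Per-department click rate, report rate and severity score (Steps 1 and 5)."""
    by_dept = defaultdict(list)
    for r in results:
        by_dept[r["dept"]].append(r["action"])
    summary = {}
    for dept, actions in by_dept.items():
        n = len(actions)
        clicked = sum(a in ("clicked", "submitted") for a in actions)
        summary[dept] = {
            "users": n,
            "click_rate": round(clicked / n, 2),
            "report_rate": round(actions.count("reported") / n, 2),
            # Weighted harm per user, so departments of different size compare fairly.
            "severity": round(sum(WEIGHTS[a] for a in actions) / n, 2),
        }
    return summary


def ranked_risk(results):
    """Departments ordered worst-first: the order in which to revise training and policy."""
    s = baseline(results)
    return sorted(s, key=lambda d: (s[d]["severity"], s[d]["click_rate"]), reverse=True)


def training_list(results):
    """Users who clicked or submitted credentials, to enrol in role-based training (Step 4)."""
    return sorted(r["user"] for r in results if WEIGHTS[r["action"]] > 0)
```

Re-running the same scoring after each campaign gives the measurable improvement Step 1 asks for, since the baseline and later results are computed on the same scale.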

Step 6: Regular Auditing for Continued Improvement

Finally, as cybercrime evolves, you should develop audit programmes and assessments to keep pace. Formulate proactive processes and procedures that check for trend changes in cyber security attacks.

Cyber security user awareness training is not a one-off exercise.

You must continually assess your ‘cyber awareness’ to maintain a high level, with continuous training initiatives and up-to-date policies that include new joiners, new technologies, and new threats.

CyberOne's ‘Ready-To-Go’ Security User Awareness Programmes

Implementing a security awareness programme can have a big impact, significantly reducing human-based threats. However, it will naturally require time and effort to implement and manage. CyberOne’s comprehensive Email Phishing & Cyber Security User Awareness Service provides a ready-made security awareness programme to maximise the impact and effectiveness without using up the bandwidth of your internal team.

  • A central record of activity on all training campaigns delivered
  • 1000+ library of customisable phishing templates
  • Extensive library of Security Awareness Training content (videos, posters, etc.)
  • Monthly simulated phishing attacks
  • Themed campaigns, by user group, language
  • Quarterly spear phishing emails
  • Monthly reports on performance improvement for all employees
  • Production of legal documentation to the ICO, courts, PCI Audit Boards, etc.