May 30, 2019
Hacking is widespread, with cyber criminals deploying any viable method to breach your security. Their motives vary, but all represent a threat to your organisation.
Even if you already have sophisticated cyber security controls in place, you may feel you have done enough to protect your business. Sadly, there is one vulnerability that remains:
It is well understood (by hackers and IT pros) that employees are the weakest security link. We humans are prone to error and manipulation, which is why hackers use numerous techniques to exploit that fact.
The good news, however, is that effective security awareness training will measurably reduce your users’ susceptibility to social engineering and other commonly exploited vulnerabilities.
Cyber security awareness training: What is it?
Security awareness training is the key to stopping many cyber attacks.
Simply put, security awareness training involves taking known techniques used by hackers, explaining to your employees how they work and how to spot them – and the procedures to follow should an employee suspect an attempt to breach security.
This extends to password policy, phishing emails, losing a device, or sending documents to the wrong recipient.
Testing your users’ cyber awareness
Coupled with ‘real-world’ tests, this lets you benchmark and quantify your employees’ susceptibility – and therefore quantify the improvements (and reduced risk) after training.
Why should you prioritise cyber awareness training?
As a business, there are naturally a number of reasons you should prioritise user awareness training within your organisation. Some of these should be obvious, but as we know, best practice is not always implemented by either users or businesses.
It is easy to crack passwords, whether from using lists of previously hacked passwords, or testing common combinations, such as ‘Password123!’. So it is critical your staff follow proper protocol when choosing a strong password.
Why is the most common password still ‘Password’?!
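As an added illustration of the kind of check the password guidance above calls for (example code written for this page, not Comtact’s own tooling), the following Python script vets a candidate password the way a defender would: against a constructed sample of breached passwords (standing in for a corpus such as Have I Been Pwned’s Pwned Passwords), against simple variants of those passwords such as ‘Password123!’ or ‘P@ssw0rd2019!’, and against the organisation’s own name. The breach list, the company term and the minimum length are assumptions chosen for the example; the SHA-1 prefix lookup mirrors the k-anonymity range query used by the Pwned Passwords API, so the full password never has to leave the checking host.

```python
"""Vet a candidate password against breached-password data (added example)."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample standing in for a breached-password corpus; a real
# deployment would query a large dataset such as Pwned Passwords instead.
BREACHED_PASSWORDS = [
    "password", "Password123!", "letmein", "qwerty", "welcome1",
    "123456", "Summer2019", "Comtact2019",
]

# Assumed policy values for this example.
MIN_LENGTH = 12
COMPANY_TERMS = ("comtact",)

# Common single-character substitutions users apply to dictionary words.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s", "!": "i"})


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form used by Pwned Passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: List[str]) -> Dict[str, Set[str]]:
    """Index hashes by their first five hex characters.

    This mirrors the k-anonymity 'range' lookup: a client sends only the
    5-character prefix and compares the returned suffixes locally, so the
    full password hash never leaves the host.
    """
    index: Dict[str, Set[str]] = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def base_word(password: str) -> str:
    """Reduce 'P@ssw0rd2019!' to 'password' so trivial variants are caught."""
    word = password.lower()
    word = re.sub(r"[^a-z]+$", "", word)   # drop trailing digits/symbols
    word = re.sub(r"^[^a-z]+", "", word)   # drop leading digits/symbols
    return word.translate(LEET_MAP)        # undo common substitutions


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)
BREACHED_BASE_WORDS = {w for w in map(base_word, BREACHED_PASSWORDS) if w}


def is_breached(password: str) -> bool:
    """True if the password appears verbatim in the constructed breach list."""
    digest = sha1_hex(password)
    return digest[5:] in RANGE_INDEX.get(digest[:5], set())


def check_password(password: str) -> List[str]:
    """Return policy findings for a candidate password; empty means accepted."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        findings.append("appears verbatim in a breached-password list")
    base = base_word(password)
    if base and base in BREACHED_BASE_WORDS:
        findings.append(f"is a simple variant of the common password '{base}'")
    if any(term in password.lower() for term in COMPANY_TERMS):
        findings.append("contains the organisation's name")
    return findings


if __name__ == "__main__":
    for candidate in ("Password123!", "P@ssw0rd2019!", "Comtact2019!Secure",
                      "correct horse battery staple"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The point of the variant check is that composition rules alone do not help: ‘P@ssw0rd2019!’ satisfies a typical length-plus-symbols rule yet reduces to the single most common password once the usual substitutions are undone. Rejecting such candidates at creation time, rather than relying on users to judge strength, is what turns a password policy into a control.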
Phishing emails are a component in over 90% of successful cyber attacks, whether by deploying malware or by fooling users into providing login details.
So you should educate your staff as to what a phishing email and spear phishing email looks like. Highlight the consequences of giving a sensitive password over to hackers and downloading files that could contain malware.
Simulated phishing emails are a great way to test and measure users’ susceptibility to attack.
Naturally, employee security measures should extend outside of the office too. With more and more flexible working, it is important to have robust policies in place for dealing with lost/stolen devices, managing passwords and adhering to important technical security controls.
It is important employees understand their roles and responsibilities in legal compliance and regulation. Like Health and Safety, the company has a duty of care to all its stakeholders. This extends to how employees use IT equipment.
What should cyber awareness training cover?
In order to raise the security awareness among your employees, an outline programme should include:
Awareness of the types of cyber attacks
- Make your staff aware of the different types of cyber attack, including phishing, spear phishing, bogus phone calls, password attack, malware attack, adware tracking, spyware tracking, ransomware, and trojans.
- Be sure to include how they work, what they do, and what to do if an employee becomes suspicious of emails, websites, etc.
The damage from cyber attacks
- Should a hacker crack your password they can steal data, send spoof emails, or execute viruses. Or they can sell this information on the Dark Web, or publish the data for public scrutiny. If they steal sensitive data such as credit card numbers, the hacker can use this for personal gain. The potential damage is limitless.
- Educate your teams on how to create strong (and unique) passwords they can remember, as well as the importance of not giving out a password to anyone.
- Ensure your password policy and working practices eliminate the need for one employee to give their password to another.
Phishing and Spear Phishing
- Educate your staff not only on what phishing is, but also on the level of sophistication hackers deploy. Provide examples, along with how often phishing features in successful cyber attacks.
Working from unsecured remote networks
- Highlight the dangers of working from unsecured networks.
- Public Wi-Fi, in hotels, airports, cafes etc. can bypass your security controls, creating a hole in your defences.
- Develop robust policies and practices to deal with human error scenarios, like sending the documents to the wrong person or losing equipment. These should be easy to follow for staff and easy to implement.
- Develop similar procedures for accidental file deletion. It is important that every staff member realises the dangers and their responsibilities, and that it is the responsibility of every stakeholder.
Developing a security awareness training programme
It is important that your policies are robust and that training is ongoing. A training programme can start with simple guidance on password policy, but could also include simulated phishing attacks and internal campaigns to raise awareness across your organisation.
One thing is certain: your employees will always be a security vulnerability, but with the right training they can also be your first line of defence.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.