The Ultimate Guide To Security Awareness Training (Free PDF)

Understanding The Cyber Security Landscape

 

39% of businesses surveyed found a BYO device on their network that had downloaded MALWARE

As we come to depend more on technology in business as within our day-to-day lives, the threat to our systems is evolving. We’ve moved on from simple viruses that attack a vulnerable PC leading to hours of removal and repair work. We’re now in an era where the wireless technology is being used to control devices across the organization; where each individual has their own smart phone.

Now, each team member has their own role to play in protecting their organization and its customers from outside threats. And so, the question becomes: What can organizations do to empower and guide individuals in supporting organizational security in this era of increased digital dependency?

 

An evolving threat

With an increasing consumer awareness on security breaches and data risks, companies must now be more proactive in how they manage their systems. The studies show that cyber-attacks are increasing in both frequency and scale. Research by digital services company Gemalto found the number of data breaches worldwide increased by 164% between 2016 and 2017. And many growing companies across the country are still not prepared to face the new and emerging threats.

 

Let’s look at the factors that are influencing the current cyber security landscape and shaping the marketplace.

 

Device Changes

The diversity and number of devices that both employees and customers of the modern organization use is increasing. Whether it’s the latest iOS system or the newest Android release, mobile devices are now increasingly being targeted by hackers directly as a way to access business information and extract valuable data.

The newest devices might feature the latest security protocols, but companies must still put safeguards in place, and educate employees on the benefits of their use. This is particularly true within an organization with a BYOD policy, where outside devices are being brought into the office.

Policies of this nature might give employees more flexibility and autonomy within their positions, but they also present a threat to companies in which data control and access limitations are critical security considerations.

 

The IoT

The Internet of Things is a developing marketplace in which every item within the office, from the thermostat to the refrigerator, is connected to the Internet to provide a constant data link that helps automate various elements of office life. While this increasing automation is making the life of the modern employee easier, and helping companies reduce costs, it also presents a very real security risk.

In an environment where many systems are connected to the same server, it only takes a small flaw in a rarely used product to allow access to the entire data infrastructure. And, all too often, connected devices are left vulnerable through the use of default passwords, and standard security protocols that have long since been infiltrated by hackers.

The IoT trend has given rise to the looming threat of botnets, which are automated systems that scan large swaths of information in seconds for potential weaknesses. Botnets use default passwords and other standard security processes to log-in to unprotected devices, allowing them to control the device after entry and then use the data they find to impact the company, its staff and employees.

In capitalizing on the IoT trends within their companies, teams must maintain clear sight on their security goals and mitigate the impact of automation on their security structure.

 

Lack of Onsite Skills

With the increasing need for IT security guidance and the rising challenges emanating from across the globe, there’s a dearth of onsite skills for the modern business to utilize. Specialists in IT security, particularly in modern IT security threats are few and far between.

Recent data shows that 75% of organizations worldwide lack a cybersecurity expert on their staff4. And this is leading companies to turn to outside sources for a response to the challenge. It’s the reason many are outsourcing their security education and working with trusted companies in ensuring their IT teams and other office staff have the information they need to make more effective security choices.

 

New Forms of Attack

In recent years, attackers have also devised novel ways in which to attack organizations and access data. One of the more common methods in large scale attacks in recent years has been the use of ransomware. Ransomware attacks involve infecting an organization’s systems and then asking for a form of “ransom” in order to stop the attack and remove the infection.

The success of these types of attacks was highlighted by the WannaCry event, in which 250,000 computers in over 150 countries, including systems in 16 NHS medical centers, were infected within less than a day.5 As with the Equifax breach, a patch would have resolved the issue but, without a proactive focus on IT security, organizations incurred a significant cost.

Business email compromise is another form of attack that is on the rise in recent years. The data shows that between October 2013 and December 2016, hackers stole over $5.3billion in the U.S. alone through BEC attacks. 6 This style of threat is becoming more popular along with BYOD policies. Companies allowing their employees to bring their own devices must be acutely aware of the importance of email security and threat analysis.

Many experienced professionals have fallen victim to sophisticated email attacks in recent years, simply due to a lack of education within organizations and a lack of attention to detail. The goal for the modern company is to train employees to identify out of the ordinary requests and common strategies used by attackers to gain data access.

Prediction Models an Important Security Element within the current security field, AI-based prediction modeling has become another important element in safeguarding companies against potential threats. Studies involving the use of AI-based machine learning programs are helping to determine when an organization is most vulnerable to attacks and through which channel a threat might be arise. This can give companies the upper hand in terms of defending their data and in threat mitigation over the coming years. The focus is now on helping staff work with these machine learning systems and on learning the measures to take when a threat is highlighted.

 

Use of Applications as a Threat

While mobile applications are now helping improve the performance of smartphone and increasing the capabilities at the hands of the mobile workforce, the data on mobile applications is at significant risk of attack in the modern area. Many organizations are now harnessing sever-less apps, which support greater scalability. These applications also capitalize on the use of data in transit.

Data being sent between networks is at its most vulnerable state and can be captured by coordinated attacks seeking out specification information on a company, its employees and customers. The use of applications within their workforce can make companies more vulnerable to DDOS attacks, in which a server-less architecture might fail to scale with the demand for service, leading to expensive disruptions for the company.

How Security Breaches Occur?

In learning more on information security, business leaders must first study the most common types of security breaches and how organizations have been impacted by these events. The following are common techniques that attackers use to breach the security of the modern company.

 

SQL Attacks

SQL attacks are considered the low-hanging fruit of the security field, as they are one of the easiest to prevent and yet remain among the most common techniques deployed by attackers. The SQL attack allows a hacker to enter malicious code in a piece of text, perhaps in an email or a Word document. The malicious code then allows the attacker to take over the device and extract specific data. Using this technique, cyber criminals have been able to gain access to company financial information, customer data, and other high-value items that might be stored on a server.

 

Stolen Passwords

Another common way in which attackers gain access to information is by stealing passwords from a company directory. They might gain access via a traditional SQL attack or by simply by using social engineering to acquire information over the phone. Teams must learn more on how social engineering is being used to gain access to information. In this scenario, a person may call and say they are from the firm’s IT security department and require access to login credentials to update their computer. In many cases, employees simply trust the person on the phone and provide their details of their own free will.

A password can also be stolen easily if the user has kept their default password or if the password hasn’t been updated regularly. Hackers are now using botnets to brute force attacks using default passwords on millions of computers over a short space of time. Keeping the default username and password on the device leaves the user vulnerable to password theft and data loss.

 

Malware Installation

Another common form of attack in recent years is through the use of malware. Malware is a form of malicious software that, when installed on the target system, can be used to control system data and allow the attacker to steal all available information. The malware is often installed after an email is sent to the target.

The email is usually designed to look as if it came from an authority within the company or a software manufacturer offering an update. By accidentally installing malware on their computer systems, users can then allow the malware to spread throughout the company’s network, infiltrating all data areas and causing significant issues.

It’s part of the reason that companies are now educating their employees on how to spot the signs of a malware infestation and guiding them on mitigating the issue before it begins to cost the company and its customers.

 

Device Theft

In the BYOD era, companies are now giving mobile staff members the option of bringing their device with them and then using their personal device to communicate with customers and other employees. Data retained on these devices has become highly valuable to attackers as it often contains the credentials for logging into secure areas of the company network. And so, when a device is lost or stolen, it can put the company at risk of a significant financial loss. Proactive companies are now building policies that help to safeguard data in the event of theft or loss.

They are also encouraging employees to back-up their device data on cloud based system to mitigate the threat and implementing BYOD policies such as document protection to ensure lost devices don’t lead to further financial loss for the company.

 

65% of companies don’t enforce their password policy.

Ponemon Institute

 

Documentation Errors

Human error is another of the leading causes of security issues within the modern organization. With the vast amount of documentation being disseminated throughout the globe, companies are now focused on using these documents effectively and preventing private document data from getting into the hands of cyber criminals. Oftentimes, a security breach within a large company is the result of a simple documentation error by an employee.

The employee might simply make the mistake of publishing private data on a public resource, giving access to a website or the email address of a company employee which then leaves their data vulnerable. The forwarding of sensitive information is another common mistake. Choosing the wrong email address or adding information that should have remained on a private server to the email chain can have a significant impact on the company.

It’s why so many are now taking the time to teach their employees about how to work with documents and how to control the flow of information from their computer.

 

Failure to Back up Data

The failure to back up the data on the server could make a security breach costlier when teams have to add the data back into the system. Many security breaches not only result in the theft of data but also the loss of data for the company. In the case of a stolen device for example, this could leave the team with no understanding on which data was lost and who has been impacted.

Take the time to back up data regularly and find out who is using which data on the system. This data retention process can help create a chain of custody for the data and prevent significant costs being incurred in the future. In view of these threats, what can companies do to safeguard their data? There are multiple steps that should be followed in ensuring that data is safe and security breaches are eliminated. Our team at Cyber Risk Aware specializes in advising companies on IT security and we recommend the following steps be taken to prevent data breaches:

• Institute end user awareness training through a qualified company
• Craft a comprehensive encryption policy
• Perform regular vulnerability reviews with the team
• Apply patches regularly and review new patch options
• Back up all data regularly.

The Threats Facing your Organization

In safeguarding their company in the current landscape, business leaders must learn more on the common threats to their organization and its data. Each industry faces varied risks from threat actors, each with their own motivation and intent. As leaders in the cyber security marketplace, Cyber Risk Aware staff regularly work with our clients in mitigating threats to their business and we have found the following threats to become a growing issue within today’s organizations:

 

Man in the Middle Attacks

One of the more common modern techniques hackers use is a sophisticated version of the traditional man in the middle attack. The attacker finds their way into the organization and then places a keylogger or another tracking system on a computer. New attacks use IOT devices to listen in on all wireless communications across the network. They then gain access to a company email address and watch the communications that take place between the user and others in the company. Because they have access to the user’s credentials and their passwords, they can then act as the person in emailing others for financial information and private data.

 

Phishing Scams

A recent phishing scam conducted by a Lithuanian cyber-criminal cost Facebook and Google more than $100 million combined. There are still rich rewards for phishing attacks and firms must be prepared to mitigate the issue. Companies continually fall victim to phishing scams, despite this technique being one of the more common and widely understood issue within the security marketplace. The typical phishing attempt involves a simple email which is designed to look like it came from an authority within the company. The email might ask the person to download a document or click a link within the content. Once the desired action has been completed, the attacker is given control of the device and can then access device data and act as the user of the system.

 

BotNets

A botnet attack begins with a single computer virus. The virus then spreads to connected computers on the network, and then sends a signal back to its command center, which is operated by the cyber-criminal. From their command center, the criminal can then control all the computers within the botnet, and use any data they discover as the review the network. Botnet attacks are on the rise across the globe and many skilled hackers are even now offer botnets for hire for others to use. It’s a billion-pound industry that is only set to grow with the increasing success of botnet events.

 

Malicious JavaScript

The websites that we click on every day during work hours can detail specific information about our location and our computer. Those with criminal intent can create sites that have a malicious JavaScript written into the programming to allow the instant download of a virus once the user opens the site. One click from a user within a company network can cause the download of a virus that shuts down the entire network, and potentially costs the company thousands of pounds in lost revenue. This is yet another reason behind the importance of secure web use and for installing the latest virus scanning and removal products.

Harnessing The Value Of Security Awareness Training

 

Training employees how to recognize and defend against cyber-attacks is the most under spent sector of the cybersecurity industry.”

John P. Mello Jr. – Tech Beacon

 

With the wide-ranging threats facing organizations in the modern business climate, the need to educate employees is clear. But most companies still have little understanding on the importance that a comprehensive employee-training program can bring to their business and so here our experts will layout the value provided through security training.

 

Protecting the Business

The latest threats from computer hackers are designed to impact your business and steal money and data. Only through a proactive approach to security awareness training can companies ensure that each team member is security savvy. Security awareness training can help keep businesses running effectively when a security incident arises. Training can also help to minimize business downtime and showcase the firm’s understanding of the current climate and its commitment to protecting customers and employees.

 

Remove The Weakest Link

While the technology teams use is often designed with the goal of mitigating threats and ensuring business safety, those using the technology aren’t always adept in effective security practices. One of the key benefits of working with a training specialist on a security awareness program is that it removes the weakest link within your security infrastructure – the employee.

It provides the individual with the knowledge they need to detect and stop threats before they impact the business. By empowering the employee to take the measures required to protect the company, firms are now minimizing the potential for attackers to target individuals. After training is completed, problems related to social engineering and other individually focused attacks can be reduced.

 

Consistent Approach

A lead benefit of security training is that it keeps every team member is on the same page when it comes to security. When a threat arises, each team member will know exactly what the process is for dealing with the problem effectively. While the burden of responsibility is still on the individual employee, they are given the tools and resources required to act on potential threats. Team members can work together in resolving security issues, building an environment of trust and confidence among coworkers.

 

A Focus on Prevention

Prevention is far more affordable than responding to a security issue. Companies can save millions of pounds by using security awareness training to prevent potential attacks on their systems. Security awareness training is the ideal investment for the growing business intent on harnessing the newest technology.

 

Speedier Detection

In the event that hackers try to access company data or use any of the more common techniques such as phishing, man in the middle attacks, and social engineering, trained employees will be able to detect and report a security incident in a much more efficient manner. Their security training, awareness, and vigilance will allow them to notice the changes that have taken place on their system as a result of their training, and they can then alert their managers who will initiate the appropriate response process.

 

The average 10,000-employee company spends $3.7 million a year on dealing with phishing attacks.

Ponemon

Outlining Key Features in Your Security Awareness Training Program

In considering security-training companies, business leaders must take into consideration the style of program offered by the firm. Only quality programs can ensure the best return on investment in security training.

Let’s look at the key features of a comprehensive security awareness training program.

1. Incorporate a Variety of Tools

The leading security awareness training programs incorporate a range of tools and content to get the message across. From quizzes to hand-on training services, programs should be diverse to incorporate all the methods employees require for education on security.

 

2. Integrated Testing

The top companies completing awareness training offer integrated testing that simulate a security event and test the teams based on their response to the simulated threat. Such testing has proven critical in improving team knowledge and given management staff a clear understanding on the points-of-weakness within the organization.

 

3. Regular Training

The training program should include regular education classes to give employees the opportunity to build their understanding on a week-by-week basis. Conducting short, regular training over the long-term has been shown to increase user understanding and help teams remember key training elements during their everyday activities.

 

4. Security Roles Assignment

Additional training should be provided for those in management positions in order to oversee employee actions and deliver maximum return on investment. Management teams should be trained on the steps required to help team members move forward within simulations and testing. They should also undergo training on the actions required when real-time security issues are reported by team members.

 

5. Comprehensive Reporting Features

The training programs featuring built-in reporting tools help provide actionable data on the strength of the company’s security, and ensure the information is available to decision-makers. This helps to significantly enhance the value of the program and support team members in meeting their security goals. Reporting tools allow teams to see in clear detail where room for improvement exists and then to target these areas in upcoming training.

 

6. Guidance on Real-Time Actions

The training should prepare all individuals on how to respond to real-time security issues and help them take active steps in managing the issue the moment it occurs. One of the key benefits of security awareness training is in  reducing the time it takes to respond to a security threat. The best programs guide team members on immediate responses to real-time events and help teams build a comprehensive policy for protecting data and hardware in real-time when a security issue arises.

 

7. Updates on the Security Environment

Through their regular training, employees will also be able to learn more on the security environment as it evolves. In a fast-paced marketplace such as this, it can be difficult to track and respond to the latest threats with a one off course. A regular training course allows the specialist to help guide employees on new issues facing companies in their sector. Whether it’s a new botnet or a new piece of malware, knowing what to look for can help mitigate potential damage within the business.

 

8. Train Outside the Box

Implement gamification techniques into your training plans. Challenge your training participants to take on the mission of security; use real world scenarios for them to encounter obstacles and then have to role play the decision of what to do next. By inserting themselves into these scenarios, they will be actively engaging in security practice and learning through hands on experience how they themselves would or should act. Also, take the opportunity to offer recognition of participant accomplishments, whether it be through email communication, by awarding a certificate, or by whatever is feasible at your organization.

Refined Security Awareness Training – Best Practices Checklist

Armed with the knowledge on the content of a quality security awareness training program, companies can now better select the ideal program for their teams. But success within the training program can only be achieved by building the ideal team environment within the individual business. Let’s review a checklist to the best practices for creating and supporting a security-training program.

 

1. Partner Across Departments

A critical element of security awareness training is partnering between and across departments so that performance goals can be shared and agreed upon. For example, make sure that HR teams are involved within the security training procedures so they can then integrate those training elements within the new employee onboarding process. Beyond this however, it is also important to combine shared needs and interests across departments. Security is everyone’s responsibility, but the facets of that responsibility are shared across departments. HR departments may be tasked with safeguarding employee data, Legal departments with third party assessments and contracts, IT with system upkeep, other departments with proprietary, sales, or consumer data, and so on.

A comprehensive solution can only be built when a full assessment of the current risks and vulnerabilities are carried out. Those at the executive levels should also be kept aware of the training and have the opportunity for input to keep the program moving in the most effective direction for the organization. Getting each member of the team on the same page regarding security will minimize confusion and create an environment of streamlined communication and cross-department cooperation.

 

2. Listen To Your Staff

It is worthwhile to survey staff periodically, not only to get an understanding of their vantage point on existing security risks at the employee level, but to hear about specific vulnerabilities or incidents that they may have experienced. Additionally, it is important to gauge whether every corner of an organization is receiving the appropriate security message. Is security a priority to them, to their managers and team, etc.

 

3. Incentivize Awareness

One of the goals of a robust security-training program is to raise awareness and understanding of cyber threats with staff. However, in order to motivate change it is often necessary to not just punish negative behavior, but to reward positive behavior.

A reward system in place for employees that follow procedures and complete testing according to the training roadmap will engage staff in the success of security. Rewards should also be provided for reporting security issues and concerns in order to keep lines of communication open.

 

4. Commit to Measurement

The single most important outcome of a training and awareness program is for measurable change in behavior. It is not enough for employees to know a security guideline or process by memory, but to follow it as well. The only way to determine this is by maintaining metrics. Additionally, actionable data on the value of a company’s training program can help to show board members and c-level executives the return on investment.

This involves committing to the measurement of program success. For example, a company might implement a phishing simulation at the beginning of the program and then another simulation halfway through to show the progress being made. This can help solidify the program’s value and increase the potential for investment in security moving forward.

 

5. Use Relevant Data

Relevant data on real-time security threats is essential in implementing the training program. Teams must use the information from recent trends to showcase the importance of training and ensure appropriative security counter-measures are taken. By demonstrating the relevance of the training being provided and showing the true cost of modern threats, companies can motivate their teams and guide them towards taking the most effective approach for optimal security.

 

6. Conduct Random Simulations

A common mistake made in security awareness training is simply using the same simulation techniques at the same time in the week. Soon, teams catch on to the simulation schedule and will be better prepared to respond. To get a real understanding on security preparedness, conduct simulations at random times. Try not to give any advanced warning of the simulation. Companies can gain actionable data on the success of their training through careful scheduling and comprehensive analysis.

 

7. Communicate

Communication is vital to security. Not only should clear communications be made as to expectations of security, including relevant policies and guidelines, but maintaining communication with leadership and staff will also keep those individuals engaged, informed, and vigilant.