In one of the more recent and convincing phishing scams, attackers send authentic-looking emails that closely mimic Outlook quarantine notifications and invite recipients to click a link and enter their credentials in order to "release" emails that have supposedly been blocked. The email used in this attack lacks the tell-tale signs users are usually taught to look for (misspellings, a generic greeting, an obviously mismatched sender address), so it sails past people who have only learned the basics.
If your employees are not trained to recognise emerging threats like this one, and they click on links or open attachments in a malicious message, serious consequences can follow. This is just one of countless scams that may be used to target your employees and compromise your IT security.
An effective IT cyber security strategy focuses on People, Processes and Technology. Unfortunately, many organisations rely too heavily on Technology alone. The reality is that technical controls cannot stop every attack, and there is no way to completely prevent bad actors from somehow making contact with your organisation's employees.
It is therefore essential that you address all three pillars (People, Processes & Technology). In this article, we’ll explore the “People” pillar and look at how an effective cybersecurity training program can arm your people to be your best defence.
Focus on the biggest threats first
When building your training program, begin with a focus on the most commonly used attack vectors along with those that pose the biggest threats (like the previously mentioned phishing email).
Trying to cover every type of threat from day one will only delay the rollout and leave the business exposed in the meantime. Teaching your employees to recognise the most common attacks first gives them the skills needed to identify the others.
This means you will need to periodically research current phishing and other social engineering variants and emerging threats: how they are typically used, whom they target, and how to recognise them.
There are many online sources that offer this type of information, including statistics on the most common and most effective malicious tactics currently being observed in the wild.
Develop a regular training schedule and course requirements
Simply requiring employees to complete an annual security awareness course has proven not to be effective. To be of value, training must be delivered regularly; ideally this means at least once a month, with results tracked. Some of your training should target individual departments within the business, with materials specific to those groups.
For example, you should consider developing courses for C-suite management personnel and others for HR employees that include information regarding attacks that are typically being used to target members of those particular groups.
Coursework should be developed for new employees and delivered during the onboarding process. This training should be comprehensive, including materials relating to current threats and how to recognise them.
This should be in addition to formal acceptance of the company's IT policies, which detail the proper handling of data, use of credentials, how to report potential threats, and any other material a new employee needs to be aware of up front in order to maintain the security of your environment.
Methods to deliver the Training
Training delivery methods should be varied to keep employees interested, and could include phishing attack simulations, videos, online courses with exams, games, and newsletters. Employees who are interested in the material being delivered tend to retain more of it.
Creating a culture of cyber security awareness in the business is an essential step to minimising risk exposure.
Injecting humour into training helps to hold trainees' attention, as does providing them with material they can use in their personal lives as well as in the office. If something benefits them personally, they are more likely to remember it.
Examples include basic security concepts that apply anywhere, and the reasons why sharing too much information on social media is a bad idea.
Relatable material and real-world examples also make training more memorable. A story about a company similar to yours that suffered financial and reputational damage because an employee inadvertently installed ransomware by clicking a malicious link can drive home the importance of carefully examining suspicious emails and reporting them to the IT department or partner.
Regular phishing simulation campaigns are very valuable:
- they show the business where the potential risk lies, and
- they not only test employees but educate them safely on what they missed; because the lesson is personal to them, it has been found to improve retention.
Periodically evaluate your program and employee awareness
You will not know how effective your cyber security awareness training program is unless you evaluate it periodically. Incorporating short tests into the courses will measure your employees' level of security awareness.
Not every training session needs to include testing, but periodic testing of basic cyber security awareness and retention of course material will allow you to measure the overall effectiveness of your program.
Reviewing the results then allows you to target revision or additional cyber security training at the employees or departments identified as weak. You will also be able to identify the specific areas within your training program where improvement is needed.
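The evaluation described above is easiest when simulation results are crunched the same way every cycle. The following is an added example, not part of the original article or any Lantech tooling: it reads a constructed CSV export of phishing-simulation results (the column layout is an assumption about a typical export), aggregates per department, flags groups that need targeted revision, shows the click-rate trend across campaigns, and lists people who clicked in more than one campaign. The thresholds are illustrative defaults, not recommendations from the article.

```python
"""Per-department analysis of phishing-simulation results (added example)."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample export; not real data. Column names are an assumption
# about what a simulation platform typically exports.
SAMPLE_CSV = """campaign,department,recipient,clicked,submitted_credentials,reported
2024-03,Finance,f1@example.com,yes,yes,no
2024-03,Finance,f2@example.com,yes,no,no
2024-03,Finance,f3@example.com,no,no,yes
2024-03,Finance,f4@example.com,no,no,no
2024-03,HR,h1@example.com,yes,no,no
2024-03,HR,h2@example.com,no,no,yes
2024-03,HR,h3@example.com,no,no,yes
2024-03,Engineering,e1@example.com,no,no,yes
2024-03,Engineering,e2@example.com,no,no,yes
2024-03,Engineering,e3@example.com,no,no,no
2024-04,Finance,f1@example.com,yes,no,no
2024-04,Finance,f2@example.com,no,no,yes
2024-04,Finance,f3@example.com,no,no,no
2024-04,Finance,f4@example.com,no,no,no
2024-04,HR,h1@example.com,no,no,yes
2024-04,HR,h2@example.com,no,no,yes
2024-04,HR,h3@example.com,no,no,no
2024-04,Engineering,e1@example.com,yes,yes,no
2024-04,Engineering,e2@example.com,no,no,yes
2024-04,Engineering,e3@example.com,no,no,no
"""


@dataclass
class Stats:
    sent: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def _flag(value: str) -> bool:
    """Interpret the yes/no style cells found in simulation exports."""
    return value.strip().lower() in ("yes", "y", "true", "1")


def load_results(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def aggregate(rows: list[dict], key: str = "department") -> dict[str, Stats]:
    """Roll individual recipient rows up by department (or any column)."""
    out: dict[str, Stats] = {}
    for row in rows:
        s = out.setdefault(row[key], Stats())
        s.sent += 1
        s.clicked += int(_flag(row["clicked"]))
        s.submitted += int(_flag(row["submitted_credentials"]))
        s.reported += int(_flag(row["reported"]))
    return out


def weak_groups(stats: dict[str, Stats], max_click_rate: float = 0.20,
                min_report_rate: float = 0.30) -> dict[str, list[str]]:
    """Groups that need targeted revision, with the reason for each flag.
    Any credential submission is flagged regardless of rate."""
    flagged: dict[str, list[str]] = {}
    for group, s in stats.items():
        reasons = []
        if s.click_rate > max_click_rate:
            reasons.append(f"click rate {s.click_rate:.0%} above {max_click_rate:.0%}")
        if s.report_rate < min_report_rate:
            reasons.append(f"report rate {s.report_rate:.0%} below {min_report_rate:.0%}")
        if s.submitted:
            reasons.append(f"{s.submitted} credential submission(s)")
        if reasons:
            flagged[group] = reasons
    return flagged


def campaign_trend(rows: list[dict]) -> list[tuple[str, float]]:
    """Overall click rate per campaign, oldest first, to see if training lands."""
    by_campaign = aggregate(rows, key="campaign")
    return [(c, by_campaign[c].click_rate) for c in sorted(by_campaign)]


def repeat_clickers(rows: list[dict], min_campaigns: int = 2) -> list[str]:
    """Recipients who clicked in at least `min_campaigns` distinct campaigns."""
    seen: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        if _flag(row["clicked"]):
            seen[row["recipient"]].add(row["campaign"])
    return sorted(r for r, c in seen.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    rows = load_results(SAMPLE_CSV)
    stats = aggregate(rows)
    for dept, s in stats.items():
        print(f"{dept:12} sent={s.sent:2} click={s.click_rate:.0%} report={s.report_rate:.0%}")
    for group, reasons in weak_groups(stats).items():
        print(f"Target training for {group}: {'; '.join(reasons)}")
    print("Click-rate trend:", campaign_trend(rows))
    print("Repeat clickers:", repeat_clickers(rows))
```

The report rate is tracked alongside the click rate deliberately: a department that clicks rarely but never reports is still a weak link, because the first real phish that does get a click will go unnoticed. Repeat clickers are the natural audience for one-to-one follow-up rather than another department-wide module.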
If you need help with training development and delivery...
Developing and delivering a training program and measuring its effectiveness over time can be a very time-consuming undertaking, especially in a time of worsening shortages of qualified IT security personnel.
If you need assistance, Lantech offers cyber security training programs as a service. The program can be tailored to fit your needs and provide you or your HR department with the results needed to measure effectiveness easily. Included in the service are:
- continual, regular phishing simulation campaigns,
- training videos (some quite entertaining), and
- an IT policy repository with policy management.
Our cyber security awareness program integrates with your IT systems in order to automate the process of enrolling new employees in training and removing those who have left the business.
Our Cyber Security Training as a service (now included in some of our Managed Services Bundles) greatly reduces your administrative burden, improves your staff’s awareness of cyber risk and protects your business from harm.
If your industry is regulated and must provide evidence of training, this type of automation and tracking can also alleviate the burden of tracking and reporting training completion.
Cybercriminals are constantly coming up with new ways to target your employees and use them to facilitate attacks on your company's resources.
No amount of technical controls can stop them from leveraging the human component (short of disconnecting from the internet and powering off your IT systems!).
This being the case, effective cybersecurity training is essential. Training should be interesting, impactful, and continuous. Your results should be measurable and be regularly evaluated to facilitate continuous improvement.
This is your best course of defence against ever-evolving and continuously changing social engineering threats.
If you would like to discuss your cyber security awareness program, or explore our managed cyber security awareness programs, please book a meeting using the link below.
Reach out to Lantech today to schedule a free consultation and see why we are the perfect fit to meet the unique needs of your business!