Importance of Security Awareness Training
Welcome back to week 1 of cyber security awareness month with Secure Sense!
Cyber Security Awareness month makes for a great time to review your cyber security policies with your organization and ensure that your staff are well versed in their training. In 2021, 82% of security breaches occurred through social engineering tactics, leaving human error to be the most common cause of breaches. We can combat this by properly training our employees to have good awareness of security hygiene and suspicious activity.
Today we will be discussing best practices, training, and how your managed service provider can help.
Every employee should have cyber security training
Hopefully, all organizations have controls in place that are critical to an effective security posture, such as governance policies, firewalls, antivirus, logging/monitoring, etc. However, phishing attempts and other social engineering techniques can reward attackers with credentials that let them bypass layers of expensive protection simply by sending an employee an email or talking to them.
Typical security awareness training modules will include many topics, including password hygiene, wi-fi best practices, social engineering, and reporting cyber threats. Let’s review:
When training your staff on password hygiene and best practices, there are a few main tips they should learn:
- Always have unique passwords: passwords should be unique for every account, and each should mix numbers, letters, and symbols
- Change passwords regularly: employees should change their passwords every few months to limit the damage in the event that a password does become compromised
- Use multi-factor authentication whenever possible: requiring two or more verification factors to log in to accounts is ideal, especially when the employee has access to confidential data, because it makes stolen credentials much harder to leverage. This is especially important for publicly available services, such as webmail or VPN access
- Password manager: provide employees with a password manager, or have them install a free one, so they can confidently use unique passwords for all accounts without worrying about forgetting them
Wi-fi Best Practices
When training your employees, especially when they’re working from home or remotely, ensure they are aware of wi-fi best practices and have access to a VPN. Training should include the following:
- Avoid public wi-fi, unless absolutely necessary and other protections are in place: public wi-fi hotspots are notorious for man-in-the-middle attacks and other tactics and exploits designed to intercept sensitive information
- Always try to connect to a private wi-fi or VPN. If connecting to a public wi-fi, use a VPN: a VPN ensures the data transmitted is encrypted (among other benefits) making it far more difficult to decode if intercepted
- Never share private information or sensitive data over public networks: understanding the risks of public networks should inform what kind of information one is willing to share over that connection—the less the better
- Check your home network for rogue devices: many wireless routers offer a feature that shows which devices are connected to your wi-fi. Make it a habit to check this semi-frequently to ensure that nobody unauthorized has managed to connect to your wi-fi network. If someone has, change your pre-shared key to a new, strong WPA2 or WPA3 pre-shared key
Your training should include information and examples of social engineering tactics and ransomware attacks. These attacks often occur after an employee or user opens or clicks an infected attachment or URL. When these infected links are opened, the malware is installed on the user's computer and begins to either encrypt their files or simply lock their screen, effectively holding that data hostage.
Ensure your employees know how their devices become vulnerable. Phishing emails and malicious attachments and links that install ransomware directly onto a device are a major way attackers wreak havoc, and all employees should be well aware of these types of attacks. Devices are especially vulnerable if they aren't updated with the latest software security patches, run outdated or unsupported operating systems, or lack anti-malware software to help detect and stop ransomware. We will be talking more about patching later this month, so be sure to keep checking back to the blog to learn more!
Common phishing email traits to train your employees on include:
- Unknown sender: this could be an unfamiliar email address, or a familiar name paired with an address that looks different from the one you know
- Emails that contain links or attachments: if employees aren't expecting an email with links or attachments, they should never click a link or download an attachment without safely investigating the source
- Emails asking for personal information: this includes requests made via email and via linked websites. Many phishing scams ask victims to share personal information online, so make sure employees know that no one legitimate would be asking for this via email. If they are unsure, they can always phone the sender to clarify
Using real world examples of phishing emails is a great way to show your staff what to avoid. Run through a series of phishing emails and regular emails to ensure they are able to distinguish between the two.
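To make the three traits above concrete, here is an added example (not from the original post) that scores constructed sample messages against that checklist: a familiar name with an unfamiliar address, links or attachments, and requests for personal information. The address book and the messages are made up for illustration.

```python
"""Heuristic phishing triage over constructed sample messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the address the organisation knows.
KNOWN_CONTACTS = {"Alice Chen": "alice.chen@example.com"}

PERSONAL_INFO = re.compile(r"\b(password|social security|credit card|bank account)\b", re.I)
URL = re.compile(r"https?://\S+", re.I)


def phishing_traits(raw: str) -> list[str]:
    """Return the checklist traits that a raw RFC 822 message exhibits."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    traits = []
    # Trait 1: unknown sender, or a familiar display name with a different address.
    if name in KNOWN_CONTACTS:
        if addr.lower() != KNOWN_CONTACTS[name].lower():
            traits.append("familiar name, different address")
    elif addr.lower() not in (a.lower() for a in KNOWN_CONTACTS.values()):
        traits.append("unknown sender")
    # Trait 2: links in the text body or any attached file.
    body_text, has_attachment = [], False
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_filename() or part.get("Content-Disposition", "").startswith("attachment"):
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body_text.append(part.get_payload(decode=True).decode(errors="replace"))
    body = "\n".join(body_text)
    if has_attachment or URL.search(body):
        traits.append("links or attachments")
    # Trait 3: the message asks for personal information.
    if PERSONAL_INFO.search(body):
        traits.append("asks for personal information")
    return traits


# Constructed samples: a lookalike-sender phish, a genuine note, and an unknown sender with an attachment.
PHISH = ("From: Alice Chen <alice.chen@example-mail.net>\nTo: bob@example.com\n"
         "Subject: Urgent\n\nBob, confirm your password at http://example-mail.net/login today.\n")
LEGIT = ("From: Alice Chen <alice.chen@example.com>\nTo: bob@example.com\n"
         "Subject: Lunch\n\nAre we still on for lunch Thursday?\n")
ATTACH = ("From: payroll@unknown-vendor.example\nTo: bob@example.com\nSubject: Invoice\n"
          "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"b1\"\n\n--b1\n"
          "Content-Type: text/plain\n\nPlease see the attached invoice.\n--b1\n"
          "Content-Type: application/octet-stream\n"
          "Content-Disposition: attachment; filename=\"invoice.zip\"\n\nUEsDBA==\n--b1--\n")

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT), ("attach", ATTACH)):
        print(label, phishing_traits(sample))
```

Running the three samples side by side is the same exercise the paragraph describes: staff (or a triage script) should be able to separate the messages that hit the checklist from the one that does not.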
Tools and Services from your MSSP that can help
When creating your cyber security training program for your staff you should always be able to look to your managed service provider for guidance for how to implement training, as well as how to generate intelligence from this initiative in order to leverage data and feedback for further improvement—not just of training, but of your security posture in general. Looking for a managed service provider that offers training as either part of their service or as an additional service has many benefits for security awareness.
- Tools from your MSSP to help you with your cyber security training: There are a variety of specialized products/platforms for security awareness that can be offered as a managed solution. Events generated by endpoint protection or device control products (to name just a couple) can be instructive in their own way if use case response processes are designed with behaviour in mind and not just device security.
- Run a phishing campaign: Training modules are a good start, especially if they incorporate realistic examples of how social engineering actually occurs in order to raise red flags to the user and establish a healthy amount of paranoia about scams and phishing tactics. Utilizing your MSSP to help run this type of campaign can be very beneficial for training and to receive feedback about where employees may need some extra help in recognizing an attack.
- Turning data and feedback into a targeted approach: your MSSP will have many ideas about how to inform you of business practices and user behaviours that require your attention, and of the new security use cases, controls, or training efforts needed to reduce their associated risk. They should also be able to provide intelligence from a departmental, work-unit, or role-based perspective on how to most efficiently prioritize which users may need additional policies and training on top of more generalized security awareness training.
Reporting scams is everyone’s responsibility
Employees should not only be trained on threats and best practices and told to avoid them; they must also know who to talk to if they make a mistake, like accidentally clicking a malicious link or giving out sensitive information. Critically, employees need to know who to report their concerns to and feel that they can do so without risk of being shamed, blamed, or punished. Give your employees an appropriate point of contact they feel comfortable approaching, whether it's their manager or the company IT team, and make sure everyone knows this information for when they may need it.
When it comes to cyber security training, the bottom line is that giving regularly updated training sessions, at least annually, is the right thing to do. Threats are always evolving, bad actors are always developing new tactics, and sometimes everyone needs a refresher course to bring security to the forefront of their thoughts.
Here’s your key phrase: “Social Engineering”
Interested in Chatting with a Security Professional?
Interested in implementing cyber security training but don’t know where to start? Contact us today at firstname.lastname@example.org or 866-999-7506 and our team of experts can assist in creating your own training program for your organization.
If you missed last week's blog, check it out here:
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.