Security Awareness Training
Welcome back to cyber security awareness month with Secure Sense!
Due to the current climate, many organizations have transformed their business to run mainly online, and may even have moved their employees to work completely remote. It’s extremely important to regularly keep up on cyber security training for staff as the risk of cyber attacks continue to rise. Cyber Security Awareness month makes for a great time to review your cyber security policies with your organization and ensure that your staff are well versed in their training. Humans remain the weakest link in any security stack and account for 95% of security breaches through social engineering tactics. Human error may be the most common cause of breaches but it’s also something we can combat by training our employees to have good awareness of security hygiene and suspicious activity.
Today we will be discussing best practices, training, and how your managed service provider can help.
Every employee should have cyber security training
Hopefully, all organizations have controls in place that are critical to an effective security posture, such as governance policies, firewalls, antivirus, logging/monitoring, etc. However, phishing attempts and other social engineering techniques can reward attackers with credentials that allow them to bypass layers of expensive protection simply by sending an email or talking to them. As mentioned, human error is responsible for 95% of security breaches; therefore, cyber security awareness is a must in reducing the risk associated with these types of threats.
Typical security awareness training modules will include many topics, including password hygiene, phishing, wi-fi best practices, and reporting cyber threats. Let’s review:
Password hygiene
When training your staff on password hygiene and best practices, there are a few main tips they should learn:
- Always have unique passwords: passwords should always be unique for every account and each should have multiple characters including numbers, letters, and symbols
- Change passwords regularly: employees should be changing their passwords every few months to protect them in the event that their password does become compromised
- Use multi-factor authentication whenever possible: providing two or more verification factors to login to accounts is ideal, especially when the employee has access to confidential data to make it more difficult to leverage stolen credentials. This is especially important for publicly available services, such as webmail or VPN Access
- Use a password manager: provide employees with a password manager or have them install a free one to manage their passwords so they can confidently use unique passwords for all accounts and not worry about forgetting them
Phishing
Almost all organizations will encounter phishing attempts and their prevalence is only increasing. Anybody in your organization can be a victim of a phishing scam and our best chance to prevent falling prey to them is to train your staff on what a scam looks like and the type of impersonation or even psychological tactics used by scammers. Training should include:
- Always be wary when you receive an email from an unknown sender: this could include an unfamiliar email address or a familiar name but the address may look different
- Investigate emails that contains links or attachments: if employees aren’t expecting an email with links or attachments, they should never click a link or download an attachment without safely investigating the source
- Don’t share important/personal information online: this includes information via email and websites. Many phishing scams ask victims to share personal information online – make sure to let employees know that no one would be asking for this via email. If they are unsure, they can always phone the sender to clarify
- Examples of real world phishing emails: a great way to show your staff what to avoid is to run through a series of phishing emails and regular emails to ensure they are able to distinguish between the two
Wi-fi Best Practices
When training your employees, especially when they’re working from home or remotely, ensure they are aware of wi-fi best practices and have access to a VPN. Training should include the following:
- Avoid public wi-fi, unless absolutely necessary and other protections are in place: public wi-fi hotspots are notorious for man-in-the-middle attacks and other tactics and exploits designed to intercept sensitive information
- Always try to connect to a private wi-fi or VPN. If connecting to a public wi-fi, use a VPN: a VPN ensures the data transmitted is encrypted (among other benefits) making it far more difficult to decode if intercepted
- Never share private information or sensitive data over public networks: understanding the risks of public networks should inform what kind of information one is willing to share over that connection—the less the better
- Check your Home Network for Rogue Devices: Many wireless routers offer a feature which shows you which devices are connected to your wi-fi. You should make it a habit to check this semi-frequently to ensure that nobody unauthorized has managed to connect to your wi-fi network. If they do, change your Preshared key to a new and strong WPA2 or WPA3 preshared-key
Reporting scams is everyone’s responsibility
Employees should not only be trained on threats and best practices and told to avoid them; they must also know who to talk to if they make a mistake like accidentally click a malicious link or giving out sensitive information. Critically, employees need to know who to report their concerns to and feel like they can do so without risk of being shamed, blamed or punished. Give your employees an appropriate point of contact they feel comfortable approaching, whether it’s their manager or the company IT team, and make sure everyone knows this information for when they may need it.
When it comes to cyber security training, the bottom line is that giving regularly updated, annual (at least) training sessions is the right thing to do. Threats are always evolving, bad actors are always developing new tactics, and sometimes everyone needs a refresher course to bring security to the forefront of their thoughts.
Tools and Services from your MSSP that can help
When creating your cyber security training program for your staff you should always be able to look to your managed service provider for guidance for how to implement training, as well as how to generate intelligence from this initiative in order to leverage data and feedback for further improvement—not just of training, but of your security posture in general. Looking for a managed service provider that offers training as either part of their service or as an additional service has many benefits for security awareness.
- Tools from your MSSP to help you with your cyber security training: There are a variety of specialized products/platforms for security awareness that can be offered as a managed solution, but on top of that your existing managed solutions can be instructive to management and end users in terms of cyber security awareness. Events generated by endpoint protection or device control products (to name just a couple) can be instructive in their own way if use case response processes are designed with behaviour in mind and not just device security. Feedback on unsanctioned actions on user devices or encountered threats can be passed on to users in ways that foster further awareness of threats. This is part of event/incident response that is often overlooked in taking actions that lower the risk of repeat incidents. Some endpoint security solutions allow for behaviour correcting alerts or emails to be configured, which is highly effective; but even if the relevant products in your security stack don’t have these features, centralized logging/reporting tools or response automation tools used by your MSSP’s SOC can allow for feedback ultimately directed to end users in an instructive way to correct risky behaviour and be instructive of better habits. Ultimately, reporting/intelligence from many devices can inform beneficial changes to user behaviour that can be targeted by training.
- Run a phishing campaign: Training modules are a good start, especially if they incorporate realistic examples of how social engineering actually occurs in order to raise red flags to the user and establish a healthy amount of paranoia about scams and phishing tactics. But without feedback about how users respond when targeted, we’re left waiting around to see how effective our efforts have been when the inevitable occurs. A phishing campaign can provide a realistic measurement of how effective current training efforts are. If your security provider does not offer this as a service (we do), they may likely be partnered with a company that specializes in this area (we are). If this is done manually via an internal team or service provider—rather than via a specialized software with tools for analyzing results—your MSSP can also be invaluable in tracking and analyzing the results and road-mapping additional controls for higher risk personnel and endpoints.
- Turning data and feedback into a targeted approach: Your MSSP will have many ideas about how to inform you about business practices and user behaviours that require your attention and either new security use cases, controls or training efforts to reduce their associated risk. They also should be able to provide intelligence from a departmental, work unit or role-based perspective how to most efficiently prioritize which users may need additional policies and training thereof on top of more generalized security awareness training.
At the end of the day, security awareness training is about prevention AND response. Employees need to be aware of threats and how to avoid them and have the ability to speak up if they are suspicious. As well, you want the lessons learned from the threats encountered by our organizations to feed back into policies and training efforts. This should be a dialogue between your security team (or provider) and your stakeholders, but it is also a dialogue with employees via constructive awareness and training campaigns. Engaging training modules that test user comprehension and provide metrics to administrators are very valuable especially for a general audience. That said, your security controls can provide an incredible amount of data that can be curated in such a way as to inform more prioritized and advanced efforts identify and address behavioural risks—with a little planning and experience that your MSSP is well positioned to provide.
Interested in Chatting with a Security Professional?
There’s no better time than the present to enlist help for your security needs. Available across Canada, our team of specialists are eager and ready to learn how to become that trusted extension of your security team.
Don’t hesitate to reach out to us at 866-999-7506 or shoot us an email at contactus@securesense.ca.
Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout.