the size or area of business, all organizations must have a proper cybersecurity
strategy in place to protect their infrastructure and data from growing cyber-attacks.
However, no matter how much time and money are invested in deploying and maintaining the best, state-of-the-art solution, it is simply not enough. Contrary to popular belief, most security breaches are not the action of a malicious external party but come from the inside, usually due to human errors by our very own employees. Even though these security breaches are not cyber-attacks per se, they can have a tremendous impact on the organization, potentially leading to the loss of Intellectual Property (IP), Personally Identifiable Information (PII), reputation, and revenue.
It is critical to raise awareness of the impact of day-to-day security mistakes and of how to address them. The best way to turn employees from potential weak links into our first line of defense is dedicated security awareness training. Above all, employees must be brought on board, and this is only achieved if they understand why they are being asked to do (or not do) certain things. It is important to explain the possible impact of some day-to-day, apparently harmless actions, and how these could lead to data being used by malicious actors against the company. Following security guidelines and procedures is not “against” employees but for them: to protect their computer, their data, and thus the company. Plus, most security practices can be reused to protect their personal computers, mobile devices, and data at home.
understand the risks associated with their everyday actions, from simply sending a document to an external recipient, to identifying a suspicious SMS.
What is Security Awareness Training?
Security awareness training is used to prevent and mitigate security risks by providing specific training programs designed to help employees understand their role in protecting their own organization.
Employees learn how to avoid the most preventable security breaches, are taught proper cyber hygiene, and raise their awareness so they can spot possible cyber-attacks, or at least be suspicious whenever something seems odd.
Which Topics Should be Covered?
Security awareness training usually includes the following topics:
Teaches employees how to recognize and avoid potential phishing attacks. Phishing is the most common cyber-attack, used by attackers as a point of entry to get into an infrastructure, spread, and take control in order to carry out ransomware attacks. Phishing usually comes in the form of email (spam), SMS messages with a link that installs malware when clicked, phone calls in which the employee is deceived into providing sensitive personal information, or fake login pages designed to steal the employee's credentials (see “Browser in the Browser (BITB) Attacks”).
Instructs employees on how to recognize threats coming from the inside. These are the hardest threats to detect, as the people involved are usually trusted and thus do not raise suspicion at first. The reasons behind an insider threat can range from a disgruntled employee wanting to harm the company and/or cash in by reselling company IP to its main competitors, to a compromised or blackmailed employee, or simply a negligent employee who does not respect the minimum rules and processes in terms of data handling.
While more and more organizations are moving to a passwordless strategy, passwords are still very much in use. Usually, there are specific policies dictated by the organization and enforced by IT to ensure employees change passwords regularly (e.g., every 30 to 60 days), do not reuse the same passwords, and create passwords with a certain level of complexity. However, it is important to educate employees on why this is done, as some could view the effort as pointless or a waste of time; password policies should be reframed as another measure to protect employee data and, by extension, the entire organization, making them an essential part of each employee's job and responsibilities.
Training should cover how corporate, sensitive, and/or regulated data, such as employee health records, should be handled and stored, in line with current laws and regulations such as HIPAA in the United States or GDPR in Europe.
Bad practices such as sharing corporate, customer, or partner information should be discouraged, and the potentially devastating consequences explained. For instance, a data breach, whether deliberate or accidental, can affect a corporation not only in terms of lost reputation and revenue, but also from a legal perspective.
Stress the importance of not trying to circumvent the security processes put in place, for example by using unsanctioned instant messaging applications (e.g., WhatsApp, Telegram) to share corporate, customer, or partner data. Not only could this have a direct impact on reputation and revenue if the data falls into the hands of a malicious party, it could also have legal consequences, eventually resulting in a fine from the authorities.
Not all critical, sensitive information is electronic, stored on computers and back-end servers. A lot of sensitive data is still printed on paper, and it is important to help employees understand how leaving a simple piece of paper with some information on it out in the open could be used by a malicious insider to piece together sensitive details, impersonate someone's account, and/or access internal resources in order to steal them. Employees must be trained on how to properly store these documents (in a locked cabinet) and how to dispose of them when no longer needed, for example by using paper shredders instead of simply throwing them into a recycling bin.
Also, employees must learn to lock their computer session whenever they leave their seat, even for a moment to grab a cup of coffee, and certainly for the night when leaving the office. No simple act that might help protect the integrity of the infrastructure should be overlooked, and it is crucial for employees to understand the potential impact of their actions and inactions.
What Does It Look Like?
Security awareness training usually consists of a mix of online, web-based training, including videos and quizzes, to first explain what the existing threats are, how they work, and how to detect them. It should not be a long, one-off session, as too much content at once would be counterproductive, but should instead be persistent and delivered regularly over time. Many organizations also use gamification to make the training more attractive and interactive, promoting some healthy “competition” between employees over who has the best knowledge by ranking security scores obtained from passing quizzes and exams.
Then, schedule fully automated, simulated phishing attacks modeled on real-life attacks to challenge employees and see whether they spot them or take the bait. This would typically include phishing SMS, email, and phone attacks, based on real-life attacks but rendered harmless, to test whether your employees are able to recognize a threat or, when in doubt, escalate internally to the IT department, or better still the security department, to identify a possible threat.
Nevertheless, all the training in the world is only useful if your organization also has specific processes and procedures in place, for example an onboarding process for whenever a new employee is hired, so that they know which tools and services are available and how to use them properly.
With today’s ever-increasing security threats, ensuring your infrastructure and devices are protected is paramount. While cybersecurity risks will always exist, providing security awareness training to your employees so that they can identify threats and know the best course of action to take can help prevent cyber-attacks. The team at ISEC7 has been working with companies in the private and public sectors to ensure their ecosystems are protected and their security posture endures through training and best practices. If you have any questions, please reach out to the team at ISEC7, and we can complete a security assessment and help you navigate the options available to help strengthen and protect your infrastructure.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group