Security Awareness Training 101

By: Charles Brandt
October 7, 2024

Your average cybercriminal does not need to be a mastermind to pull off a successful attack. Tools exist to do much of the heavy lifting, many of which are free or can be purchased on the dark web for very low prices. Often, attackers don't even bother trying to crack passwords to get into company environments, because employees fall for phishing scams at such high rates that they are effectively handing their passwords over.

One of the best ways to reduce this risk is through security awareness training. Simply put, high-quality security awareness training isn’t a “nice to have,” it’s a “need to have.” And in this blog, I’ll cover what should be included and why.

Why Are Security Awareness Training Programs Important? 


Building your human firewall is a worthwhile investment. Here are a few recent stats that drive the point home: 

Employees can be your greatest cybersecurity weakness or your greatest asset. Proper security awareness training is a strategic process to move them from the former to the latter.

8 Things Your Cybersecurity Training Should Cover


Cyber threats are constantly evolving. If you haven’t updated your security awareness programs since 2020, here’s what they should now include. 

1. Password Security

No one still uses the same password for every account, right? Back in 2019, 13% of Americans used the same password for everything, and while we are getting better, password habits are still not where they need to be:

  • 78% of individuals use the same password for more than one account
  • 52% use it for at least three accounts
  • 4% use it on at least 11

Proper password security includes a few basics, like creating strong, unique passwords and not sharing or reusing them. That sounds like a big burden, but it certainly doesn’t need to be. Password managers can still make login fast and easy. 

However, since even the strongest password can be harvested if an employee falls for a phishing scam, proper account security also includes multi-factor authentication (MFA). Microsoft has reported that MFA blocks more than 99.9% of automated account-compromise attacks; that figure is about account takeover specifically, not cyberattacks in general. One caveat worth teaching: a one-time code or push prompt can still be phished in real time or approved out of prompt fatigue, so where possible prefer phishing-resistant methods such as FIDO2 security keys or passkeys. Just like a good password manager, MFA can still keep login quick and easy for authorized users.

2. Phishing and Social Engineering

Most people still underestimate their susceptibility to phishing scams. But phishing has come a long way, and scammers have learned how to bait their hooks with the clever use of social engineering. Cyber attackers are constantly evolving, and the recent advancements in artificial intelligence allow attacks to be more tailored to their audience, and conducted at an even greater scale.

Once your staff is trained to recognize the telltale signs, they do much better at spotting a scam, especially when they understand that while cybersecurity tools are very helpful, they can't catch everything that comes their way.

A clever hacker will still try to use our brain’s biases to trick employees into acting without thinking. But understanding a few common techniques that attackers use — like a deal that sounds too good to be true or a message to immediately wire funds that appears to be coming from your boss — should instantly raise red flags with the majority of your employees. All of us will have careless moments now and then, but if you’ve also encouraged your employees to report any suspicious phone, text, or email communications, they can help prevent others from making a costly mistake. 

A good security awareness training solution will let your IT department run phishing simulations: fake phishing emails sent safely through the platform so you can measure how well users actually perform. Users who click or enter credentials can be automatically enrolled in the training they need, so they feel confident the next time a real one arrives. Track click rates and report rates over time; a falling click rate together with a rising report rate is the signal that the company's culture and security performance around phishing are really changing.

3. Safe Browsing Habits


AI has helped a lot of us avoid grammatical errors and craft better messages, and those same tools are now employed by scammers as well. The days when spelling errors and grammatical mistakes would make malicious emails and websites easier to spot are largely over. 

Not only should your employees understand that, but they should also be given best practices: using HTTPS websites (while understanding that the padlock only means the connection is encrypted, not that the site is legitimate, since phishing sites use HTTPS too), avoiding sharing sensitive information over public Wi-Fi, and watching out for red flags like URL irregularities (a familiar brand name appearing as a subdomain of an unfamiliar domain, look-alike spellings, or a raw IP address in place of a name), intrusive pop-ups, aggressive sales tactics, and unusual payment or information requests.

Employees should also be told to treat any links or attachments with caution and to think before they click — even if a website or email appears to be legitimate. 
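The "URL irregularities" and "think before you click" advice above can be made concrete. The script below is an added example written for this article, not code from the original post or from any training product: it applies a handful of heuristic checks to a link (brand name as a subdomain of an unrelated domain, look-alike spellings such as "rnicrosoft", punycode labels, credentials before the host, a raw IP address, plain HTTP) and returns the red flags it finds. The brand list, the sample links and the simplified registrable-domain logic are assumptions made for illustration.

```python
"""Heuristic checks for the URL irregularities that phishing training teaches
users to spot. Added example for this article, not code from the original
post or any product; the brand list and sample links are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: brands whose names users should expect to see only on the
# genuine domain. A real deployment would load its own list.
PROTECTED_BRANDS = ("microsoft", "paypal")


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host.

    Assumption for illustration only; production code should use the Public
    Suffix List so that hosts such as 'evil.co.uk' are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fold_lookalikes(label: str) -> str:
    """Fold common substitutions so that 'rnicrosoft' and 'paypa1' compare
    equal to the brands they imitate."""
    label = label.replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("01358", "olesb"))


def inspect_url(url: str) -> list:
    """Return human-readable red flags for a URL (an empty list if none)."""
    flags = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "http":
        flags.append("plain http, no TLS")
    elif scheme != "https":
        flags.append(f"unusual scheme '{scheme}'")
    if parts.username is not None:
        # https://paypal.com@evil.example/ displays 'paypal.com' but goes to evil.example
        flags.append("credentials embedded before the host")
    host = (parts.hostname or "").lower()
    if not host:
        flags.append("no host name")
        return flags
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain name")
        return flags
    except ValueError:
        pass
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        flags.append("punycode (internationalised) label, check for homoglyphs")
    if len(labels) > 4:
        flags.append("deeply nested subdomains")
    domain = registrable_domain(host)
    domain_label = domain.split(".")[0]
    subdomains = labels[:-2]
    for brand in PROTECTED_BRANDS:
        if domain_label == brand:
            continue  # the genuine registrable domain, e.g. login.microsoft.com
        if fold_lookalikes(domain_label) == brand:
            flags.append(f"lookalike of {brand} ({domain})")
        elif brand in fold_lookalikes(domain_label):
            flags.append(f"{brand} embedded in unrelated domain {domain}")
        if any(brand in sub for sub in subdomains):
            flags.append(f"{brand} appears as a subdomain of {domain}")
    return flags


# Constructed sample links of the kind a simulated phishing email might carry.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",
    "https://login.microsoft.com/",
    "https://paypal.com.secure-login.net/",
    "https://rnicrosoft.com/",
    "http://192.168.0.1/login",
    "https://paypal.com@evil.example/",
]


def triage(urls=SAMPLE_LINKS) -> dict:
    """Map each URL to its flags; usable as a training hand-out or quick check."""
    return {url: inspect_url(url) for url in urls}


if __name__ == "__main__":
    for url, flags in triage().items():
        print(f"{url}\n    {'OK' if not flags else '; '.join(flags)}")
```

These checks are deliberately simple and are meant to show users what to look at in a link, not to replace a mail gateway or browser protection. Note that the genuine sites pass with no flags while the HTTPS look-alikes are still caught, which is the point of the padlock caveat above.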

4. Data Protection

Data can be lost or stolen in a number of different ways, and not all of them are new. Printed documents left in the paper tray or on an unoccupied desk are still huge data protection concerns. Data can also be harvested from devices that haven’t been securely decommissioned. 

Not only is proper data storage and disposal good cybersecurity hygiene, but if your business is regulated, it can protect you from lawsuits and heavy fines.  Cybersecurity and data privacy laws have changed! So depending on where you’re located, the data you collect, and whether or not you offer financing, you might have new legal responsibilities. 

5. Mobile Device Security in the Workplace

Mobile devices are convenient for employees, and also for some cybercriminals. Even if your workplace isn't officially bring-your-own-device (BYOD), your employees are likely accessing your systems and data from their personal smart devices unless you strictly prohibit it (and perhaps even if you do). If those devices have access to company data, there is a good chance they are not secured to the standard your company policy requires.

Microsoft Intune can make device security relatively simple, but you should also make sure your employees are aware of the risks of using personal devices for work, and how to install and use apps safely.

6. Physical Security

It’s also important to secure the company’s physical office by providing communication and policies around tailgating, visitor check-in policies and procedures, and how employees are to manage their workstations when unoccupied. 

7. Incident Reporting

Unless you’ve already cultivated a culture of security, it’s understandable that even when an employee suspects a phishing attempt or accidentally clicks on a malicious link, they won’t report it. No one wants to look foolish, and some employees may believe that their IT department will already be aware of the threat. 

In addition to helping your employees recognize a potential security risk, it’s also important that they know what you’d like them to do next. Perhaps this is needless to say, but if you want your employees to keep reporting emails that seem suspicious, all of their reports should be received with gratitude — even if some threats turn out to be completely innocent. It’s always better to err on the side of caution. 

Proactively build a culture where requesting confirmation from the supposed sender through a trusted communication channel is seen as a commended practice and not a burden.

8. Software Updates and Patch Management

Most IT teams understand the importance of applying software updates and patches and paying attention to end-of-life (EOL) and end-of-support (EOS) dates. Sometimes, though, these updates temporarily disrupt work. That's not ideal, but a little understanding goes a long way: help your employees understand why they have to update their software and devices as soon as possible, and what the risks are of running unsupported software.

For business-critical devices, find maintenance windows when they can be updated without causing disruption, and make sure there is follow-through. Devices that go unpatched, which is all too frequently the case, raise your chances of a major incident. Schedule these updates, and make sure they don't land on the "someday when we have time" pile.

Social Media Security Risks for Businesses

Social media is full of malicious links and phishing scams, so employees should review their privacy settings and be wary of sharing too much information — especially information associated with common password retrieval questions. 

“Let’s have fun by sharing the make and model of our first car!” 

“Teachers are important. Who still remembers the name of their first-grade teacher?!” 

“Your fun nickname is the street you were born on, plus your favorite color!” 

Those aren't innocent posts designed to bring people together. The answers are harvested to help scammers break into your online accounts. Stop answering questions like these, and be highly suspicious of any post that offers a deal that's too good to be true or urges you to take immediate action.

Pro tip: You don't always have to answer retrieval questions honestly! If you store the answers securely, for example as a note in your password manager, they can be random or made up, which makes it far less likely that an attacker could guess them from the data they've collected.

Implementing Cybersecurity Best Practices for Employees


Remember, most of the tips you’re giving them not only can help protect your business — these are tips that can also help people protect their own banking accounts and make their physical workplaces safer. 

If you already have an engaging security training program, I hope some of these tips are relatively simple to incorporate. If you’re starting from scratch and you’d rather leave it to the pros, we also help clients implement security awareness training and other cybersecurity basics. 

If you want to give your employees a little preview, we’ve designed a little game to help people understand what modern phishing scams look like, and see if users can tell legitimate emails from malicious ones. 

Spot the Phish Interactive Tool: Are you ready to spot the phish?

Topics: Security