Business Security
Knowledge is a powerful weapon that can empower your employees to become the first line of defense against threats.
October 19, 2023 • 5 min. read
It’s Cybersecurity Awareness Month (CSAM) again this October. This is an awareness initiative that extends to both the consumer and corporate world, even if there are many crossovers: after all, every employee is also a consumer. In fact, as we increasingly work from home or from our favorite remote workspace, the lines have never been so blurred. Unfortunately, at the same time, the risks of compromise have never been more acute.
Building a more cyber-secure world starts here. So, what should IT leaders include in their security awareness programs, now and in 2024? It is important to ensure that you address the cyber threats of today and tomorrow, not the risks of yesteryear.
Why training is important
According to Verizon, three-quarters (74%) of all global breaches in the past year involved the “human element,” which in many cases means error, negligence, or falling victim to phishing and social engineering. Security training and awareness programs are a critical way to mitigate these risks. But there is no quick and easy path to success. In fact, the goal is not so much training or awareness as such, since both can be forgotten over time; it is about changing user behavior in the long term.
That can only happen if you run programs continuously, keeping the lessons top of mind at all times. Make sure no one is left behind, including temporary workers, contractors and senior managers: anyone can be a target, and it only takes one mistake to let the bad guys in. Deliver sessions in small chunks, so the messages have a better chance of sticking. And if possible, include simulation or gamification exercises to bring a particular threat to life.
As we have previously mentioned, courses can even be tailored to specific roles and industries to make them more relevant to the individual, and gamification techniques are a useful way to make training stickier and more engaging.
3 areas to include now and in 2024
As we approach the end of 2023, it’s worth thinking about what to include in next year’s programs. Consider the following:
1) BEC and phishing
Business Email Compromise (BEC), which exploits targeted phishing messages, remains one of the most profitable categories of cybercrime. In the cases reported to the FBI last year, victims lost more than $2.7 billion. It is a crime fundamentally based on social engineering, typically involving tricking the victim into approving a transfer of company funds to an account under the scammer’s control.
There are different methods by which they achieve this, such as posing as the CEO or a supplier, and these scenarios can be integrated seamlessly into phishing awareness exercises. Training must be combined with investment in advanced email security, robust payment processes and independent verification of every payment request or change of bank details, using a channel other than the one the request arrived on.
Phishing itself has been around for decades, but it remains one of the primary vectors for initial access to corporate networks. And thanks to distracted home and mobile workers, the bad guys have an even better chance of achieving their goals. But tactics keep changing, so phishing awareness exercises must change too. This is where live simulations can really help change user behavior. For 2024, consider including content on phishing via SMS and messaging apps (smishing), voice calls (vishing), and techniques for bypassing multi-factor authentication (MFA), such as push-notification fatigue and adversary-in-the-middle proxies that relay one-time codes in real time.
Specific social engineering tactics change extremely frequently, so it’s a good idea to partner with a training course provider who can update their content accordingly.
2) Remote and Hybrid Work Security
Experts have long warned that employees are more likely to ignore security guidelines and policies, or simply forget about them, when working from home. One study found that 80% of workers admit that working from home on Fridays in the summer makes them more relaxed and distracted, for example. This can put them at high risk of compromise, especially since home networks and devices are often less well protected than their enterprise equivalents. That is where training programs should come in, with advice on keeping laptops updated, password management, and using only company-approved devices. This should be accompanied by phishing awareness training.
Further, hybrid working has become the norm for many businesses today. One study claims 53% of them now have a hybrid working policy in place, and this figure is expected to rise. However, commuting to the office or working from a public place carries its own risks. One is the threat from public Wi-Fi hotspots, which could expose mobile workers to adversary-in-the-middle (AitM) attacks, where attackers gain a position on the network and listen in on data flowing between connected devices and the router, and to “evil twin” attacks, where criminals set up a duplicate Wi-Fi hotspot that impersonates the legitimate one at a particular location.
There are also lower-tech risks. Training sessions are a good opportunity to remind staff of the dangers of shoulder surfing in public places.
3) Data protection
GDPR fines rose 168% year on year to more than €2.9 billion ($3.1 billion) in 2022, as regulators cracked down on non-compliance. That makes a pretty strong case for ensuring staff properly adhere to data protection policies.
Regular training is one of the best ways to keep data management best practices top of mind. This means things like using strong encryption, good password management, device security, and immediately reporting any incidents to the appropriate contact.
Staff may also benefit from a refresher on using blind carbon copy (BCC) when emailing groups of external recipients, since putting them in the To or CC field is a common error that leads to unintentional email data leaks, along with other practical training. And they should always ask themselves whether what they are about to post on social media should really be kept confidential.
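Training alone will not stop every BCC mistake, so a technical backstop helps: an outbound-mail check that flags a message exposing many external recipients in the To or CC headers. The following is an added example, not code from the original article or from any product it mentions; the internal domain list, the threshold of one visible external domain, and both sample messages are constructed assumptions for illustration.

```python
import email
from email.utils import getaddresses

# Assumption: the organisation's own domains, whose addresses are never a leak.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: policy threshold. More than this many distinct external domains
# visible to every recipient is treated as a BCC mistake.
MAX_VISIBLE_EXTERNAL = 1

# Constructed sample: a group mailing where the sender put external customers
# in To/Cc, so every recipient can see the whole customer list.
LEAKY_MESSAGE = """\
From: comms@example.com
To: alice@customer-one.example, bob@customer-two.example
Cc: carol@customer-three.example, dave@example.com
Subject: Q4 product update
Content-Type: text/plain; charset=utf-8

Hello all, here is our quarterly update.
"""

# Constructed sample: the corrected form. Externals sit in Bcc (stripped by
# the MTA on delivery), and only an internal address is visible in To.
SAFE_MESSAGE = """\
From: comms@example.com
To: comms@example.com
Bcc: alice@customer-one.example, bob@customer-two.example
Subject: Q4 product update
Content-Type: text/plain; charset=utf-8

Hello all, here is our quarterly update.
"""


def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient will see: To and Cc only, never Bcc."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    # getaddresses() handles display names, quoting and comma-separated lists.
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def external_domains(addresses, internal_domains=INTERNAL_DOMAINS) -> set[str]:
    """Distinct domains among the visible addresses that are not our own."""
    domains = set()
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        if domain not in internal_domains:
            domains.add(domain)
    return domains


def check_bcc_leak(raw_message, internal_domains=INTERNAL_DOMAINS,
                   max_visible=MAX_VISIBLE_EXTERNAL) -> dict:
    """Return the visible external domains and whether the message exceeds policy."""
    ext = external_domains(visible_recipients(raw_message), internal_domains)
    return {"visible_external_domains": sorted(ext), "leak": len(ext) > max_visible}


if __name__ == "__main__":
    for label, sample in (("leaky", LEAKY_MESSAGE), ("safe", SAFE_MESSAGE)):
        print(label, check_bcc_leak(sample))
```

Counting distinct external domains rather than raw addresses keeps the check quiet for a thread with several people at one partner, while still catching the classic mistake of mailing a customer list in the open. Hooked into an outbound gateway or a send-time add-in, it can warn the sender before the message leaves rather than after the incident report is filed.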
Training and awareness courses are an essential part of any security strategy. But they cannot work in isolation. Organizations must also have strict security policies enforced with strict controls and tools such as mobile device management. “People, Process and Technology” is the mantra that will help build a more cyber-secure company culture.