Corporate cybersecurity is a mindset as much as it is a strategy.
According to Verizon’s 2018 Data Breach Investigations Report, internal actors still account for an alarming number of data breaches. Last year, 28% of attacks involved insiders.
Although adequate security systems are vital, these findings point to the importance of educating employees on cybersecurity best practices. To efficiently protect their data, organizations need to develop a security culture throughout the company. The best way to do so is to introduce relevant, engaging, and regular security training for employees.
For those who tried to do so but failed and for those who are not sure how to start, we asked top cybersecurity experts for their best advice. Take a look at what they said and start implementing their tips today.
- Jeff Towle, Intel Corporation
- James Olivier, Shades of Gray Security
- Lisa Parcella, Security Innovation
- Lauren Hilinski, Shred Nations
- Robert Douglas, PlanetMagpie IT Consulting
- Wade Yeaman, Fluid IT Services
- Neil Readshaw, Anonyome Labs
- Greg Scott, Author
- Mihai Corbuleac, ComputerSupport
- Sean Spicer, AgileIT
- Derek Anderson, Biztek Solutions, Inc.
- Joshua Crumbaugh, PeopleSec, LLC
- Eyal Benishti, IRONSCALES
- James Goepel, ClearArmor Corporation
- Tom Evans, Ashton Technology Solutions
- Morey Haber, BeyondTrust
- Dean Coclin, DigiCert
- Peter J. Canavan, Safety Expert
- Robert Huber, Eastwind Networks
- Benjamin Dynkin, Atlas Cybersecurity
- Eric Sheridan, WhiteHat Security
- Mike Meikle, SecureHIM
- Bryan Dykstra, Atlantic Data Forensics
- Joshua Feinberg, Data Center Sales & Marketing Institute
- Larry Kahm, Heliotropic Systems, Inc.
- Tom DeSot, Digital Defence, Inc.
- Kevin Gray, EnvisionIT Solutions
- Justin Lavelle, BeenVerified
- John C. Ahlberg, Waident Technology Solutions
- Robert Siciliano, HotSpot Shield
- Amanda Bigley, Hummingbird Networks
- Isaac Kohen, Teramind
Cyber Security Awareness Training, Advice From Industry Experts
Sr. Cloud Solution Security Architect, Intel Corporation
Jeff Towle is an industry veteran in the Information Security, Governance, Risk and Compliance industries. At Intel, Mr. Towle specializes in optimizing Intel-based security designs to contend with modern-day threat vectors for Cloud Service Providers.
Mindfulness with safeguarding your Identity
An employee’s Corporate Identity is THE critical component to safeguarding all valuable top secret or highly classified documents, customer records, Intellectual Property, or design secrets. Hackers will go to great lengths to trick employees/end-users to steal their access credentials. This goes way beyond just making sure you update your password with strong alpha-numeric characters regularly per corporate password reset policy. A good rule of thumb is to treat all the files, folders, documents, social media, and corporate websites you have been granted access to as you would your own bank account. Sharing your corporate ID is never a good idea, even under temporary circumstances. It’s also a good idea from time to time to check with IT to see what exactly you have access to, especially if you have been at the company for a long time. Do you want access to systems you used 5 years ago? This only creates risk, and it’s OK to ask for a list of things you still may be able to access and request that access be removed.
Attribution of all Business Communications
What is attribution? Simply put, “Do I REALLY know who sent this message to me?” It’s important to train yourself to get into the habit of verifying the author or creator of a digital communication to you (via email, text, social media, automated message, website alert/notification, etc.). This is an awareness technique that’s easy to adopt once you start to just ask the question. With email, you can double-click on a name or hover your mouse on the From: field, and it will resolve to the actual email address. Spam, phishing attacks and malicious ransomware messages often resolve to a string of characters that are easily seen as suspicious. If the email doesn’t end in “companyname.com” you likely are being subjected to some sort of deceptive communication. The same is true of malicious URLs. Instead of clicking on the link to find out what it resolves to, hover your mouse or right click to see what the whole string looks like. These changes in behavior can really make a difference beyond just updating antivirus, OS patching, and firewall security controls.
You can be your own best anti-hacking expert with these simple tips:
- Don’t leave your laptop or desktop alone with applications open. Make sure to have a password-enabled screen saver activated any time you leave your workstation.
- Don’t tailgate. Remember your Identity is critical, and this is true of your employee access badge. It’s only meant to let you into the building, parking lot or server room. Make sure you don’t just let people follow you as a matter of courtesy or convenience.
- Hackers love social engineering. They will call and posture as a co-worker or service agent. They can be very crafty about piecing together information to hack into systems or break or sneak into a building. So beware of those asking questions about scheduling and where people will be at what time. Safeguard information around people’s system access just like you do your own.
- Don’t even read it, delete it. And the worst thing you can do is forward it to others.
- Make sure you have a backup of your laptop or workstation’s data. Ask the IT staff if your data is being backed up regularly. This may be the only way to recover from severe ransomware attacks.
- Believe it or not, you can become a frontline defense security expert to assess whether any application or system you access is vulnerable to some attack. Pay attention to irregular content that’s posted, the amount of time it takes to process information on systems or any strange errors reported in a business process flow. Hackers rely on a lack of incident response planning to have their malware spread and escalate access to damage or steal data, so the sooner you report something that is not normal, the better.
Principal Cybersecurity Consultant, Shades of Gray Security
James Chad Olivier, author of Trust Me I’m Lying: Banks Pay Me to Rob Them, is the owner and Principal Cybersecurity Consultant of Shades of Gray Security.
Make Your Security Training Program More Personal
Training is much more effective following a social engineering test. If you can show them how you tricked them into letting you into the facility, the success statistics of a spear phishing attack, and/or the success of phone call social engineering, it leaves a big impact. Especially on the ones that know they were tricked. I never reveal who was to blame as I explain the test is not a witch hunt, but an awareness exercise.
I use colorful stories from my past exploits to make the lessons more enjoyable. They have just seen one example of a test, so I tell them some other ways an attacker might exploit them. My style is to lighten the mood and tell them from my perspective, which makes it more cinematic in their mind. Like a good suspense thriller. Their responses range from amusement to fright at how easy it is to con people. When I visit them for the next training (often a year later), my clients remember the old tales and tell me how they have seen similar things during that time, and are excited to learn some new stories. This keeps them much more attentive than just a boring statement of policy and procedures.
I don’t make it just about the company. I tell people about how they are tricked personally. How to avoid scams, credit card protection (how to avoid skimmers), and encourage them to share the material with their friends and family. I explain that if we can make ourselves safe, it is better for our employer, our family, and society in general.
If nothing else, no one wants a boring recitation of policy, procedures, and best practices. Liven it up, don’t speak in a monotone voice, and don’t just read bullet points. That applies to any presentation though.
VP of Product Management & Marketing, Security Innovation
Lisa Parcella designs and delivers comprehensive security-focused products and educational solutions for Security Innovation’s diverse client base.
Training Should Engage Staff
Training needs to be engaging to build internal expertise and competency. Here are four ways to keep cybersecurity training exciting for employees:
- Keep it Interactive: Leverage multiple types of interactions to keep learners engaged. Hands-on simulations/real-world training and tabletop exercises are influential in building offensive and defensive cybersecurity skills and help assess an organization’s situational preparedness. This, supplemented with computer-based training and reinforcement assets, is effective in reinforcing lessons learned.
- Groom security champions: It’s much easier to get staff to jump on the security bandwagon if one of their own is driving the adoption versus having it come down as a “must-do” from high-level management.
- Motivate with incentives: From simple recognition to formal awards, incentive programs like belts, certificates, spot bonuses, gift cards, etc. help to facilitate progression and motivate employees to want to learn more.
- Role-Based: Security is a shared organizational responsibility, and there are many stakeholders including general staff, infrastructure, cloud, and development teams, and managers that need to write policy and ensure adherence to compliance and other mandates. Progressive topic-driven modules customized for specific roles are useful in building the required cybersecurity skills.
Digital Marketing Specialist, Shred Nations
Lauren’s company partners with document shredders across the nation and aims to make it easy to keep private business and personal information safe.
Use Real-Life Scenarios in Awareness Training
- Create consequences. If you are implementing new cybersecurity rules, create consequences for following or not following them. Whether it’s a reward or special monthly recognition, or if it’s some kind of punishment for not following your new security rules, give your employees a reason to get engaged.
- Use examples from real life cases. Yahoo, Blue Cross Blue Shield, Equifax and other large organizations have experienced devastating data breaches. Bring these cases to life with numbers and data proving the seriousness of the topic and showing that it can happen to the most sophisticated systems.
- People don’t like change, so if you are implementing new rules make sure to explain *why*, in simple terms that your employees will understand. You know your team better than anyone, explain the information in a way that makes them understand why behavior needs to change, so that even if they don’t like the changes, they understand that they are important.
- Make the information relevant. Too often these types of presentations aren’t industry specific and seem out of touch with what your employees do every day. Bring the information down to their level so that it is at the very least relevant.
President, PlanetMagpie IT Consulting
Robert has worked in the IT industry for 30+ years, consulting on everything from network infrastructure to cybersecurity.
Build each training session around a theme
- Basic email security. Never click on an email link or attachment you are not expecting. Email is the #1 delivery method for malware & ransomware. 60% of all successful hacks occur because of one person’s mistaken click.
- Never use personal email for work. Consumer email does not have business-grade security, backup & compliance features, and all of your emails could become discoverable in a lawsuit.
- Use complex passwords! Store your passwords in password management software and not on sticky notes attached to your monitor! (Begging you here.)
Founder and CEO, Fluid IT Services
Wade Yeaman, founder and CEO of Fluid IT Services, has more than twenty years of experience including leadership and operational responsibility for functions related to both business and information technology.
Use Current Events To Resonate
- Make the training engaging by using real-life scenarios. For example, drop a USB drive in the audience before the training and then during the class ask if anyone found it. Once they respond, ask them what they would do with it. The typical answer is ‘plug it into my computer to see what is on it.’ This is a great tool to show how social engineering works on the human gullibility to infect a machine and an organization.
- Make it relevant and use actual examples from recent current events. Technology is already complicated for non-technical employees to understand, the language is foreign, and most technology professionals are not proficient at translating critical technical terms into easy to understand and relevant business terms. Using actual present-day examples not only makes bridging the gap easier, but it also engages the audience in ways relevant to their experiences. One way is to show real examples of malicious emails and point to specific objects and pieces of information within each email that makes them illegitimate. I always include examples from the past 2-3 weeks to demonstrate what is happening now and also to show the importance of always being diligent.
- Make the presentation fun. This is probably one of the most challenging aspects of the training because nothing about cybersecurity is fun, but mixing in more light-hearted material, such as videos (from The Jimmy Kimmel Show in my example), changes up the monotony of delivery and makes use of humor to get the points across on serious topics.
- Make it collaborative. Many in the audience may be there because they were forced to, but there are always those wanting to learn and participate. Know the industry and business of your audience and ask them questions related to their specific industry, operational area, and even job type. Throughout, ask what they have experienced and what they did about it. Include examples of real security incidents, breaches, ransomware and how those companies dealt with it and recovered. Understanding the amount of time, effort and money expended to recover from an incident, which is often hidden from employees, is very eye-opening. Making cybersecurity ‘real’ will leave everyone more aware of the actual risks they will encounter both professionally and personally.
Chief Security Officer, Anonyome Labs
Neil Readshaw is a seasoned security and compliance executive, who spent over 20 years at IBM overseeing technical direction for security architecture, leading the security workstream for the IBM Cloud Computing Reference Architecture, and programming new global data security products.
Context is the most critical aspect of security awareness training
Context means a few things to me:
- Why it matters to our company, not just generic statements about risk management.
- When the message is relevant to the employees.
- For whom the message matters most, i.e., vary the training content or its delivery by job role, as much as is practical.
Here are some examples of how we train employees:
I try and spend some time with each new employee to reinforce our security culture from the beginning. I hope that also helps the new hires see that my team is approachable and helpful. I also get a benefit from this, as I can learn what the security environment was like at their previous company. It is a great way to get new ideas and challenge the ones with which I am currently comfortable. And it is the right way for new hires from the get-go to understand the robust security and data protection culture we have at Anonyome, and thus what will be expected of them.
Teaching employees how to detect a phishing email is very important, especially as the mailbox is so often the key to password recovery/password reset for other services.
What has been most impactful is showing people real phishing emails that have been received by our employees, as opposed to boilerplate examples. I try and share these examples through our intranet platforms as they happen, to try and capitalize when other employees may be receiving similar phishes.
For the developers in our company, security is about our internal assets, but also how we build and operate systems for our products. The unfortunate data breach at Equifax became relevant for our product teams when they understood that the issues at Equifax were due to old, unpatched software. That was a reminder of why we have procedures around patching systems and keeping our use of open source software components up to date.
We keep formal, recurrent security training to a minimum to avoid cyber safety burnout from employees. However, we regularly check in with key account and data owners to ensure compliance and processes are being adhered to and of course answer any questions employees have.
Author of Bullseye Breach: Anatomy of an Electronic Break-In
Greg Scott is a veteran of the tumultuous IT industry. Greg started Scott Consulting in 1994 and Infrasupport Corporation in 1999. In late summer, 2015, after Bullseye Breach was published, he accepted a job offer with a large, open source software company.
- Keep it simple. Start with care and share to be prepared and expand from there. You have to make the case it is worth their time to care about cyber-security. Once you have made that case, persuade them to share what they learn.
- Make this happen by relating every concept you teach to real-world scenarios, ideally with stories that have protagonists, antagonists, conflict, and high stakes.
- Entertain. Boredom leads to apathy, which is your worst enemy.
Senior IT Consultant, ComputerSupport
I am Mihai Corbuleac, Senior IT Consultant at ComputerSupport.com – IT support company providing professional IT support, cloud and information security services.
Start sessions with relevant and scary cybersecurity statistics.
Facts like 46% of entry-level employees don’t know if their company has a cybersecurity policy or the fact that ransomware threats increased by 36% in 2018 or that 1 in 130 emails contains malware etc. It’s important for people to understand the risks of not being informed and educated regarding cybersecurity.
Secondly, always emphasize how destructive lack of knowledge and negligence could be. Finally, don’t forget to mention that most cyber-attacks could have been prevented if specific protocols had been followed and that due diligence and staying alert represent the state of normality in today’s cybersecurity.
Director of Inbound Marketing, AgileIT
Sean Spicer is a 17-year digital marketing veteran who studied Marketing at U.C. Berkeley and earned a computer science certificate from Harvard.
The biggest issue with any security awareness training program is that the people most qualified to teach it are the same ones who are most liable to talk above their audience’s skill level.
While many of the issues in online security are fascinating, it is easy to lose the attention of your team if you get too detailed.
- Keep it fun. Roleplaying phishing scenarios, talking through real-world attacks, watching the Pwn videos from Rapid7 that detail some of the ways they have successfully breached clients’ security are all fun ways to engage the audience.
- Keep it actionable. Knowing the dangers of ransomware and identity theft is useless if your team members do not know what to do if they are suspicious of something. Have a point of contact or shared email box where they can forward suspicious links.
- Do not victimize, or make examples out of your team. Phishing test exercises are a valuable tool to demonstrate vulnerabilities. However, your most vulnerable employees can feel victimized if they are publicly outed or shamed, which leads to a loss of engagement with the training. Instead of highlighting who failed the assessment, highlight who did the right thing, by forwarding the emails to IT or reporting an unsuccessful penetration testing attempt.
- Be consistent. Complacency is the biggest threat to security, no matter if it is physical security or computer security. Keep your staff up to date on new developments and tools, and make sure to run assessments and micro-training at regular intervals to keep your team vested in the process, and aware of new and emerging threats.
President, Biztek Solutions, Inc.
Cyber Security training should be personable and relatable
- Speak to the employees and how they can secure themselves in their personal lives, not just company policies. This gives them more buy-in and reason to pay attention as you are now delivering them value on what they can do to protect themselves and then translate that into how the same principles apply to the organization. I always give my audience a handful of tips they can use personally first, then move on to company policies and then connect the two. It comes back to the old what’s in it for me? If companies just speak about how employees should protect their business, there is less interest, but if you give them personable tools and tips that also relate to the business, you will find greater success.
- Find engaging content. Videos are best in this day and age. I use videos that demonstrate how easy it is for criminals to hack and gain access to personal information. The videos need to be entertaining, not lecturing.
- Get out of the classroom/meeting room and get hands-on. We provide a service (and several companies do) that provides real-life employee awareness training that involves sending fake malicious phishing emails to our clients’ staff. The emails do no harm, but replicate what actual bad emails do. When employees fall for our emails, they are kindly told that they failed and need to watch a video on what key points they missed. We provide owners and management reports on their company’s phish-prone score, which gets improved quickly (30 days) with testing and sending these emails and watching the videos. This becomes more random and on-demand training that can be as little as 1 minute to 15 minutes but is consistently ongoing and raising awareness amongst the team.
Chief Hacker at PeopleSec, LLC
Joshua Crumbaugh is one of the world’s leading security awareness experts and internationally-renowned cybersecurity speaker. He is the developer of the Human Security Assurance Maturity Model (HumanSAMM) and Chief Hacker at PeopleSec.
- Shorten the length of training sessions to under 1 minute to accommodate short attention spans.
- Simplify messaging to its bare essentials and do not cover more than one topic in a single security awareness program.
- Phish users on a weekly basis.
- Capitalize on just-in-time training by educating at the moment a mistake is realized.
- Anchor lessons in emotion.
Founder & CEO, IRONSCALES
Eyal Benishti is a veteran malware researcher and founder and CEO of IRONSCALES, the world’s first automatic phishing prevention, detection and response platform.
Most cybersecurity awareness training conducted for employees is related to email phishing, specifically providing tips and tricks for how business workers can better identify a malicious email. In theory, this is a sound investment. With nine out of ten attacks beginning with phishing, there is a human vulnerability that needs to be addressed.
The challenge is that today’s attacks are so sophisticated and complex that even hyper-phishing aware employees cannot identify them. As an example, 1 in 3 workers in the utility industry in Michigan recently opened a fake phishing email even though those people are mandated to go through security training. In fact, Verizon estimates that only 17 percent of phishing attacks get reported.
So what should companies do?
For starters, if they are going to invest in phishing training, then they should adopt tools that are gamified and tailored to each user’s specific level of awareness. This method is proven to keep people’s attention spans longer and help trigger information retention. Secondly, and most importantly, organizations must realize that humans alone – no matter how much training – can never be relied upon as an actual security safeguard. Instead, companies should look for ways to have humans and machines work together in layers so that when one misses an attack, the other has its back. In this scenario, each time there is an attack, both the human firewall and the machine get a little smarter, further reducing the risk of future phishing emails being successful.
James Goepel, Vice President, General Counsel, and Chief Technology Officer at ClearArmor Corporation
Improving cybersecurity awareness requires cultural changes
Employees need to better appreciate the potential business impacts of their actions, and they need to be held accountable. Until that happens, training is just something employees have to suffer through, rather than being something they understand they need to do. Accountability does not mean the company focuses on punishing those who do not comply. It can also reward those who do.
This can be achieved, for example, through gamification, with employees who do comply receiving positive rewards, such as Starbucks or Panera gift cards if they achieve and maintain certain scores. These kinds of positive reinforcements help move security from being an afterthought to the forefront of employees’ minds, which in turn helps security become part of the culture.
Over 35 years in IT. Cyber security awareness training for employees is a part-time occupation now that I am retired. End-user support and dealing with security issues occupied most of my working career.
- Actually do training. Even boring training is better than no training. If you do not have the resources in-house, seek outside sources. There are many.
- People enjoy videos these days. There are lots of them out there that help emphasize the severity of the issues. Believe it or not, NOVA (PBS) has some excellent ones on YouTube. Cisco and others have videos that can be used in training.
- I give out candy when someone answers a question posed to the group. It is not a lot but it gets people involved.
- Once a year is not enough. You cannot train one time and expect people to remember everything. The threat landscape continues to change and training needs to evolve to keep up.
With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions.
Test The Effectiveness Of Your Staff Training
- Make it interactive. Whether the training is online or in a classroom, it must be interactive and engaging. Watching videos, hours of PowerPoint, or even mindless cartoons does not work. Any training, regardless of media, must require the end user to engage the instructor, scenarios on the screen, and provide feedback. Making it fun is important but making it positively interactive is critical.
- Make it real-world. Too often training is based on what-if use cases. If you click on this link, if you open this email, if you share your password, etc. this will happen. While these are informative, good cybersecurity training includes real-world examples from other companies (or from within your own) of people doing bad things and the real-world ramifications. If it included the public details from Uber, Equifax, Ashley Madison, Delta, etc. – then employees can relate better to their own experiences.
- Include role-playing and testing. Employees will learn best if they are placed in actual situations that reinforce what they just learned. While standard role-playing is good, testing and cybersecurity certification are required. There is no reason that security teams should stop there. They should perform a light-hearted pen test after training. This could be sample phishing emails, a few loosely dropped USB thumb drives, or even fake phone calls. People always remember training best when tested with real-world role-playing and testing.
- Do not do it in isolation. Any staff security awareness and training should not be from a person’s desk. It should have dedicated time and location even if it requires them to use their own laptop. There are too many distractions.
Senior Director of Business Development, DigiCert
Dean Coclin has more than 30 years of business development and product management experience in cybersecurity, software, and telecommunications.
More useful than training videos are actual tests or exercises.
For example, a phishing exercise where employees are sent random phishing emails to see if they click on links or attachments provides valuable feedback to both the IT department and the employees. A contest amongst employees to see who can spot the most phishing emails (by forwarding them to an alias) puts some friendly competition into the mix while providing a valuable exercise. Rewards can be simple gift cards or a more complex points program which can be redeemed for prizes. Similar activities can target mobile devices or laptops by asking employees to download unauthorized software.
Peter J. Canavan
- Social engineering attacks are the most insidious. You must educate and train your employees on what phishing attack emails may look like, including official-looking logos, a sense of urgency, the need to wire funds or check account or package tracking information immediately. By hovering over the links in a message and noting the URL that appears, many of these phishing attacks can be thwarted. When in doubt, look up the company’s phone number or customer support email on your own and do not rely on the contact information in the email to ascertain validity. However, more and more websites are hacked and have code installed on them that the site owner is unaware of. Just visiting a compromised site can allow malware to get into your systems.
- A great exercise is to have your employees try to spot fake vs. valid emails and to make a game out of it. Divide employees into teams, and then have them mark which emails are legitimate and which are not. The winning team gets a prize (lunch, leave work early, PTO time, etc.)
- Passwords are one of the easiest places to gain entry into a system. Stress the need for strong password security. Use passwords that are LONGER and not necessarily complex. Any password that is 12 characters or longer is almost uncrackable. It would take too much time for a computer/hacker to crack it. Teach them to use easy to use phrases as passwords such as turning vacation time in Aruba into Vaca710n71m31nAruba! which makes an easy-to-remember phrase into a super strong 20 character password.
- Drill into your employees the need to be vigilant and not complacent. Just because they (or your company) have not been hacked before, does not mean it cannot happen. A recent survey by the National Small Business Association found that 50% of businesses they surveyed had reported being victims of cyber attacks, and 3 out of 4 were small businesses with less than 250 employees. The average cost of a cyber attack is around $21,000, and within six months, 60% of those attacked go out of business. Let your employees know that if they want job security, they need to help contribute to your company’s security!
- The apparent need for a robust and centrally managed antivirus solution on all your servers and workstations is a must. Besides, your router’s firewall must be hardened by an expert who knows exactly what the best practices are. Having a solution that combines the two is an excellent option for small businesses.
Robert Huber, CSO, Eastwind Networks
Eastwind Networks is a cloud-based breach analytics solution that aims to protect government agencies and enterprise organizations from cyber threats that bypass traditional security measures.
- Ensure cybersecurity is a part of every employee’s performance goals.
- Gamify the security awareness training program, so there are points amassed, a leaderboard or prizes.
- Ensure the situations reflect real-life concerns of the enterprise. Rather than using generic scenarios, show how a loss of control, loss of personal information, loss of client sensitive information, intellectual property or similar related to the business affects the bottom line, company profits, reputation, stock price, etc.
Benjamin is a cybersecurity attorney specializing in helping businesses understand, manage, and mitigate their cyber risk. He has published extensively and has been featured in a TEDx on cybersecurity and cyberwarfare.
Information security awareness requires hardening the human element
While there are countless strategies for making a data security program useful, to transform a compliance checkbox into a strong security posture.
- Security Awareness training should be a constant presence in the lives of employees. To be effective, a program cannot merely be a quarterly, semiannual, or annual gathering of employees to be lectured on not clicking a link. Instead, it is essential to create an iterative and dynamic process that tests employees through various types of cybersecurity attack vectors, pairs that with general education, and finally develops specific interventions for ‘habitual clickers’ and other weak links in the organization.
- In the same spirit as the previous tip, small nuggets of knowledge doled out regularly are far more effective than drawn out lengthy presentations that are spaced over time. 2-3 minute refreshers or targeted lessons with a specific purpose (risk of phishing, operational security, specific compliance issues, etc.) are far more effective than lumping everything together into a single hour-long (or often longer) session.
- Gamification. The average person is more interested in clicking a link than protecting their company from abstract threats. Thus it is vital for a cybersecurity awareness program to change that dynamic. One of the most useful tools for doing that is gamifying security awareness programs. Gamification refers to the process of turning a mundane task into a game. How to gamify security awareness training is a question that involves creativity and an understanding of the employees of the organization. Depending on the scale of the organization and the resources available, gamification can be something as simple as publicly calling out good acts of security awareness such as reporting a phishing link or completing a training course. For a more intricate and involved solution, an organization can create a public point system that rewards proper conduct and punishes poor practice. The company can give rewards and other benefits to top scorers while hoping that poor performers are encouraged to step up their training.
Chief Scientist, WhiteHat Security
As the Chief Scientist of the Static Code Analysis division at WhiteHat Security, Eric oversees all research and development for Sentinel Source and related products, defining and driving the underlying technology.
The pace of change within and outside of an organization is staggering. Many businesses are in the process of digital transformation where applications and the APIs that connect them are becoming the digital fabric connecting the world. No longer is it taking months or years to build out IT infrastructure and applications. In many businesses today, it might be just a matter of days or hours. We have customers who are pushing application updates multiple times a day.
Cybercriminals are staying on top of this change too, evolving their capabilities at a similar pace. Organizations and individuals must be vigilant when it comes to security education and training, and security vendors need to make it as easy as possible for businesses and consumers to get the training and education they need to stay current on potential cyber threats.
To stay ahead of security risks, here are the top three practices to put in place:
- Enroll in Training Programs: People’s understanding of Security generally falls in two buckets: either the person is uninformed, or the person is informed but their knowledge quickly goes stale. A big part of thwarting attacks is to keep the team trained. There are training programs, some even free such as the WhiteHat Certified Developer Program, that can add to a company’s training and education arsenal and help both security teams and IT/development teams learn valuable secure coding skills and how to secure applications through the entire software development lifecycle.
- Phishing Training: People rely on emails and websites to function on a day-to-day basis, and phishing continues to be an effective means of victimizing users. According to the Verizon Data Breach Investigations Report, 30 percent of phishing messages were opened, and around 12 percent then actually clicked the malicious link or attachment. The best phishing attacks target something that you rely on, whether it be online banking, email or credit cards. Continued education and possibly warnings before executing the links are the best way to combat phishing attacks. Two-factor authentication is a great barrier for anyone attempting to hijack your account. Not only will an attacker need to compromise your username and password, but they will also need to compromise a device as well.
- Security in Context: Covering general security topics will only go so far. Optimal training programs provide curriculums that are tailored to the roles and responsibilities of the individual partaking in the curriculum. By way of example, Software Engineers need to have an understanding of the security implications of clicking an untrusted link, and they must also have an understanding of the security implications of building SQL queries at runtime using user-data.
Mike Meikle is a Partner at secureHIM, a security consulting and education company that provides cybersecurity training for clients on topics such as data privacy and how to minimize the risk of data breaches.
Companies should include information on general security threats, how hackers compromise systems (social engineering, malware, etc.), top hacker targets (Facebook, Twitter, LinkedIn), defense techniques, an overview of the hacking ecosystem, and the cost of lost data to the organization.
Initially, training should be done in-person with a presenter. A slide presentation with topics that highlight how hackers affect the specific organization’s industry should be included. Live websites and video should be used to keep the audience engaged.
Follow-up security awareness presentations can be via a recorded webinar that is updated to reflect the changing threat landscape. After the recorded session there should be a quiz to measure how effective the presentation was with the target employees.
Also, the Information Security group can send out regular email blasts on threats and create a monthly newsletter or blog to keep security in the forefront of employees’ minds.
The best way for organizations to protect their data and keep their employees from compromising security is to train them on information security best practices. This must be done on a continual basis, in layman’s terms and at a minimum of six-month intervals. Sixty to seventy percent of data breaches are due to social engineering and hardware theft; an issue best addressed by training.
If an organization keeps the issue of information security in front of employees, makes it engaging and keeps the organization informed on how threats are impacting the company, then the employees will have a reference point on how their behavior is impacting or could impact the company.
People love hacker stories. As part of our business we handle data breaches for companies, so we have plenty of stories on how hackers broke into organizations and what they did once inside the network. Many of these stories are relatable and get people interested in the topic. Often we will have 2-3 hacker stories in a briefing to introduce better security practices or ideas.
People like to talk about themselves. I make sure that I provide plenty of time for people to ask questions about their personal cybersecurity concerns related to their email, social media and smartphone use. The concerns that are typically expressed by one person in the group are usually shared by others and always lead to lively discussion and better training.
President, Data Center Sales & Marketing Institute
Joshua Feinberg is a digital strategist and revenue growth consultant, specializing in the data center, mission-critical, and cloud services industries. He is also the president of the Data Center Sales & Marketing Institute.
- Avoid cyber security courses where IT teams are scolding employees for being careless about their use of IT assets. While the 1990s SNL skit with Jimmy Fallon (Nick Burns, Your company’s computer guy) is sure to be an excellent icebreaker for what your IT team shouldn’t be acting like, it’s far better to infuse a tip or two into other company meetings that employees want to attend.
- Use stories/videos to drive home the point. A few minutes on YouTube, looking for current events about breaches, should yield plenty of 2-5 minute videos worth watching. For example, it’s widely known that a very high-ranking 2016 U.S. presidential campaign manager was compromised over essentially not having two-factor authentication turned on (which brings me to my next point).
- Accept that shadow IT exists and provide department/application-specific advice. For example, show what should be done in settings to protect against the basics: turning on two-factor authentication, enforcing strong passwords, and forcing SSL usage in webapps. A tech-savvy power user in finance or marketing can often be a great person for your IT team to partner with on these efforts.
- Point out the dangers of public WiFi and why VPN software is so critical. Anyone with young kids, or who remembers being a kid, can relate to the telephone game, where you whispered in your friend’s ear to reveal a secret. This is an excellent analogy for this topic.
President, Heliotropic Systems, Inc.
Larry Kahm is president and owner of Heliotropic Systems, an IT provider for small businesses and entrepreneurs, located in Fort Lee, NJ. He has clients throughout eastern Bergen County, New York City, and Long Island.
Some general “rules of thumb” about emails that ask you to pay for invoices or to send out financial or client data:
- The same rule as you would use for a phishing email: Be very skeptical.
- If you have an admin handling your mail, make sure they ASK directly, or by phone or text, before they take any action.
- If the email is from someone you know, call them to double-check.
- If the email is from someone you do not know – do NOT call them. It is likely that they will try to use social engineering to convince you to send it.
- Do NOT send attachments if you do not know who requested them.
- If you are at all uncertain about the email’s legitimacy, delete it. If someone really and truly needs something – they will get back to you!
I realize that this last one flies in the face of all social contracts. But each of you has to weigh how much you value your business’s security program over some possibly ruffled feathers.
EVP and CIO, Digital Defense, Inc.
As chief information officer, Tom is charged with key industry and market regulator relationships, public speaking initiatives, key integration and service partnerships, and regulatory compliance matters. Additionally, Tom serves as the company’s internal auditor on security-related matters.
Build A Powerful In House Defense Against Cybercrime
- Arm employees with the required knowledge to thwart information security intrusions designed to help train, educate and reinforce a security-aware employee base.
- Use All Tools Available to Fight Hackers – Kick off a new way of training and create maximum excitement and support by leveraging a fun and enjoyable staff security awareness program.
- Improve Your Team’s Security IQ – Easily deploy fun and engaging animated videos to all employees regardless of keeping security awareness top of mind. Easy and convenient, these videos will be accessible from multiple platforms (PC, laptop, iPad/tablet or mobile device).
Vice President, EnvisionIT Solutions
- Employees need to be educated on what a phishing email looks like and why they are BAD. We do this by sending out test phishing emails and tracking which employees click on the link in the test email, and then we can educate that employee on a personal level.
- Another great tip is to not use or connect your devices to public WiFi (i.e., hotels, airports, Starbucks, etc.). Use your phone’s hotspot, so you are not allowing other devices to view your network access.
- Sessions are often boring wastes of time, both for employees and the IT teams responsible for them. How do you avoid this? – Whether we are educating our clients or presenting at a cyber security conference, we always do 2 things to make the event not a boring waste of time: 1.) FOOD – we always have food and provide catering at our events and 2.) Give away gift cards throughout the presentation and at the end. Ask questions to get audience participation and give away $$. The bottom line on cybersecurity and reducing your risk is TRAINING/EDUCATION. You have to make it a priority to educate your employees.
Chief Communications Officer, BeenVerified
BeenVerified is a leading source of online background checks and contact information. It allows individuals to find more information about people, phone numbers, email addresses, property records, and criminal records in a way that’s fast, easy, and affordable.
Start an Employee Security Awareness Program ASAP
The secret sauce for cybersecurity is focusing on two simple things – Talk about it and think about it. The reality is that dealing with security is a business issue (not an IT issue) and it involves hundreds of little things (usually not expensive or time-consuming) and not just the several big things you think you need to be doing (which can be costly and time-consuming).
Talk about it. We have found great success just getting people in the same room and telling stories. Call it a lunch and learn or do it in the afternoon and call it a snack and learn. The company buys some food, and everyone has to show up. It takes an hour or less; have someone come prepared with some best practices and stories of how people have made poor security decisions (we play this part for our clients). It is amazingly powerful seeing one employee explain how they got a phishing email and how they fell for it and say how they avoid it in the future, and then hearing weeks later that someone else in the room saw the same thing but was not a victim because they listened to that story. It is super simple and really works. Just talk about it.
Think about it. Most people do not want to bother thinking about security. It is easier to turn a blind eye and think nothing bad will ever happen to you. All the business person needs to do is to make a conscious effort to think about security. Ask their IT for information about their business applications and such – manage who has access with privileged access management, what rights do users have, what is the password policy (complex and expire after X months), should you be using MFA (Multifactor Authentication), reports for antivirus and software updates, etc. Also think about if there are any concerns with other business areas – physical access control, third parties like banks, etc. Think about it and you will be more secure.
Identity Theft Expert with HotSpot Shield
Train your staff and test your employees
- After presenting information about security awareness, come up with a scheme to set up a situation where employees are given the opportunity to open a very alluring link in their email. This is called a “phishing simulation.” This link will actually take the worker to a safe page, but you must make the page have a message, such as “You Fell For It.” You should also make sure that these emails look like a phishing email, such as adding a misspelling. The people who fall for this trick should be tested again in a few days or weeks. This way, you will know if they got the message or not.
- Do not make it predictable as to when you are giving out these tests. Offer them at different times of day and make sure that the email type changes.
- Consider hiring a professional who will attempt to get your staff to hand over sensitive business information over the phone, in person, and via email. This test could be invaluable, as it will clue you into who is falling for this.
- Quiz your staff throughout the year, to allow you to see who is paying attention. You want to focus on educating your staff, not disciplining them. They should not feel bad about themselves, but they should be made aware of these mistakes.
- Make sure your staff knows any data breach could result in legal, financial or criminal repercussions.
- Schedule workstation checks to see if employees are doing things that might compromise your business’ data, such as leaving sensitive information on the screen and walking away. Explain how important security is to your business and encourage staff to report any suspicious activity.
Marketing Associate, Hummingbird Networks
Amanda Bigley is a marketing associate for Hummingbird Networks. She enjoys researching and writing about all things cybersecurity.
- Make a game out of it. Provide your employees with security basics of identifying social engineering through a quick read or cheat sheet and then incentivize them to put their knowledge to the test. Consider something like a department-wide game of Jeopardy. This method eliminates the boring lecture and boosts employee morale.
- Train employees as they come. Create material for training employees as they join the company. This will eventually cancel out the need for a large group training and ensure employees are properly vetted from day one. A quarterly quiz could help ensure their cybersecurity knowledge stays fresh and relevant.
- Create entertaining literature. Using the good old ambient marketing method, consider printing bathroom literature that provides employees with some easily consumable content. Taking a humorous tone, inform employees of current cybersecurity risks and tips, or company security news with a weekly, bi-monthly or monthly print which is then displayed on the back of stall doors. Create a simple template that requires little time to update with new info.
Founder and CEO, Teramind
Isaac Kohen is the founder and CEO of Teramind, an employee monitoring, insider threat prevention platform that detects, records, and prevents malicious user behavior.
Cybersecurity awareness sessions for employees can often be boring wastes of time.
Combat the snooze fest of employee education sessions by making them engaging. This can be done by making the courses relatable. Create cybersecurity scenarios that employees can easily understand.
Utilize games, trends, gifs, memes, etc., whatever you need to convey your cybersecurity message. Understand your environment and hone in on whatever applies to your employees. You can easily incorporate funny and relatable scenarios to keep your employees’ attention, all while helping them understand why cybersecurity is vital.