What is Security Awareness Training and Why Is It Needed?


In life, it is often said that “it’s not what you know but whom you know”. In the world of cybersecurity, the equivalent saying is “it’s what you know, and what you do with that knowledge, that counts”. Security awareness training has become a vital part of the armory of companies of all sizes. A study by Aberdeen Group demonstrated that security awareness training can reduce cyber attacks by as much as 70 percent.

In a complex cybersecurity landscape, with ever-changing attack methods, and increasingly sophisticated techniques, technology alone cannot protect our organizations. To keep up with cybersecurity threats you need to know what you are dealing with.

Putting the Human into Cybersecurity – Why Security Awareness Training Has Come About

Confidence tricksters have always existed. A con-person will use the natural behavior of an individual to trick them into handing over money, etc. In a modern world, where the internet allows us to connect instantly with each other, the old ways of the scammer have been replaced with their modern digital counterparts. Cybercriminals use versions of old tricks to get us to hand over money, personal data, and login credentials. The only real difference is that this time, technology like emails, mobile apps, social media, and so on, are used as the tools of the trade.

What is Social Engineering?

According to security firm KnowBe4, 98 percent of cyber-attacks use “social engineering” to perpetrate a digital crime.

Social engineering is a catch-all term for the manipulation of human behavioral traits to help carry out a cybercrime. Rather than attacking the technology directly, the cybercriminal uses tricks that play on human behavior and psychology. Emails, mobile messages, social media posts, and phone calls are tailored to encourage us to click on malicious links or download malware-infected attachments. The tricks used play on our natural reactions.

Typical behavior manipulation methods include:

  • Brand impersonation: Social engineering scams often disguise their emails, websites, etc., to look like well-known companies like Facebook, Apple, and government services. The Anti-Phishing Working Group (APWG) found that cybercriminals will use the most popular brands of the day to disguise their phishing emails.
  • A sense of urgency: Phishing emails often use ‘urgent’ messages to encourage a recipient to “click here” or “download an attachment” within a given time. This is to initiate a knee-jerk reaction, so the user doesn’t think before they click.
  • Rewards: Phishing often contains financial or similar rewards to encourage recipients to click on a link.
  • Helpfulness: Sometimes a phishing email will simply prey on the human desire to be nice.

Cybercriminals are always looking out for new ways to socially engineer us. Proofpoint, in their State of the Phish 2019 report, found that large-scale ‘malvertising’ campaigns were targeting users. 35 percent of them tempted users with pirated video and movie streaming. These campaigns use online videos and images to hide malware and exploit kits, subsequently used to infect users.

Other Human-Centric Security Issues

Social engineering is only one way that data breaches and other security issues occur. Human beings are at the center of many other security incidents. Areas like password hygiene and accidental insider threats are also a serious problem; a 2018 Verizon report found that one-fifth of data breaches were caused by human error.

What Does Security Awareness Training Entail?

Where once we depended on firewalls to protect our workplace, we now also need our workforce to help prevent a cyber-attack. But a workforce that does not understand what a cyber-threat looks like, cannot prevent one. This is where security awareness training comes in.

Everybody joins in

Security awareness training is a program of education that is delivered across the entire workforce and sometimes also out into the wider company ecosystem. The training program is usually delivered by a specialized company. The training typically involves teaching staff about the basics of cybersecurity. This includes password security issues, using two-factor authentication, the different types of social engineering, online safety, etc. It also often includes phishing simulation exercises. The analyst firm Gartner keeps a list of well-known security awareness training companies with customer reviews to help you choose the right one for your company.

Different for every company

Security awareness training can usually be tailored to your specific organizational needs. For example, you may have industry regulations that require you to focus on a specific area, like two-factor authentication. Training packages can also be tailored to certain areas of the business to keep them in line with your business goals and operational needs.

Many modern security awareness training packages will use gamification of the modules on offer. A study by the Norwegian University of Science and Technology found that making security training fun helps to cement the lessons.

Ultimately, security awareness training helps to build a cohesive company-wide culture that is security focused.

What Are Phishing Simulations?

Phishing simulations reproduce the conditions of a real phishing attack. Generally, phishing simulations are part of the security awareness training company’s overall package offering. The company will create a phishing simulation exercise tailored for your organization, which will send out realistic phishing emails to anyone involved in the training.

The simulation will take on all of the aspects of a typical phishing campaign. However, instead of capturing personal data and/or infecting a computer with malware, the phishing email will help collect data on your employees’ reactions to it. This will include actions such as clicking on links, downloading attachments, and data on who opened the email. These data result in metrics which can then be used to optimize the training of your staff. They can also be used to demonstrate how well the training is going and help you identify where improvements can be made.
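As an added illustration (this is not code from the original article or from any training vendor), the following Python script shows how the raw events a phishing simulation records can be turned into the metrics described above: per-department open, failure and report rates, repeat offenders across campaigns, a ranked list of where the next round of training should focus, and the change in failure rate between two campaigns. The recipients, campaign names and events are constructed sample data, and the action names (opened, clicked, downloaded, submitted, reported) are assumptions about what a simulation platform might record.

```python
from collections import defaultdict

# Constructed sample data for a hypothetical simulation (not real results).
# Every recipient belongs to one department.
RECIPIENTS = {
    "alice": "finance", "bob": "finance", "carol": "finance",
    "dave": "engineering", "erin": "engineering", "frank": "engineering",
    "grace": "hr", "heidi": "hr",
}

# One event per (campaign, user, action). The action names are assumed;
# a real platform's export will use its own vocabulary.
EVENTS = [
    ("q1", "alice", "opened"), ("q1", "alice", "clicked"),
    ("q1", "bob", "opened"), ("q1", "bob", "clicked"), ("q1", "bob", "submitted"),
    ("q1", "carol", "opened"), ("q1", "carol", "reported"),
    ("q1", "dave", "opened"),
    ("q1", "erin", "reported"),
    ("q1", "frank", "clicked"),
    ("q1", "grace", "opened"),
    ("q1", "heidi", "clicked"), ("q1", "heidi", "downloaded"),
    ("q2", "alice", "opened"), ("q2", "alice", "clicked"),
    ("q2", "bob", "reported"),
    ("q2", "carol", "reported"),
    ("q2", "dave", "opened"), ("q2", "dave", "reported"),
    ("q2", "erin", "reported"),
    ("q2", "frank", "opened"), ("q2", "frank", "clicked"),
    ("q2", "grace", "reported"),
    ("q2", "heidi", "opened"),
]

# Any of these counts as "fell for it": the user did what the lure asked.
FAILED = {"clicked", "downloaded", "submitted"}


def _per_user(campaign, events):
    """Collapse events into the set of actions each user took in one campaign."""
    actions = defaultdict(set)
    for camp, user, action in events:
        if camp == campaign:
            actions[user].add(action)
    return actions


def campaign_metrics(campaign, events=EVENTS, recipients=RECIPIENTS):
    """Open, failure and report rates per department (plus an 'all' total).

    Note: 'opened' usually comes from a tracking pixel, so it undercounts
    users whose mail client blocks remote images; the failure and report
    rates are the more reliable numbers to act on.
    """
    actions = _per_user(campaign, events)
    groups = defaultdict(list)
    for user, dept in recipients.items():
        groups[dept].append(user)
        groups["all"].append(user)
    metrics = {}
    for dept, users in groups.items():
        n = len(users)
        opened = sum("opened" in actions[u] for u in users)
        failed = sum(bool(actions[u] & FAILED) for u in users)
        reported = sum("reported" in actions[u] for u in users)
        metrics[dept] = {
            "recipients": n,
            "open_rate": round(opened / n, 3),
            "fail_rate": round(failed / n, 3),
            "report_rate": round(reported / n, 3),
        }
    return metrics


def repeat_failers(events=EVENTS, min_campaigns=2):
    """Users who failed in at least `min_campaigns` distinct campaigns."""
    failed_in = defaultdict(set)
    for camp, user, action in events:
        if action in FAILED:
            failed_in[user].add(camp)
    return sorted(u for u, camps in failed_in.items() if len(camps) >= min_campaigns)


def training_priorities(campaign, threshold=0.4, events=EVENTS, recipients=RECIPIENTS):
    """Departments whose failure rate is at or above `threshold`, worst first."""
    metrics = campaign_metrics(campaign, events, recipients)
    ranked = sorted(
        ((m["fail_rate"], dept) for dept, m in metrics.items()
         if dept != "all" and m["fail_rate"] >= threshold),
        reverse=True,
    )
    return [dept for _, dept in ranked]


def improvement(before, after, events=EVENTS, recipients=RECIPIENTS):
    """Change in failure rate per department between two campaigns (negative is better)."""
    b = campaign_metrics(before, events, recipients)
    a = campaign_metrics(after, events, recipients)
    return {dept: round(a[dept]["fail_rate"] - b[dept]["fail_rate"], 3)
            for dept in b if dept != "all"}


if __name__ == "__main__":
    for camp in ("q1", "q2"):
        print(camp, campaign_metrics(camp))
    print("repeat failers:", repeat_failers())
    print("focus next training on:", training_priorities("q1"))
    print("change q1 -> q2:", improvement("q1", "q2"))
```

The report rate is worth tracking alongside the failure rate: a department that still clicks occasionally but now reports most simulated lures is giving the security team the early warning that turns a real phishing email into a contained incident rather than a breach.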

Security Awareness Training and Compliance

We are in a period of some turbulence with respect to data protection regulations. Many, like the GDPR and PSD2, are being updated to reflect the modern, data-rich, hyper-connected environments in which we work. Some of these regulations now expect you to carry out regular security awareness training. Regulations and standards that encourage or require security awareness training include:

  • HIPAA (USA healthcare)
  • PCI-DSS (companies that process financial transactions)
  • ISO/IEC 27002 (general)
  • GDPR (general)

The Human Firewall

Cybersecurity is about so much more than technological solutions. Getting security optimized in an organization is a multi-part exercise. It involves technology, security awareness training, phishing simulations, and processes and policies. Cybercriminals are continuously looking for ways into your organization. They also go for the weakest link in any chain. Even a single click on a malicious link in a phishing email can result in infection with ransomware or stolen database login credentials. Fighting back against cybercrime through education is one of the best ways to tackle cybersecurity threats. Well-educated staff can be your greatest asset in the fight against cybercrime – creating a human firewall that works in harmony with your technological security solutions.

Corporate IT security expert
Susan has been involved in the IT security sector since the early nineties, working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology.