It is an unfortunate fact, but cybersecurity is now a serious consideration for every company. Gone are the days when security was something that happened to someone else. Now, security awareness is as much a part of company culture as the coffee break.
Why is this so? Well, the massive increase in cyber-attacks in the last 5-10 years is one reason. Versions of malware, the malicious version of software that causes infections like ransomware, just keep on rising. AV-Test who keep tabs on the numbers of different types of malware, show a year on year growth in malicious software; 2018, saw more than 856 million different variants.
But this awareness of security issues is also because of the changing ways that the cybercriminal operates. The old ‘hacker’ image is replaced by a sophisticated trickster who understands human behaviour. Social engineering is the cyber tool of the century.
And then there is the mass availability of malware. Malware-as-a-Service means that anyone can get their hands-on malware and use it to make money. The cybercriminals are making cybercrime into big business, and the cost is your business.
The end result is that many companies are staring down the barrel of cybercrime. But the fightback has begun in earnest. We can play the cybercriminal at their own game by understanding what they do and how they do it. Security awareness training has entered the ring allowing us to play the cybercriminals at the own game, and win.
Types of topics covered by security awareness training
Being security aware is not just about knowing what a phishing email looks like – although this is part of it. Security awareness covers literally every aspect of working life and includes home life too – especially if your employees work remotely or whilst travelling. The following areas should be covered by any security awareness training course you engage:
What is malware
Teaching your staff about what exactly they are up against is important. This is a fundamental starting point that will ring bells when you talk about things like phishing and the importance of patching.
The session can also be used to demonstrate the tell-tale signs of infection by malware. Users will then be able to notify your organization to help you avert a disaster. The training will also show them what to do to help contain any infection.
According to Microsoft, phishing is still the number one way that malware infection happens. Email, mobile text, and voice are the most common methods used for phishing. Security awareness training should include a dedicated topic on this most prevalent of security threats. The training should give your staff the know-how to spot the tell-tale signs of a phishing attempt.
Some security awareness training programs also offer phishing simulation exercises. These will be tailored to your organization. They send out ‘spoofs of spoofs’ phishing emails to your staff. The staff training can be tested by seeing how they interact with the spoof phishing emails. Metrics are gathered from this interaction and you can then adjust your training to optimise it.
Mobile devices and BYOD
Many companies now allow employees to bring their own devices into work and use them to work on. Coupled with the increasing use of remote and on-the-move working, mobile device security awareness is a must have.
Employees should be trained in all-aspects of mobile security. This can also fit in with other training courses such as patch management and phishing. Employees should be apprised of using a PIN/password to control phone access, the importance of safe app installation, and the safe use of public Wi-Fi.
Social media and being safe online
Social media is often used both in the workplace and at home. It is an open window to the world. Social media can also end up being an open window where sensitive data is thrown out.
A security awareness training program should have a module that covers the safe and appropriate use of social media by staff. It should also dovetail with the phishing and scam modules as this medium is now a conduit for both.
Clean desk policy
A clean desk policy makes sure that your staff understands the importance of security hygiene. That covers everything that could lead to a leak of information, such as not leaving printouts on the printer, keeping passwords safe, and closing computers down when not being used, even for a few minutes.
Passwords and authentication
Best practises in the creation and management of passwords is a fundamental part of security awareness training. Staff should be trained in your company security policy around passwords. For example, does your company mandate the use of specific robust password policies?
Understanding of the principles of multi-factor authentication such as two-factor, should also be part of the security awareness program. Two-factor authentication can have push-back from individuals as it is another layer of interaction, but once people understand how important it is, they are more likely to embrace its use.
Personal data and compliance
Compliance is increasingly on the table in security awareness training. Regulations like GDPR have stringent requirements and heavy fines. Staff needs to understand the part they play in maintaining compliance with data protection laws.
An interesting study from the University of Illinois tested out what would happen if they left a random USB fob on the floor. Around 98% of them were picked up by staff and over half of the staff had a look at what was on the fob.
Staff should be trained in the importance of protecting any removable media.
Patching computers and mobile devices
Malware can infect a computer if the software has a vulnerability in the code. These vulnerabilities are common, and the software vendor will put out a patch to fix it once they find out about it. You’ll no doubt have seen regular security patches from the likes of Microsoft, but pretty much all software vendors have to regularly patch their products as they spot issues.
Staff should be trained to expect patches to be required. Patching should be a topic in your training program as it is very important. Once staff understands why it’s important, they are more likely to do it. Even if they are not directly involved in patching, they may need to reboot a device to complete the update.
Spotting a scam
In an age where scams abound, being scam-aware is vital. Scams such as Business Email Compromise (BEC) make social engineering into an art-form. Training your staff about the different types of scams will give them the armoury to deal with them, not just in the office but at home too.
From Security Awareness Training Topics to People Power
Security awareness training covers many aspects of cybersecurity. It can be a lot for an individual to take in. Making it a fun and engaging process not only means that your staff will stay the course, but that they will likely learn more from the lessons. A number of studies have shown the positive benefits of a fun learning experience. One such study “Does fun promote learning? The relationship between fun in the workplace and informal learning” found that employees were more receptive to learning new ideas if they were introduced in a fun and engaging manner.
Offering interactive security awareness training courses for your staff is one thing, but they also need to be up to date. Cybersecurity challenges are ever-changing. Security awareness training should be carried out on a regular basis with refresher courses based on new events. And, overall, making it fun, accessible, engaging, and interactive are the most important things to making the topics you teach, stick. For now, and the foreseeable future, knowledge looks to be the best weapon we have against cybercrime.
Let the Defence Works help your business avoid cyber security breaches – sign up for a free security awareness training demo, today.