AwareGO security blog

Stay up to date on security threats. AwareGO focuses on security awareness training, we help prevent phishing, tailgaiting, social engineering and multile other threats. Find our Threat-list here

Through many clients and partners, we have gotten this question: “Do you offer phishing simulations?” The answer is no, although we do understand why they’re asking. Phishing simulations have become a standard practice when it comes to cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?

What do phishing simulations do?

In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulations, however, do give companies an indication of where they’re at awareness wise. An awareness score, if you will. But it only applies to the kind of phishing that was tested in the simulation. What it doesn’t tell you is how these employees (no matter how well they did with not clicking links or opening attachments) react to other cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work?

Boring security awareness lecture. Everyone falling asleep.
Don’t make your employees sit through long and windy security lectures.

The fact is that when you phish your employees with a simulation you can only test a fraction of the phishing methods that can and will eventually be used to try to scam employees. And hackers are constantly creating new ways to phish and scam. It may look good on paper to say you’ve done a phishing simulation. What it also does is set up your staff, who might resent you for it as well as any subsequent cyber security training they receive as a result. And that’s not the way to build a strong security culture within a company.

Why do you want to do a phishing simulation?

It’s understandable that you’ll want to teach your employees about phishing because that’s usually the start of serious security breaches and hacks. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of many jobs. It’s easy to click on the wrong link or attachment as a routine. That’s where security awareness comes in.

Phishing simulation setting employee up for failure

There are many cyber security firms that offer simulated phishing tests that are designed to test the level of cyber security awareness. Others may be the experts when it comes to phishing simulations and we realize our limitations. Instead, we decided to put all our efforts into offering the most high-quality security awareness training content and make it easily available to businesses of all shapes and sizes. If our clients want to do a phishing simulation that can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary. There’s also this gut feeling we have that tells us that too often they are unethical and can have adverse effects.

What to do instead of a phishing simulation

Number one, two and three, train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.

  • After you start your selected cyber security awareness program have reports of spam, phishing or malware increased? If the answer is yes it means your staff is more aware, not that you‘re being attacked more often.
  • Have your IT team look at proven hacking incidents before and after training began.
  • Have your employees take a test about cyber security before training begins. Test them again in 6 months and then after a year.
  • AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be designed to each employee’s needs based on their success in the game. In addition to having a fun outlet to compete with your fellow employees we hope this new way will make phishing simulations a thing of the past.

Raise awareness, not hackles

There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm. Running a simulation also doesn’t mean that there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%. That they are the ultimate firewall. And it’s not just important for the company, it‘s important for them personally as well.Phishing simulation email on phone at work desk.

If you are going to run a phishing simulation do it with care and purpose. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff instead of setting them up.

Building a strong security culture

What you really want is not just good awareness scores for your files but a strong security culture. Having a strong security culture within you company means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company. And they will help each other keep the company safe.Blurred group of business people representing the human risk in cyber security

This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the company. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.

Punishing people for mistakes is a surefire way to install fear. When employees live in fear, they are less likely to participate in the training and, less likely to report breaches and data leaks. They are also more likely to quit.

Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.

With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.

Did you think GDPR compliance was done at your company once you got your mailing-list subscribers to opt-in? Or once you fixed a few things on your website? From now on it is your organisation’s duty to protect any and all personal information you client or subscriber might give you. Furthermore, you must implement certain data protection principles within your company. These are the basic facts of GDPR and the ones most companies have already complied with. But wait, there‘s more!

Stamp that says GDPR compliant

GDPR is in effect everywhere in the EU. It also applies to every organization that does business with citizens of the EU. According to the GDPR, any company that handles personal data of any kind (be it a European company or non-EU company handling EU citizen‘s personal data), must now implement measures to keep this data as safe as possible. This means that data protection measures need to be in place both within the company‘s systems (such as by encryption) and within the company‘s culture.

GDPR and good security culture

GDPR compliance or not, it always makes sense to take data privacy seriously. Part of complying with GDPR will actually help organisations protect themselves against cyber attacks. Cyber attacks are expensive. Even more expensive than paying those GDPR non compliance fines! When organisations raise their cyber security awareness through active security culture and training, they minimize the threat of attacks. As a result they help safeguard the personal data they are legally obligated to protect under the GDPR laws.

Security training for GDPR compliance
For many companies, implementing a security culture falls onto the DPO‘s role but for others it is the responsibility of the HR or the IT department. Depending on the size of your organisation, resources to implement cyber security awareness training vary greatly but one thing is for certain: If you don‘t have the time or the money to implement security awareness training, you definitely do not have the time or the money to deal with a security breach, fines and loss of data.

Comply with GDPR in no-time

Security Awareness TopicsWe’re here to help! AwareGO has created an easy to use cloud-based Learning Management System (LMS) with high quality security awareness videos that you can start using right away. Adding users to the system is quick and easy and so is sending out security awareness campaigns. Admins can even plan the whole employee training for the year ahead.

Each training video is around 1 minute in length. This minimizes the interruption to your employees and keeps them focused throughout the whole training. We release two new awareness training videos a month on topics ranging from phishing and CEO scams to physical safety such as tailgating and unattended computers. For small and medium businesses our LMS and security awareness training videos are available directly via our website and our prices are very compatible. You can become GDPR compliant in no time.

We believe in our product and we are dedicated to improve cyber security awareness for a safer workplace. That‘s why you can test our learning management system for free and send your employees two of our security awareness training videos as well.

Sign up for a free trial to see what we‘re all about.

Spear phishing is a specific cyber-attack aimed at an individual or individuals that are associated with an organisation.

The US Federal Bureau of Investigation (FBI) gave the following example: “Customers of a telecommunications firm received an e-mail recently explaining a problem with their latest order. They were asked to go to the company website, via a link in the e-mail, to provide personal information—like their birthdates and Social Security numbers. But both the e-mail and the website where bogus.”

The key to spear phishing is that the criminal knows something about the recipient. In the FBI’s example, the criminal knows that the recipients were customers of a telecommunications company. It’s that small piece of information lends credibility to the scam.

The dangers of spear phishing

Imagine your staff getting an email from a criminal that says they would like to place an order at your restaurant. The email includes a word document with instructions to enable editing, and therefore open the floodgates for malware. This is exactly what happened at the restaurant chain Chipotle when millions of customers’ credit card numbers were stolen.

Spear phishing attacks differ from phishing attacks in that they are targeted to a specific group. In a traditional phishing attack, there is no information that shows that the sender knows who they’re reaching out to.

Computer screen showing spear phishing cyber attack with text

How to prevent spear phishing

Educate and train employees

Education is the most important way to prevent spear phishing in your business. Teach your staff what to look for and make sure that they understand the dangers of spear phishing.

Here are some of the guidelines that you can teach your employees to prevent spear phishing: 

● Simply never use links in emails
Teach your employees to never click a link in an email. If a bank, or even your own company, requests that they log in or make changes, they should go to their browser and type in the URL themselves.

● Verify URLs
Every hotlink in an email or even on a website redirects to someplace else. Teach employees to look at the URL more than once before clicking anything. One of the tricks that criminals use is to create a close approximation of a domain. For example, to trick someone into clicking a page, they will change www.usbank.com to www.usbenk.com. The name is close enough to trick someone who is not reading closely.

● Never give out personal data
One simple rule to institute is to tell employees to never share any information like passwords or account numbers. Unless they are instructed to do so by management, they should never share any information. Moreover, they should never share it via email or any other electronic medium. Anything typed into a computer connected to the internet is susceptible to having information stolen.

● Be careful with social media
The more information that employees put on social media, the easier it can be for criminals to spear phish them. Criminals can use online information to increase confidence in the recipients.

Cyber Security Awareness video

Spear phishing prevention with software

 There are several steps that you can take using software that can protect your company.

● Keep your software up-to-date
Spear phishing relies on malware to infect your system. By having the most recent patches and security software, you can minimize the risk of the malware if it arrives.

● Antiviruses
Antivirus software is, and always will be, a necessity. Look for software that scans and updates itself constantly. It could prevent malware from getting a foothold on your server.

● Encrypt sensitive data
File and data encryption is a great way to keep spear phishers from being able to use the data. All of the sensitive data on your network should be encrypted. This keeps any data that a criminal receives from being useful for anything.

● Multi-factor authentication
If someone asks for an employee’s password, but there are multiple layers of protection, the password is useless. For example, if your system is protected with passwords and bio-metrics, a password is useless on its own.

Staying safe from spear phishing

All spear phishing is based on human behavior. Therefore, the best way to make sure that your system stays safe from spear phishing is to teach your staff what to avoid.

The technological solutions are powerful, but education and security awareness training are the most important elements.

Awareness training factsFor over 30 years companies have been connected to networks and the internet. And for almost all of that time they have been dealing with cyber security threats. From all this experience one thing has become absolutely certain … The best way to secure your network and keep your data safe is security awareness among employees. Equally important is the employee engagement in security awareness training.

ChiefExecutive.net wrote an article entitled, “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” In reality, business owners often get great antivirus software and powerful firewalls and that’s great news. The bad news however, is that they forget to factor in the human element when it comes to cyber security. Security Awareness Training is an effective way to help avoid some of the cyber threats that exist in the world. Many of them will arrive on a business’s network via email attachments and malicious websites. Therefore, teaching your staff what to look for is an excellent way to reduce your company’s risk.

Why is employee buy-in so important?

We talk a lot about buy-in in almost everything that we do with staff. In every training, we hope to get employees emotionally invested in what we’re doing. The problem is that getting employees excited about a new loyalty card or the latest  computer program is difficult. Cyber security awareness can impact every employee, customer, manager, and the company as a whole. Employees must understand that the impact of ignoring cyber security could mean the loss of their data or their jobs.

Employee engagement in cyber security because the cost of malware attack is high.
Threats to the company and employee jobs

According to Accenture, the average cost of a malware attack on a company is $2.4 million. In fact, most small businesses are out of business within six months after a breach. Larger businesses can suffer permanent reputation damage from a breach of customer data.
It shouldn’t take much to explain to the staff that $2.4 million is a significant portion of salaries. It can mean the difference between a raise and no raise, layoffs, and lack of help, regardless of how busy everyone gets. In other words, cyber threats are not an abstract concept, but a very real and dangerous threat to the company and to every employee.

Threats to the employees’ data

One threat that most employees don’t think of is their personal data. Every employees’ social security number, their spouses’ and children’s social security numbers are on the company’s network. The same goes for their addresses, telephone numbers, emails and more. Their resumes can also be on the company network. Phishing scams on them, their spouses, or their children can all be easily done with the data that is on their resume. With any luck, all of this will bring home the idea that cyber security is in their best interests as well as the company’s.

Formatting training for employee buy-in

To ensure employee engagement in security awareness training, make the training short and entertaining. In addition it needs to be informative, but it doesn’t need to be boring. The classes can take place over several days or even weeks. Just keep in  mind that nothing annoys employees more than an 8-hour class on something that has nothing to do with their jobs. Therefore you should make the classes short and focus on one aspect of security at a time, such as email security, password security, etc.

The key is to deliver lessons in smaller portions so that everyone can learn what they need to without getting bored.

Another great way to make people aware is to use short security awareness training videos that provide them with learning without even needing to leave their desks. You can confirm that they took the course by having them fill out a test. You could also use a log-in tracker that tells you who looked at the whole training and who didn’t.

Consider offering a reward for great behavior

Of course, not all breaches are obvious, but in most cases, it’s easy to tell how a virus or other piece of malware entered the network. Offering everyone a raise might seem a little outrageous. However, it will probably cost you less than $2.4 million and millions more recovering the company’s reputation.
Let employees teach the classes or appoint superusers that can deliver security knowledge to their peers. Anything that “comes down from on high” is immediately tainted with boredom and strange policies that have no context. If you have an office full of machinists, it will be easier for a machinist to explain to them the importance of cyber security.

The easiest way to ensure employee buy-in for cyber security awareness

The short and simple answer is to include your employees as if their livelihoods depended on it. Because they do!
Approach security awareness from the perspective that this is really their concern too. You’ll be able to speak to them in a way that makes them feel included and not simply lectured at.

Cost of Data Breach in 2018Cyber Security Awareness is more than simply knowing about cyber threats. It’s a series of training, policies, and actions that lead to a higher level of security culture in your business or organisation.

Why do you need cyber security awareness?

Rather than give you a lot of words, here’s the “Global Study at a Glance” from an IBM report:

The average total cost of data breach is $3.62 million

The average cost per lost or stolen records is $141 

The likelihood of a recurring material data breach over the next two years is 27.7% 

Training

“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.” – ChiefExecutive

The above statement has been repeated in one way or another for years. If 9 out of 10 cyber attacks stem from human activity, the first logical step is to start with the humans in the organisation.

cyber attacks stem from human activity
There are a number of elements that your employee cyber security awareness training needs to have:
Awareness training facts

  1. A clear explanation of what cyber attacks are and what to look for – This includes letting them know what a dangerous link might look like and what a computer might do after being infected.
  2. In-depth explanations of the dangerous activities – Speak very clearly to the idea that clicking links, downloading attachments, and other actions can cause the problems. It’s also important to make it clear that it’s the action that causes the problem.
  3. Discuss alternative ways of getting things done – For example, if a staff member gets an email from the bank, they should call the bank or at least go to a browser and log into the bank directly.
  4. Teach people what to do if there is a problem – Don’t just leave them hanging. For example, if ransomware pops up on someone’s computer, tell them to shut down their computer, shut down all of the other computers in the office, and turn off the server. Everything can be turned back on by the technicians.
  5. Be skeptical – Some of the most successful scams are the ones that include someone calling or emailing with a strange request. One invoicing scam involves the accounting department getting an email that says, “We got hacked. Your previous payment for invoice number 56845 is being returned. Please remit to bank number 986685105.” Of course, the new bank number belongs to the hacker and the money gets sent right to them.

This is not all that needs to be in your training, but these are important elements that are often forgotten.

The key to training is that it’s not a one-time thing. Everyone should get monthly reminders and annual follow-up training.

Keep cyber security awareness top-of-mind and you’re much less likely to have a problem.

Policies

What is Security Awareness Training - it is not a one time thingPolicies will not stop cyber attacks or the behavior that makes them possible. What policies can do is give everyone clear guidance on what to do if there is an attack and everything they can do to prevent it. Here are a few examples of effective policies that you can implement:

Every device, even personal ones, must have active anti-virus software

Provide your staff with antivirus software on their personal devices, like mobile phones and laptops. Often, employers will complain that this will cost money but the average cyber attack is breathtakingly expensive. Look at the IBM report above; the average data breach costs $3.62 million. In the light of this information the ROI on proper security awareness training is very high. It’s worth the investment.

All staff members must be trained to avoid problems

Everyone, including the CEO, must be trained to stay out of trouble. There is a term for scamming the CEO online; it’s called whaling. It has name because it has happened often enough to earn a name. The famous data breaches at the Democratic National Committee and high-level government officials in the US in 2016 were caused, not by a brute force attack, but by emails with malware in them. Everyone is vulnerable.

No one will get fired for making an honest mistake

This is an important policy. If your staff is afraid they’ll get terminated, they won’t tell you there’s a problem until it’s too late.

These are just a few ideas, but they should help you to get started.

Actions

There are a number of things that you can do to stay cyber secure:

Look for next-gen anti-virus software

Most traditional antivirus software is static. It updates once a day and only scans when it’s told to. New antivirus software is cloud-based. It is updated constantly as the maker updates their files online. The software is also constantly crawling your servers and workstations looking for problems.

Lock and guard your server room

One of the silliest ways that information gets stolen is when someone just goes into the server room and steals the data. Better yet, put your data in the cloud and you won’t have that worry.

Add new levels of security

Passwords are no longer enough. Add bio-metrics and extra layers of security to keep your network safe. This is especially important for any device that might leave the building and the possession of a staff member. Additionally laptops stolen from cars are notorious for lost data. Lock them down tight.

What is cyber security awareness?

Cyber security awareness the knowledge that your data is under threat and knowing what you can do about it. It’s not a “learn it and leave it” idea. It’s an ongoing battle to keep your data, and your customer’s data, safe.

Awareness training facts

Security awareness training is vital for businesses of all sizes. Many businesses rely on software and policies to keep their data secure, but that’s not enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking related breaches used weak or stolen passwords. It’s simple: Employees are the biggest gap in your security wall. No matter how great your software is, it only takes one person to click the wrong link, and you have a massive security breach that costs an average of $100,000 to recover from.

A security awareness training program is key to helping employees understand how to avoid problems and how not to be the person who puts the entire network at risk.

Here are 4 important security awareness tips that you need to know before you start training your employees.

Security Awareness Tip no. 1

71% of organizations were successfully spear phished in 2014

Spear phishing is a targeted attempt to gain access to an executive’s credentials, like passwords. This is contrasted with just-plain phishing where a trap is laid in the hopes that someone will fall into it.
Spear phishers target executives, often a specific executive, in an attempt to get into a certain system.

Spearphishing email on phone fact
Spear phishing, like most hacking attempts, is a behavior-based hack. Many business owners think of hackers as using software to break past a firewall or trying to find a backdoor into a piece of software. In truth, over 90% of all hacks occur because someone clicked a link in an email, opened an infected attachment on an email or went to a malicious website.

The 2016 US Presidential campaign hacks were the result of spear phishing attacks. An email was sent out by hackers saying the user needed to change their password. The user did, but it was on a bogus site. Then the hackers stole their password and data.

Another technique which was used was to infect the network with spyware that was able to observe online activity and the hackers stole passwords and emails that way.

Over ⅔ of executives have been successfully spear phished. This means that it’s not about intelligence or education; security awareness training is about knowing what to look for in emails and on websites.

Security Awareness Tip no. 2

Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it

Antivirus and anti-malware software are vital, but they’re not foolproof. Even if a program is actively scanning your system, it might not find a phishing attack for hours, days or it might not find it at all. Most antivirus software doesn’t actively scan. Furthermore, most of the software scans only once or twice a day and it requires periodic updates. For an average of almost 18 hours phishing emails will hang in someone’s inbox, waiting to be opened, before anti-malware software finds it and neutralizes the threat. For this reason teaching staff to recognize phishing emails is imperative. Lots of folks figure, “We have antivirus software, so if it’s in my inbox, it must be okay.” Dispelling this myth needs to be part of your training.

Security Awareness Tip no. 3

Security awareness training can reduce a company’s exposure by up to 70%

Cost of security breach factFew things will give you the ROI that security awareness training does. According to the most recent IBM Cost of a Data Breach Study, on average, a breach costs $148 per stolen record. Take a moment to consider that – that means that if you have 100 records stolen, it will cost your company $14,800. A thousand records would be $148,000!
What’s the average size of your spreadsheets or data files that contain client or staff information? Multiply that by $148 and see if you’re willing to pay that amount or the cost of a good security awareness program.

If you can reduce your exposure to loss by 70%, why wouldn’t you do it?

Security Awareness Tip no. 4

Employee data is often stolen too

When we think of data breaches, we often only consider customer data – information entrusted to us by our customers. What many employees forget is that their data is on the company network as well.
Every employer has their employees’ social security numbers, but that’s not all they have. Employee’s personal email logins can be found on most systems. In addition there are addresses, phone numbers, social security numbers of children and spouses, medical data, emergency contacts’ personal data and more is sitting on the company’s network.

If the network is hacked, there’s a very real chance that employees’ personal data will be taken as well.

What all of this means for your company and employees

All of this is important to understand as you start training your employees. Each of these security awareness tips is a lesson that needs to be clearly understood.

  • 71% of executives were successfully spear-phished in 2014 – Unless one is to assumes that 71% of executives have below average intelligence, being smart has nothing to do with your vulnerability. It has to do with attention to messages and knowing what to look for.
  • Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it – Staff can’t rely on antivirus/anti-malware software to protect them. They must be vigilant.
  • Security awareness training can reduce a company’s exposure by up to 70% – The ROI of security awareness training far outweighs any costs incurred. In fact, other than locking the front door, there isn’t anything a staff member can do that can save the company more money.
  • Employee data is often stolen too – This is personal. Each employee needs to understand that the company’s servers contain their data as well. They need to know that they are as vulnerable as anyone else.

Security awareness training is simply part of life in the modern computer age. It needs to happen.

Security awareness training is part of life in the connected world of the 21st century. Integrating agile security awareness training with your company’s policies and culture is the only way to make sure it works well for your needs.

What is security awareness training?
Security awareness training is nothing more than teaching employees what to look for and what to do to avoid being hacked or “phished”, such as clicking a link that will steal data or get their password.

The ROI of security awareness training is huge since average cost of a large scale breach is $3.86 million, according to IBM’s latest Cost of a Data Breach Study.

What is “agile” security awareness training?

Your security awareness training should be able to adapt not only to your company’s needs but also to the changes in security threats. Every day, hackers are looking for new ways to get into your system. Your policies need to adapt to that and be ready for everything.

In 2001, a group of software developers got together in Utah and decided that they needed to create a set of principles that would govern how software was being developed. They saw that software was big and clunky. Furthermore, it was being designed in a way that made it difficult to update and improve. And it was being created in a way that made cool-looking software that was actually a nightmare for users. They issued the Manifesto for Agile Software Development

“We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

That is, while there is value in the items on the right, we value the items on the left more.”


Making your security awareness training agile

Taking the principles of the Manifesto, we can see a clear path to creating an agile security awareness training program.

Individuals and interactions over processes and tools
Security awareness training is all about individuals and interactions. It’s a person’s interaction with an email or website that causes 90% of security breaches. Think of this training as an individual experience. You can frame information so that it can save your employees, not just at work, but at home, too.

Working software over comprehensive documentation
This is a warning against spending a lot of time on reports and data instead of spending it on actually doing. With security awareness training, this refers to how you handle an incident. You should spend almost no time blaming the person who created the breach and spend more time using it as a teaching moment.

Customer collaboration over contract negotiation
This training is not about sitting in a room and talking at people. On the contrary, training requires interaction and buy-in from the participants. While the contract negotiation concept might seem out of place, it is a contract. The contract is that you and your employees will protect the customers’ and the company’s assets.

Responding to change over following a plan
Cyber security is changing. This is not a static situation. Bad guys are always looking for new ways to get to your and your clients’ information and it needs to be clear to your employees that this is an ongoing battle. Your team should be prepared to learn constantly and adapt.

Making Cyber Security Awareness Part of your Policies

Company policies must be an honest reflection of how people use electronic devices and how cyber security is changing. If you’re looking for a tone to follow, look at Dell’s Global Social Media Policy.

Here’s an example:

Be Responsible
Ransomware encrypted computerMake sure you’re engaging in social media conversations the right way. If you aren’t an authority on a subject, send someone to the expert rather than responding yourself. Don’t speak on behalf of Dell if you aren’t giving an official Dell response and be sure your audience knows the difference.”

Dell recognizes that their employees will use social media, so they provide guidelines that are as simple as “Be Nice, Have Fun, and Connect.”
Start your agile security awareness training with a simple idea: people will use your network in ways that “they shouldn’t.” This means they will check their personal email whether or not you try to outlaw it. They will look at social media whether or not you tell them they can.

The most effective way to start your plan is with a statement similar to this:

“Hackers and thieves will try to steal our information. You will want to use your smartphone, look at your email, and check Facebook. While we want you to keep it to a minimum (after all, you’re not being paid to chat on Twitter), it’s even more important that you do it safely.” Then you can talk about what to click and not to click. You can also require that every phone connected to your wifi network has antivirus protection (preferably paid for by the company so you can guarantee that it’s up to date). In addition, you’ll want to have a conversation with your staff about the fact that their personal email and internet searches can infect the network, even from their phone or laptop. Although rare, there will come a time when viruses and malware will get through Apple watches and other connected devices.

Another important thing to discuss with staff is how to respond to ransomware attacksEstablish a procedure for handling ransomware and make sure that everyone in the company knows what to do, even those who aren’t often near computers.
Every company has to have policies and procedures in place, but those policies need to be flexible and honest about how people use the internet and their personal devices. 

Agile security awareness is at the heart of survival in the 21st century.

The threats will change, the technology will change, but the weakest link in your security wall will still be people. Make your policies flexible enough so that they can adapt as well. Provide simple and effective security awareness training to make them your strongest line of defense.

icon-ransomware-1You hear about it all the time, from your tech people to the evening news. Ransomware attacks seem be everywhere and it seems like there’s a new and nastier version out every day. The truth is that ransomware is very popular with criminals and it can be very difficult to beat once you’ve been infected. It is possible to prevent ransomware from getting onto your network in the first place and perhaps reset your system if you do get infected. Here’s what you need to know:

What is ransomware?

As a concept, ransomware is fairly simple. A criminal uses a piece of email that prompts someone to open a link or download an attachment to carry out the attack. The malware that is at that link or on the attachment contains instructions to encrypt the entire network. As the malware crawls over the network, it locks down all of the files, the software – everything.

A message appears on all of the infected screens that tells the owner to call a number or send money to an account number. In exchange, the criminals will send or apply an encryption key that will release the data.

The encryption system that they use is nearly unbreakable, being the same level of encryption that most banks and military installations use.

Why are ransomware attacks so popular?

Ransomware encrypted computerOne reason that ransomware has become so popular is that there are automated ransomware designers on the dark web. Anyone can go to one of these designers-as-a-service and create ransomware that they then deploy to the world. Ransomware is also popular for another reason, it gets cash for the criminal. Once you’ve paid the ransom, they might release your computers. You have no guarantee – and they’ve gotten away with your cash.

As much fun as simply destroying things is, the bad guys like getting money even more. There are even some indications that ransomware attacks are being used to fund terrorism and drug cartels.

Avoiding ransomware attacks

Over 90% of ransomware ends up in your network via email. It can be business email accounts or personal email accounts. Once someone has accessed that email and either downloaded an attachment or clicked a link, you’ve got ransomware in your network.
There are a number of steps that you can follow to prevent ransomware from ever making it onto your network:

1) Education

Most importantly, educate your people to never download anything unless they are 100% positive that they know where the email comes from. They should never open unsolicited emails or follow instructions in an email that seems out of place.

2) Next Generation Anti-Virus

Use a “next generation” antivirus program. Most anti-virus programs wait for an update to protect you from a new threat. Those downloads need to be prompted by the company that made the software. With next-gen antivirus, the system updates itself by tracking activity around the world 24/7 as well as actively scanning your network all the time rather than being activated by a user or the clock. Furthermore, most next-gen antivirus programs are cloud-based so any program updates can be handled instantly by the provider.

3) Regular and Consistent Backups

Make sure you backup at regular intervals. While most people know that they should back up their systems, few individuals and small businesses actually do. Larger businesses have begun to catch on. If you have a backup of your system that is current enough, your tech people can scrub your system and restore you to just a couple of hours before the attack.

4) 24/7 Monitoring

Get constant monitoring. Hire an outside firm or create an in-house team to monitor your network 24 hours a day. It can make a huge difference. They will be able to spot an attack, often before anyone else notices, enabling them to stop it before it spreads too far. This type of monitoring is especially effective against brute force attacks, where a hacker attempts to enter your system from the outside.

What to do when your system is held ransom?

If your system is infected, you’ll usually see the ransom message appear on one screen first, then another. The good news is that, if you are lucky, there might be a way to recover your files without paying the ransom.

Worst case scenario: you need a technology team to reset your computers and network.

The most important point

This is the most important point of them all:  with proper security awareness training, your company can avoid 90% or more ransomware attacks. That is why security awareness training is crucial for your business!

Your employee security awareness training should include:

Building awareness of the different types of scams out there: phishing, whaling, spear phishing, and more. With frequent news of cyber security breaches and hacks, one would be forgiven for thinking that people would know what is out there. But generally they don’t. And with businesses having security software and various technical precautions people may think they are pretty safe. But a lot of security breaches happen because of human mistakes that security software, no matter what kind, can’t do anything about. Furthermore, security breaches in businesses often originate with the hacker gaining access to an employee’s private account, and from there getting into the business network. Therefore, effective cyber security awareness training of your employees cannot be underestimated.

Know what to do in case of a ransomware attack. Computers and networks that are turned off don’t spread infection. You’ll want to listen to your own security staff, but for the most part, turning everything off is the first step once you discover you’ve been hacked.

Train your staff on the importance of email and social media policies. The policies that are put in place are designed to protect not only their devices but the company’s network overall. Make sure they are clear on what to do and what not to do.

Ransomware attacks and the 21st century

The idea that anyone with internet access and the ability to get to the dark web can create a ransomware program means that it’s likely that this type of activity won’t stop any time soon. Proactive efforts could save you and your organisation a lot of pain and hassle.

Ongoing education, next-generation antivirus protection, and cloud-based email programs are a significant leap forward in protecting your business. And, once again, education, education, education!

Security Awareness TopicsSecurity Awareness training is essential for companies but can be a daunting task. 

Recently the new General data protection regulation (GDPR) took effect in Europe.  Not only is GDPR compliance necessary for all companies, but this new regulation also makes it mandatory for many companies to assign a dedicated Data Protection Officer (DPO) to handle their data security affairs. There are a lot of things to consider with regards to GDPR, security awareness training program for your employees being one of the most crucial things. That’s where we can help.

What you need to know

It is crucial that all your employees are aware of the cyber security threats out there. Therefore, to give you an idea of what kinds of things your organisation is dealing with, I’ve compiled this Top 10 list of Cyber Security Awareness Topics – the kinds of things everyone in your organisation needs to be aware of today!

1. DATALEAKS

icon-dataleaksWe are human, and the fact is that behind all data leaks there is a human error.

Everyone makes mistakes but security awareness training guides employees on how to react to and report a leak. It can also be hard and embarrassing to admit mistakes. That’s why creating an environment that encourages employees to report mistakes and possible leaks is very important (even if it was an accident or not their responsibility).

Duration matters when it comes to data leaks. The longer a bucket of personal or sensitive information stays open the more significant the threat of the leak. Failure to report a leak can have severe consequences for the individual and lead to hefty fines for the company.

2. SOCIAL ENGINEERING

icon-socailengineering

You are at the largest yearly conference in your industry. You are having fun meeting other people in similar positions and discussing how they are doing things, sharing failures and achievements and learning from each other. However, after a few drinks, the sharing can go overboard, and sensitive information may be discussed and shared.

The intention of the sharing was not bad. You might not realize the serious consequences it can have if the other person is dishonest and shares classified information with someone else.

It is essential never to discuss confidential work issues with unauthorized people, even if you trust them.

3. PHISHING

icon-email-2If you open an email that happens to be a fraudulent phishing email you are just one of  8 million people in the same situation this very day.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity.

The word “Phishing” is a newly coined expression created as a homophone of fishing due to the similarity of using bait in an attempt to catch a victim.

Phishing attacks are typically carried out by email spoofing or instant messaging. They often direct users to enter personal information at a fake website which looks and feels identical to the legitimate one – the only difference may be the URL of the website in concern.

4. TAILGATING

icon-tailgaitingJohn, a former employee of the company you are working for, comes running just when you were about to close the door. He says he’s on his way to meet his former boss. You chat for a minute or two, and then he heads towards the bosses office.

If you remember correctly, John was pretty angry when he got laid off two months ago. What you might not realize is that John, who knows his way around the company, is about to steal some sensitive information as an act of revenge.

Tailgating threats used to be related to thieves stealing physical things by following an authorized person into a secure location. However, in today’s digital society tailgating is often combined with stealing sensitive information which can lead to serious financial consequences for companies.

The threat is usually associated with former employees, thieves, vandals or people that have issues with the company or employees.

5. PASSWORDS

icon-passwords

Your password expires in 2 days… “Ughhh…” you may think, “it’s that time again!” You need to come up with a password that you can easily remember, and it is getting harder and harder to come up with something innovative.

But passwords are crucial to protect your workstation. To create a secure password it is best to use a combination of lowercase, uppercase, symbols, and numbers.

It can make your life easier to come up with a sentence and use one letter from every word.

6. CEOSCAM

icon-ceoYou are browsing through your emails when you notice an email from your the CEO. He claims to be in a hurry and needs you to transfer money to his account quickly.

You quickly transfer the money… But then you notice something strange; his email address is not even from your company.

This scam is a type of phishing, where cyber criminals spoof company email accounts and try to fool an employee, especially in accounting or HR.

Always double check unusual requests from your boss, especially regarding a financial transfer.

7. RANSOMWARE

icon-ransomware-1

Ransomware is a malware or a virus that encrypts the data on your computer or in some cases your whole network. After that, you cannot access your files or pictures, until you pay the ransom, and in some cases not even then.

The most common delivery mechanism of ransomware is by using a phishing scam, attachments sent via email, masquerading as a file you should trust. After they are downloaded and opened, they can take over your computer.

In some cases, ransomware is delivered to your computer via compromised websites which you think you can trust.

If you get infected, there is a small chance you may be able to recover. Check out No More Ransom for instructions.

Best practices to guard against ransomware:

  • Keep a backup of your files and backup regularly.
  • Do not install software unless you know exactly what it is and what it does.
  • Update your operating system and programs when prompted.
  • Never run updates in a browser window.

8. PRINTOUTS

icon-printouts

Printing out documents is part of the job. But printers are sometimes located in open spaces where a lot of people can have access to them.

It is important to properly dispose of your unused documents, failed prints and not to leave them in the printer tray unsupervised for an extended period.

Information in these documents can be worth a lot of money to the wrong people.

9. DUMPSTERDIVING

icon-dumpsterMost companies make special efforts to keep certain types of information secret. This information can include customer lists, financial records, employee and payroll records, product development plans, and many other types of confidential information.

Methods used to protect confidential information can include high-security file cabinets, card reader systems used to control access to sensitive areas, and encrypted fax machines used to send and receive confidential information.

Despite precautions, the employees of many companies continue to throw sensitive information into the trash or recycle bins. If you don’t think this is a problem at your company, make random inspections of your outgoing waste – I guarantee you will be surprised!

It is important to understand that while the information found in your trash bin on any one day may not be significant, the cumulative information gathered over a period of time can be extremely damaging. For example, finding a copy of a few invoices in the trash wouldn’t provide your competitor with a complete list of your customers, but having several months worth of your invoices probably would.

Here are some tips for you to consider:

  • Conduct periodic inspections of your outgoing trash and recycle bins.
  • Provide awareness training for all employees concerning the proper handling and disposal of confidential information.
  • For best security, consider the use of a “DOD Specification” shredder.
  • If you have large volumes of documents that must be shredded, you may wish to consider the use of a “document destruction” service.
  • Watch out for information thrown in “recycle bins”.
  • Make sure that all shredded material is recycled.
  • Keep trash and recycle containers locked.

10. WIFI AT HOME & OPEN WIFI

icon-wifiA home network is often set up in a rush to get connectivity ready as soon as possible. Most people do not take any steps in securing their home network, which often makes them accessible to hackers. A router is usually just a small computer with its own operating systems, software and vulnerabilities. Routers often advertise their type and make directly in the Wireless name (SSID) which makes it easier for hackers to see which type the router is. This may even make it easier for them to get information about how to hack it.

Changing the router SSID and the admin username and password is the first step in securing a home WiFi. Updating a router’s firmware is something that should be done on a regular basis. Most routers fail in notifying users that an update is available even though those updates are essential to patch security holes. It can also be necessary to restart the router every once in a while.

A stolen mobile device is also a risk to both home and office WiFi as the device has direct access to the networks it is connected to. Remotely wiping a stolen device is something that should be done as soon as possible.

Open WiFi

Finally, using free public WiFi networks comes with a number of security risks, but an overwhelming majority of people use it without hesitation. The same features that make them desirable for consumers make them desirable for hackers. The most common threat to public WiFi is the possibility for the hacker to position himself between you and the connection point, making all your traffic go directly through the hacker’s computer. That way it is easy for them to catch passwords or data that is not encrypted.

Hackers can also use public WiFi to distribute malware. If you allow file sharing on your computer, it is quite easy for a hacker to plant infected software on your computer.

If you need any help introducing security culture to your organisation contact us. Our security awareness training videos will help you introduce these threats to your employees with minimum disruption and maximum impact.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity.

The word “Phishing” is a recently coined expression created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Phishing attempts are typically carried out by email spoofing or instant messaging. And they often direct users to enter personal information at a fake website. The look and feel of those websites can be identical to the legitimate ones and the only difference is the URL of the website in concern. Recognizing phishing emails before you get scammed is very important. 

Example of an email scam:

email-1

Fake social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that distribute malware.

There are ways to recognize phishing emails

Here are the most common indicators:

  1. Bad grammar
  2. Missing or strange fields in email.
  3. Salutation is missing.  This can be an indicator of phishing email.
  4. Aggressive call to action. Businesses do not regularly require you to update your payment information or your passwords. Be wary of emails that ask you for too much information or use aggressive wording.
  5. If it sounds to good to be true – it is!
  6. Graphic is fuzzy. Design and the layout of phishing email often gives it away.  Scammers rarely do their design work properly.

phishing-image-play

Check out our Phishing security awareness video

Key takeaways:

  • Be suspicious of emails that request sensitive information.
  • If in doubt, verify the origin of the email.
  • Think twice before you open attachments or click any links.

Payments available