AwareGO security blog

Stay up to date on security threats. AwareGO focuses on security awareness training, we help prevent phishing, tailgaiting, social engineering and multile other threats. Find our Threat-list here

Our focus has always been one of simplicity, ease of access and, time-saving. That‘s why our security awareness videos are short and our LMS platform simple to use. That‘s also why we offer a complete self service for our customers, if that‘s what they choose. We believe it‘s the simplest security awareness training platform today.

We have now launched a new LMS platform for our clients that is even simpler to use than before. Through vigorous testing and conversations with our clients we’ve designed a sleek LMS for security training deputies (be they CISOs, DPOs or part of the HR team) to use for employee training. You can try AwareGO Premium out now for free and without commitment!

Our security awareness training videos are still there, still of the highest quality, with short, easy to remember lessons that stick and only take a minute of the employee’s time.

Here‘s what‘s new

  • The overall LMS platform has a sleek new look that’s easy to navigate and understand for both admins and employees.
  • We’ve added a new wizard that makes creating new training programs both fast and easy. It also includes ready made training programs divided into several categories, such as Password handling, Out of Office, Email, Healt Care and Finance, to name a few.Screenshot from AwareGO Learning Management system showing creation of security awareness training program
  • Training programs containing several topics can be sent out to recipients all at once or spread automatically over several weeks.
  • The new LMS platform gives admins a better view of how the training is going over all and also by individual users.Screenshot from AwareGO security awareness training LMS platform showing training statistics
  • Admins can look at employee scores unrelated to which training programs they’ve received. They can also send out reminders to employees who have not participated in the training.
  • The employee view has been drastically changed and is now easier to navigate.
  • The report system has been updated and can now be downloaded as a PDF which can be handy to take into update meetings.Screenshot from AwareGO LMS security awareness platform showing a statistics report

 

As before our security awareness training solution can be implemented into any enterprise platform quickly and effectively.

Go check out the world‘s simplest security awareness training platform for free and be on your way to a more secure business and building a sustainable security culture within your company.

Through many clients and partners, we have gotten this question: “Do you offer phishing simulations?” The answer is no, although we do understand why they’re asking. Phishing simulations have become a standard practice when it comes to cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?

What do phishing simulations do?

In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulations, however, do give companies an indication of where they’re at awareness wise. An awareness score, if you will. But it only applies to the kind of phishing that was tested in the simulation. What it doesn’t tell you is how these employees (no matter how well they did with not clicking links or opening attachments) react to other cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work?

Boring security awareness lecture. Everyone falling asleep.
Don’t make your employees sit through long and windy security lectures.

The fact is that when you phish your employees with a simulation you can only test a fraction of the phishing methods that can and will eventually be used to try to scam employees. And hackers are constantly creating new ways to phish and scam. It may look good on paper to say you’ve done a phishing simulation. What it also does is set up your staff, who might resent you for it as well as any subsequent cyber security training they receive as a result. And that’s not the way to build a strong security culture within a company.

Why do you want to do a phishing simulation?

It’s understandable that you’ll want to teach your employees about phishing because that’s usually the start of serious security breaches and hacks. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of many jobs. It’s easy to click on the wrong link or attachment as a routine. That’s where security awareness comes in.

Phishing simulation setting employee up for failure

There are many cyber security firms that offer simulated phishing tests that are designed to test the level of cyber security awareness. Others may be the experts when it comes to phishing simulations and we realize our limitations. Instead, we decided to put all our efforts into offering the most high-quality security awareness training content and make it easily available to businesses of all shapes and sizes. If our clients want to do a phishing simulation that can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary. There’s also this gut feeling we have that tells us that too often they are unethical and can have adverse effects.

What to do instead of a phishing simulation

Number one, two and three, train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.

  • After you start your selected cyber security awareness program have reports of spam, phishing or malware increased? If the answer is yes it means your staff is more aware, not that you‘re being attacked more often.
  • Have your IT team look at proven hacking incidents before and after training began.
  • Have your employees take a test about cyber security before training begins. Test them again in 6 months and then after a year.
  • AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be designed to each employee’s needs based on their success in the game. In addition to having a fun outlet to compete with your fellow employees we hope this new way will make phishing simulations a thing of the past.

Raise awareness, not hackles

There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm. Running a simulation also doesn’t mean that there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%. That they are the ultimate firewall. And it’s not just important for the company, it‘s important for them personally as well.Phishing simulation email on phone at work desk.

If you are going to run a phishing simulation do it with care and purpose. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff instead of setting them up.

Building a strong security culture

What you really want is not just good awareness scores for your files but a strong security culture. Having a strong security culture within you company means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company. And they will help each other keep the company safe.Blurred group of business people representing the human risk in cyber security

This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the company. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.

Punishing people for mistakes is a surefire way to install fear. When employees live in fear, they are less likely to participate in the training and, less likely to report breaches and data leaks. They are also more likely to quit.

Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.

With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.

Why you should always double check new bank information

This June we published a new security awareness video to remind employees to always double check account numbers when paying out invoices. We have a good reason to focus on cyber security awareness for finance divisions as we have heard multiple first-hand accounts of fraudsters sending out bogus invoices. They have also been known to worming their way into correspondence and taking over as soon as there is a mention of invoices or payment.

Security awareness training for financial divisionThe amounts stolen in this manner can range from a few thousand dollars to hundreds of thousands. Perhaps not surprisingly, there is very little that local authorities can do about it. International law enforcement usually doesn’t investigate these matters unless the amount is considerable. Even then the chances of getting your money back are slim to none.

How it’s done

A finance division employee’s computer or a client’s computer might have been compromised by various means. Most likely it was done by a phishing or spear phishing email containing malicious links or attachments. Through that a hacker gained access to the employee’s email correspondence and could follow it closely. They can even glean the individual language and slang of the user. When an invoice is sent out, the hacker grabs that email and sends out another email with their own account information. If the employee on the other end is not vigilant the sum will be paid out to the hacker and not the rightful receiver. When this is discovered the hacker has covered their track and is gone with the funds. This is why companies need to pay special attention to cyber security awareness training for finance division employees. There is a lot to loose. Phishing email sent to financial division

Trust no one

It might sound cynical to say this but when it comes to invoices and account numbers, we should trust no one. Not even invoices issued in the name of companies we’ve been dealing with for years. If email accounts have been breached (or even if someone has gone through the company’s trash) it is possible for hackers to send out bogus invoices in the name of trustworthy companies. The only thing they’ve changed is the bank information for payment.

If the account number is the same as usual and has been paid to before without incident, it should be safe to continue with the payment. If a company suddenly changes its account number or you are making a payment to a new company the safest protocol to follow is to call that company directly and double check the invoice and the account number.Cyber security aware financial division employee double checks account numbers by phone.

Find the number to call through the company’s official web page or an official directory. Don’t trust any information provided in an email until it has been verified that the sender is who they say they are.

Not even your boss

It’s not always invoices in the name of another company that are sent out. Sometimes it’s important emails from a boss or a very high-ranking individual within the company such as the CEO or the CFO. They demand that funds be moved from one account to another ASAP. Such frauds are also known as CEO scams or Whaling.accounting division double check account number

No matter how urgent they might sound, or how often similar orders might have come in the past, such emails should always be verified with a phone call. A good CEO should encourage such vigilance from his employers. It means that the effort spent on cyber security training for the finance division has paid off. And it could wind up saving the company considerable sums.

 

 

 

There are multiple ways to keep customer information and other valuable data safe. For example: locking all computers when they are not in use and using multi-factor authentication for your data servers.

But wait, there’s more! Clear and concise protocols for employees to follow are a great way to ensure data safety. This means companies must have these protocols in place and teach their employees the right way to do things. How to move data from one place to another. Why they should use strong passwords. And how to recognize phishing emails so they don’t get hacked. How? Through security awareness training!

 

Data safety in car

Portable devices and printouts = less data safety

Many employees now use laptops and even bring them home to do additional work. They also use portable drives or flash drives to carry work documents between their home and workplace and to take into meetings. This can prove dangerous as often these devices do not have good encryption and are easy to steal. The same, of course, applies to printouts containing confidential information.

When carrying laptops or portable drives employees must always be aware of data safety. That’s why one of AwareGO’s latest awareness training videos is a reminder not to leave items containing private data in the car. It sounds very simple and should be common knowledge and yet the problem is big enough to dedicate a whole video reminder to this topic alone.

The problem is not that employees don’t care or that they don’t know cars can’t be stolen or broken into. The problem is that they usually don’t think beyond the car or the hardware. Or they believe their car alarm is enough to deter thieves from even trying. They’re not thinking about the valuable information that devices or printouts inside the car might hold and that this might be what the thieves are after.

 

Cars don't have enough data safety

No replacement for stolen data
While the car might not be so easy to steal the valuables inside the car surely are. It only takes a few seconds to get to them. No matter the alarm system the thief will be long gone when someone finally shows up.

The car and actual computer or hard drives might be well ensured or even easy to replace but the same does not apply to confidential data. Once data is out the damage is done. Cyber criminals can use the information to extort you, your clients or to launch spear phishing attacks using the information they just got.

As privacy laws are getting tighter losing private data can result in hefty fines. Then there is the matter of lost confidence from customers and business associates.

 

 

What is Security Awareness Training - it is not a one time thing

 

Every month AwareGO publishes 1-2 high-quality cyber security awareness training videos on various topics, such as data safety, phishing, physical safety, ransomware and more. Each video is designed to help organisations all over the world to keep cyber security top-of-mind and encourage good behavior and digital hygiene.

Ok, we’re pretty sure you’re not throwing a big party in celebration of GDPR’s anniversary, however, perhaps you should! After all, there are multiple benefits to GDPR

Last year companies in Europe and around the world worked hard to implement GDPR in their operations. This meant organisations needed to start thinking about how they collect and store data from their customers and/or subscribers.

Members of the general public will always value their privacy and, after 6 months of GDPR, according to Deloitte‘s findings, a perceptual change had taken place in consumer‘s minds. 44% of respondents believed that organisations cared more about their customer‘s privacy than before.

It gets better

Customer data and privacy are not the only things GDPR will help organisations with in the long rung. GDPR compliance requires organisations to offer cyber security training to their employees. The overall effect of this regulation will not only help them keep their customers‘ data safe but also their own data and their staff‘s.

News of major data breaches have been getting significant amount of coverage in the news over the past few year. Big multinational companies have lost large amounts of consumer data. 17% of Deloitte‘s survey respondents said they would stop using a service or buying from an organisation if they were subject to a data breach. A further 35% said they would make a decision on whether to stay or go based on how well they trust the organisation. A solid reputation clearly goes a long way. 

Having a history of a data breach would raise concerns for 70% of respondents and negatively impacted their level of trust. Consumers in general are obviously well aware of their rights and they do take a company’s reputation into consideration. 

Having a strong security culture in place will minimize the risk of a breach and also give employees clear guidelines on how to react should a breach occur. This can make all the difference between how consumers perceive the organisation and if they want to put their trust in it or not.

Online shopping and data securityArticle 39b of GDPR

If organisations adhere to article 39b of GDPR it means they will be training their employees in cyber security awareness. Those who take this part of the compliance seriously can reduce their risk of a data breach significantly. They also reduce the risk of damaging their reputation, loosing the trust of their customers and the risk of being subject to fines or class action law suits. Cyber security awareness training is not just a luxury reserved for big organisations. Companies with less than 1000 employees are at the greatest risk. Furthermore, according to TechJury, 43% of all cyber attacks seem to be aimed at small companies. 

Human error is the way in for 9 out of 10  successful data breaches, ransomware attacks and other types of cyber crimes. When employees are well trained in cyber security awareness they are less likely to fall for cyber criminals’ schemes, such as phishing. That is how cyber security training can turn employees from a risk to becoming the organisation’s biggest cyber security defense force.

GDPR anniversary 1 year in binary numbers with EU star circleHow have people and organisations responded to GDPR this past year?

  • Over 144,000 queries and complaints were sent to Data Protection Authorities in Europe. A significant increase compared to 2017. (EDPB)
  • 89,271 Data breach notifications were sent to DPA’s.
  • UK government’s Department for Digital, Culture, Media and Sport reported a reduction in the percentage of businesses suffering a cyber-breach or attacks. (IntelligentCISO)
  • 70% of organisations saw an increase in staff focused on GDPR compliance. (Deloitte)
  • 65% of organisations felt they had sufficient resources to sustain GDPR.
  • 87% of organisations now have a Data Protection Officer. (DPO)
  • Well over 70% of consumers are aware of their key rights regarding personal data.
  • The right to erasure had been used by 12% of consumers.
  • 20% of consumers said they had used their right to opt out of direct marketing
  • 60% of consumers are willing to share more data to receive personalised benefits and discounts.

GDPR 1 year anniversary data safety regulationHow to celebrate GDPR’s anniversary?

How about giving your employees and/or co-workers a free GDPR training, courtesy of AwareGO?

We are celebrating 1 year of GDPR with a free trial which includes 3 training videos focusing on data safety.

You can sign up for free and start the training within minutes. Our LMS platform is that easy!

 

Awareness training factsFor over 30 years companies have been connected to networks and the internet. And for almost all of that time they have been dealing with cyber security threats. From all this experience one thing has become absolutely certain … The best way to secure your network and keep your data safe is security awareness among employees. Equally important is the employee engagement in security awareness training.

ChiefExecutive.net wrote an article entitled, “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” In reality, business owners often get great antivirus software and powerful firewalls and that’s great news. The bad news however, is that they forget to factor in the human element when it comes to cyber security. Security Awareness Training is an effective way to help avoid some of the cyber threats that exist in the world. Many of them will arrive on a business’s network via email attachments and malicious websites. Therefore, teaching your staff what to look for is an excellent way to reduce your company’s risk.

Why is employee buy-in so important?

We talk a lot about buy-in in almost everything that we do with staff. In every training, we hope to get employees emotionally invested in what we’re doing. The problem is that getting employees excited about a new loyalty card or the latest  computer program is difficult. Cyber security awareness can impact every employee, customer, manager, and the company as a whole. Employees must understand that the impact of ignoring cyber security could mean the loss of their data or their jobs.

Employee engagement in cyber security because the cost of malware attack is high.
Threats to the company and employee jobs

According to Accenture, the average cost of a malware attack on a company is $2.4 million. In fact, most small businesses are out of business within six months after a breach. Larger businesses can suffer permanent reputation damage from a breach of customer data.
It shouldn’t take much to explain to the staff that $2.4 million is a significant portion of salaries. It can mean the difference between a raise and no raise, layoffs, and lack of help, regardless of how busy everyone gets. In other words, cyber threats are not an abstract concept, but a very real and dangerous threat to the company and to every employee.

Threats to the employees’ data

One threat that most employees don’t think of is their personal data. Every employees’ social security number, their spouses’ and children’s social security numbers are on the company’s network. The same goes for their addresses, telephone numbers, emails and more. Their resumes can also be on the company network. Phishing scams on them, their spouses, or their children can all be easily done with the data that is on their resume. With any luck, all of this will bring home the idea that cyber security is in their best interests as well as the company’s.

Formatting training for employee buy-in

To ensure employee engagement in security awareness training, make the training short and entertaining. In addition it needs to be informative, but it doesn’t need to be boring. The classes can take place over several days or even weeks. Just keep in  mind that nothing annoys employees more than an 8-hour class on something that has nothing to do with their jobs. Therefore you should make the classes short and focus on one aspect of security at a time, such as email security, password security, etc.

The key is to deliver lessons in smaller portions so that everyone can learn what they need to without getting bored.

Another great way to make people aware is to use short security awareness training videos that provide them with learning without even needing to leave their desks. You can confirm that they took the course by having them fill out a test. You could also use a log-in tracker that tells you who looked at the whole training and who didn’t.

Consider offering a reward for great behavior

Of course, not all breaches are obvious, but in most cases, it’s easy to tell how a virus or other piece of malware entered the network. Offering everyone a raise might seem a little outrageous. However, it will probably cost you less than $2.4 million and millions more recovering the company’s reputation.
Let employees teach the classes or appoint superusers that can deliver security knowledge to their peers. Anything that “comes down from on high” is immediately tainted with boredom and strange policies that have no context. If you have an office full of machinists, it will be easier for a machinist to explain to them the importance of cyber security.

The easiest way to ensure employee buy-in for cyber security awareness

The short and simple answer is to include your employees as if their livelihoods depended on it. Because they do!
Approach security awareness from the perspective that this is really their concern too. You’ll be able to speak to them in a way that makes them feel included and not simply lectured at.

Cost of Data Breach in 2018Cyber Security Awareness is more than simply knowing about cyber threats. It’s a series of training, policies, and actions that lead to a higher level of security culture in your business or organisation.

Why do you need cyber security awareness?

Rather than give you a lot of words, here’s the “Global Study at a Glance” from an IBM report:

The average total cost of data breach is $3.62 million

The average cost per lost or stolen records is $141 

The likelihood of a recurring material data breach over the next two years is 27.7% 

Training

“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.” – ChiefExecutive

The above statement has been repeated in one way or another for years. If 9 out of 10 cyber attacks stem from human activity, the first logical step is to start with the humans in the organisation.

cyber attacks stem from human activity
There are a number of elements that your employee cyber security awareness training needs to have:
Awareness training facts

  1. A clear explanation of what cyber attacks are and what to look for – This includes letting them know what a dangerous link might look like and what a computer might do after being infected.
  2. In-depth explanations of the dangerous activities – Speak very clearly to the idea that clicking links, downloading attachments, and other actions can cause the problems. It’s also important to make it clear that it’s the action that causes the problem.
  3. Discuss alternative ways of getting things done – For example, if a staff member gets an email from the bank, they should call the bank or at least go to a browser and log into the bank directly.
  4. Teach people what to do if there is a problem – Don’t just leave them hanging. For example, if ransomware pops up on someone’s computer, tell them to shut down their computer, shut down all of the other computers in the office, and turn off the server. Everything can be turned back on by the technicians.
  5. Be skeptical – Some of the most successful scams are the ones that include someone calling or emailing with a strange request. One invoicing scam involves the accounting department getting an email that says, “We got hacked. Your previous payment for invoice number 56845 is being returned. Please remit to bank number 986685105.” Of course, the new bank number belongs to the hacker and the money gets sent right to them.

This is not all that needs to be in your training, but these are important elements that are often forgotten.

The key to training is that it’s not a one-time thing. Everyone should get monthly reminders and annual follow-up training.

Keep cyber security awareness top-of-mind and you’re much less likely to have a problem.

Policies

What is Security Awareness Training - it is not a one time thingPolicies will not stop cyber attacks or the behavior that makes them possible. What policies can do is give everyone clear guidance on what to do if there is an attack and everything they can do to prevent it. Here are a few examples of effective policies that you can implement:

Every device, even personal ones, must have active anti-virus software

Provide your staff with antivirus software on their personal devices, like mobile phones and laptops. Often, employers will complain that this will cost money but the average cyber attack is breathtakingly expensive. Look at the IBM report above; the average data breach costs $3.62 million. In the light of this information the ROI on proper security awareness training is very high. It’s worth the investment.

All staff members must be trained to avoid problems

Everyone, including the CEO, must be trained to stay out of trouble. There is a term for scamming the CEO online; it’s called whaling. It has name because it has happened often enough to earn a name. The famous data breaches at the Democratic National Committee and high-level government officials in the US in 2016 were caused, not by a brute force attack, but by emails with malware in them. Everyone is vulnerable.

No one will get fired for making an honest mistake

This is an important policy. If your staff is afraid they’ll get terminated, they won’t tell you there’s a problem until it’s too late.

These are just a few ideas, but they should help you to get started.

Actions

There are a number of things that you can do to stay cyber secure:

Look for next-gen anti-virus software

Most traditional antivirus software is static. It updates once a day and only scans when it’s told to. New antivirus software is cloud-based. It is updated constantly as the maker updates their files online. The software is also constantly crawling your servers and workstations looking for problems.

Lock and guard your server room

One of the silliest ways that information gets stolen is when someone just goes into the server room and steals the data. Better yet, put your data in the cloud and you won’t have that worry.

Add new levels of security

Passwords are no longer enough. Add bio-metrics and extra layers of security to keep your network safe. This is especially important for any device that might leave the building and the possession of a staff member. Additionally laptops stolen from cars are notorious for lost data. Lock them down tight.

What is cyber security awareness?

Cyber security awareness the knowledge that your data is under threat and knowing what you can do about it. It’s not a “learn it and leave it” idea. It’s an ongoing battle to keep your data, and your customer’s data, safe.

Awareness training facts

Security awareness training is vital for businesses of all sizes. Many businesses rely on software and policies to keep their data secure, but that’s not enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking related breaches used weak or stolen passwords. It’s simple: Employees are the biggest gap in your security wall. No matter how great your software is, it only takes one person to click the wrong link, and you have a massive security breach that costs an average of $100,000 to recover from.

A security awareness training program is key to helping employees understand how to avoid problems and how not to be the person who puts the entire network at risk.

Here are 4 important security awareness tips that you need to know before you start training your employees.

Security Awareness Tip no. 1

71% of organizations were successfully spear phished in 2014

Spear phishing is a targeted attempt to gain access to an executive’s credentials, like passwords. This is contrasted with just-plain phishing where a trap is laid in the hopes that someone will fall into it.
Spear phishers target executives, often a specific executive, in an attempt to get into a certain system.

Spearphishing email on phone fact
Spear phishing, like most hacking attempts, is a behavior-based hack. Many business owners think of hackers as using software to break past a firewall or trying to find a backdoor into a piece of software. In truth, over 90% of all hacks occur because someone clicked a link in an email, opened an infected attachment on an email or went to a malicious website.

The 2016 US Presidential campaign hacks were the result of spear phishing attacks. An email was sent out by hackers saying the user needed to change their password. The user did, but it was on a bogus site. Then the hackers stole their password and data.

Another technique which was used was to infect the network with spyware that was able to observe online activity and the hackers stole passwords and emails that way.

Over ⅔ of executives have been successfully spear phished. This means that it’s not about intelligence or education; security awareness training is about knowing what to look for in emails and on websites.

Security Awareness Tip no. 2

Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it

Antivirus and anti-malware software are vital, but they’re not foolproof. Even if a program is actively scanning your system, it might not find a phishing attack for hours, days or it might not find it at all. Most antivirus software doesn’t actively scan. Furthermore, most of the software scans only once or twice a day and it requires periodic updates. For an average of almost 18 hours phishing emails will hang in someone’s inbox, waiting to be opened, before anti-malware software finds it and neutralizes the threat. For this reason teaching staff to recognize phishing emails is imperative. Lots of folks figure, “We have antivirus software, so if it’s in my inbox, it must be okay.” Dispelling this myth needs to be part of your training.

Security Awareness Tip no. 3

Security awareness training can reduce a company’s exposure by up to 70%

Cost of security breach factFew things will give you the ROI that security awareness training does. According to the most recent IBM Cost of a Data Breach Study, on average, a breach costs $148 per stolen record. Take a moment to consider that – that means that if you have 100 records stolen, it will cost your company $14,800. A thousand records would be $148,000!
What’s the average size of your spreadsheets or data files that contain client or staff information? Multiply that by $148 and see if you’re willing to pay that amount or the cost of a good security awareness program.

If you can reduce your exposure to loss by 70%, why wouldn’t you do it?

Security Awareness Tip no. 4

Employee data is often stolen too

When we think of data breaches, we often only consider customer data – information entrusted to us by our customers. What many employees forget is that their data is on the company network as well.
Every employer has their employees’ social security numbers, but that’s not all they have. Employee’s personal email logins can be found on most systems. In addition there are addresses, phone numbers, social security numbers of children and spouses, medical data, emergency contacts’ personal data and more is sitting on the company’s network.

If the network is hacked, there’s a very real chance that employees’ personal data will be taken as well.

What all of this means for your company and employees

All of this is important to understand as you start training your employees. Each of these security awareness tips is a lesson that needs to be clearly understood.

  • 71% of executives were successfully spear-phished in 2014 – Unless one is to assumes that 71% of executives have below average intelligence, being smart has nothing to do with your vulnerability. It has to do with attention to messages and knowing what to look for.
  • Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it – Staff can’t rely on antivirus/anti-malware software to protect them. They must be vigilant.
  • Security awareness training can reduce a company’s exposure by up to 70% – The ROI of security awareness training far outweighs any costs incurred. In fact, other than locking the front door, there isn’t anything a staff member can do that can save the company more money.
  • Employee data is often stolen too – This is personal. Each employee needs to understand that the company’s servers contain their data as well. They need to know that they are as vulnerable as anyone else.

Security awareness training is simply part of life in the modern computer age. It needs to happen.

Security awareness training is part of life in the connected world of the 21st century. Integrating agile security awareness training with your company’s policies and culture is the only way to make sure it works well for your needs.

What is security awareness training?
Security awareness training is nothing more than teaching employees what to look for and what to do to avoid being hacked or “phished”, such as clicking a link that will steal data or get their password.

The ROI of security awareness training is huge since average cost of a large scale breach is $3.86 million, according to IBM’s latest Cost of a Data Breach Study.

What is “agile” security awareness training?

Your security awareness training should be able to adapt not only to your company’s needs but also to the changes in security threats. Every day, hackers are looking for new ways to get into your system. Your policies need to adapt to that and be ready for everything.

In 2001, a group of software developers got together in Utah and decided that they needed to create a set of principles that would govern how software was being developed. They saw that software was big and clunky. Furthermore, it was being designed in a way that made it difficult to update and improve. And it was being created in a way that made cool-looking software that was actually a nightmare for users. They issued the Manifesto for Agile Software Development

“We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

That is, while there is value in the items on the right, we value the items on the left more.”


Making your security awareness training agile

Taking the principles of the Manifesto, we can see a clear path to creating an agile security awareness training program.

Individuals and interactions over processes and tools
Security awareness training is all about individuals and interactions. It’s a person’s interaction with an email or website that causes 90% of security breaches. Think of this training as an individual experience. You can frame information so that it can save your employees, not just at work, but at home, too.

Working software over comprehensive documentation
This is a warning against spending a lot of time on reports and data instead of spending it on actually doing. With security awareness training, this refers to how you handle an incident. You should spend almost no time blaming the person who created the breach and spend more time using it as a teaching moment.

Customer collaboration over contract negotiation
This training is not about sitting in a room and talking at people. On the contrary, training requires interaction and buy-in from the participants. While the contract negotiation concept might seem out of place, it is a contract. The contract is that you and your employees will protect the customers’ and the company’s assets.

Responding to change over following a plan
Cyber security is changing. This is not a static situation. Bad guys are always looking for new ways to get to your and your clients’ information and it needs to be clear to your employees that this is an ongoing battle. Your team should be prepared to learn constantly and adapt.

Making Cyber Security Awareness Part of your Policies

Company policies must be an honest reflection of how people use electronic devices and how cyber security is changing. If you’re looking for a tone to follow, look at Dell’s Global Social Media Policy.

Here’s an example:

Be Responsible
Ransomware encrypted computerMake sure you’re engaging in social media conversations the right way. If you aren’t an authority on a subject, send someone to the expert rather than responding yourself. Don’t speak on behalf of Dell if you aren’t giving an official Dell response and be sure your audience knows the difference.”

Dell recognizes that their employees will use social media, so they provide guidelines that are as simple as “Be Nice, Have Fun, and Connect.”
Start your agile security awareness training with a simple idea: people will use your network in ways that “they shouldn’t.” This means they will check their personal email whether or not you try to outlaw it. They will look at social media whether or not you tell them they can.

The most effective way to start your plan is with a statement similar to this:

“Hackers and thieves will try to steal our information. You will want to use your smartphone, look at your email, and check Facebook. While we want you to keep it to a minimum (after all, you’re not being paid to chat on Twitter), it’s even more important that you do it safely.” Then you can talk about what to click and not to click. You can also require that every phone connected to your wifi network has antivirus protection (preferably paid for by the company so you can guarantee that it’s up to date). In addition, you’ll want to have a conversation with your staff about the fact that their personal email and internet searches can infect the network, even from their phone or laptop. Although rare, there will come a time when viruses and malware will get through Apple watches and other connected devices.

Another important thing to discuss with staff is how to respond to ransomware attacksEstablish a procedure for handling ransomware and make sure that everyone in the company knows what to do, even those who aren’t often near computers.
Every company has to have policies and procedures in place, but those policies need to be flexible and honest about how people use the internet and their personal devices. 

Agile security awareness is at the heart of survival in the 21st century.

The threats will change, the technology will change, but the weakest link in your security wall will still be people. Make your policies flexible enough so that they can adapt as well. Provide simple and effective security awareness training to make them your strongest line of defense.

So, you’re the Data Protection Officer? Congratulations! This means one of your primary duties is security awareness raising and the training of staff involved in processing operations. And that’s a simple task, right?

Considering the consequences of not complying with GDPR, one might think that every employee would be a team player, participating in every training on offer. Sadly this doesn’t seem to be the case but here are a few pointers on employee buy-in that might prove helpful.

There are two ways to guarantee that awareness campaigns are a success:

  • Using threats of consequences for not complying
  • Using short, easy to use messages

 

We believe in the latter and that’s why we started AwareGO. The job of the DPO can be a difficult task, we know. And some people just seem to have undying and unyielding faith when it comes to the ability of the IT department and firewalls. We really want to help you get started.  Here is a link to a demo video where you can see an example of how we at AwareGO help DPOs raise security awareness with employees all over the world.

Cyber Security Awareness video

You can also check out our security awareness raising video catalog on our website.

Payments available