AwareGO security blog

Stay up to date on security threats. AwareGO focuses on security awareness training: we help prevent phishing, tailgating, social engineering and multiple other threats. Find our Threat-list here.

Our focus has always been simplicity, ease of access and time-saving. That’s why our security awareness videos are short and our LMS platform simple to use. That’s also why we offer complete self-service for our customers, if that’s what they choose. We believe it’s the simplest security awareness training platform today.

We have now launched a new LMS platform for our clients that is even simpler to use than before. Through vigorous testing and conversations with our clients we’ve designed a sleek LMS for security training deputies (be they CISOs, DPOs or part of the HR team) to use for employee training. You can try AwareGO Premium out now for free and without commitment!

Our security awareness training videos are still there, still of the highest quality, with short, easy to remember lessons that stick and only take a minute of the employee’s time.

Here’s what’s new

  • The overall LMS platform has a sleek new look that’s easy to navigate and understand for both admins and employees.
  • We’ve added a new wizard that makes creating new training programs both fast and easy. It also includes ready-made training programs divided into several categories, such as Password handling, Out of Office, Email, Health Care and Finance, to name a few.
  • Training programs containing several topics can be sent out to recipients all at once or spread automatically over several weeks.
  • The new LMS platform gives admins a better view of how the training is going overall and also by individual users.
  • Admins can look at employee scores unrelated to which training programs they’ve received. They can also send out reminders to employees who have not participated in the training.
  • The employee view has been drastically changed and is now easier to navigate.
  • The report system has been updated and reports can now be downloaded as a PDF, which can be handy to take into update meetings.


As before our security awareness training solution can be implemented into any enterprise platform quickly and effectively.

Go check out the world’s simplest security awareness training platform for free and be on your way to a more secure business and building a sustainable security culture within your company.

Why you should always double check new bank information

This June we published a new security awareness video to remind employees to always double check account numbers when paying out invoices. We have a good reason to focus on cyber security awareness for finance divisions, as we have heard multiple first-hand accounts of fraudsters sending out bogus invoices. They have also been known to worm their way into correspondence and take over as soon as there is a mention of invoices or payment.

The amounts stolen in this manner can range from a few thousand dollars to hundreds of thousands. Perhaps not surprisingly, there is very little that local authorities can do about it. International law enforcement usually doesn’t investigate these matters unless the amount is considerable. Even then the chances of getting your money back are slim to none.

How it’s done

A finance division employee’s computer or a client’s computer might have been compromised by various means. Most likely it was done by a phishing or spear phishing email containing malicious links or attachments. Through that a hacker gained access to the employee’s email correspondence and could follow it closely. They can even glean the individual language and slang of the user. When an invoice is sent out, the hacker grabs that email and sends out another email with their own account information. If the employee on the other end is not vigilant, the sum will be paid out to the hacker and not the rightful receiver. By the time this is discovered the hacker has covered their tracks and is gone with the funds. This is why companies need to pay special attention to cyber security awareness training for finance division employees. There is a lot to lose.

Trust no one

It might sound cynical to say this but when it comes to invoices and account numbers, we should trust no one. Not even invoices issued in the name of companies we’ve been dealing with for years. If email accounts have been breached (or even if someone has gone through the company’s trash) it is possible for hackers to send out bogus invoices in the name of trustworthy companies. The only thing they’ve changed is the bank information for payment.

If the account number is the same as usual and has been paid to before without incident, it should be safe to continue with the payment. If a company suddenly changes its account number, or you are making a payment to a new company, the safest protocol to follow is to call that company directly and double check the invoice and the account number.

Find the number to call through the company’s official web page or an official directory. Don’t trust any information provided in an email until it has been verified that the sender is who they say they are.

Not even your boss

It’s not always invoices in the name of another company that are sent out. Sometimes it’s important emails from a boss or a very high-ranking individual within the company, such as the CEO or the CFO. They demand that funds be moved from one account to another ASAP. Such frauds are also known as CEO scams or whaling.

No matter how urgent they might sound, or how often similar orders might have come in the past, such emails should always be verified with a phone call. A good CEO should encourage such vigilance from his employees. It means that the effort spent on cyber security training for the finance division has paid off. And it could wind up saving the company considerable sums.


There are multiple ways to keep customer information and other valuable data safe. For example: locking all computers when they are not in use and using multi-factor authentication for your data servers.

But wait, there’s more! Clear and concise protocols for employees to follow are a great way to ensure data safety. This means companies must have these protocols in place and teach their employees the right way to do things. How to move data from one place to another. Why they should use strong passwords. And how to recognize phishing emails so they don’t get hacked. How? Through security awareness training!


Portable devices and printouts = less data safety

Many employees now use laptops and even bring them home to do additional work. They also use portable drives or flash drives to carry work documents between their home and workplace and to take into meetings. This can prove dangerous as often these devices do not have good encryption and are easy to steal. The same, of course, applies to printouts containing confidential information.

When carrying laptops or portable drives employees must always be aware of data safety. That’s why one of AwareGO’s latest awareness training videos is a reminder not to leave items containing private data in the car. It sounds very simple and should be common knowledge and yet the problem is big enough to dedicate a whole video reminder to this topic alone.

The problem is not that employees don’t care or that they don’t know cars can be stolen or broken into. The problem is that they usually don’t think beyond the car or the hardware. Or they believe their car alarm is enough to deter thieves from even trying. They’re not thinking about the valuable information that devices or printouts inside the car might hold, and that this might be what the thieves are after.


No replacement for stolen data
While the car might not be so easy to steal, the valuables inside the car surely are. It only takes a few seconds to get to them. No matter the alarm system, the thief will be long gone when someone finally shows up.

The car and the actual computer or hard drives might be well insured or even easy to replace, but the same does not apply to confidential data. Once data is out, the damage is done. Cyber criminals can use the information to extort you or your clients, or to launch spear phishing attacks using the information they just got.

As privacy laws are getting tighter losing private data can result in hefty fines. Then there is the matter of lost confidence from customers and business associates.


Every month AwareGO publishes 1-2 high-quality cyber security awareness training videos on various topics, such as data safety, phishing, physical safety, ransomware and more. Each video is designed to help organisations all over the world to keep cyber security top-of-mind and encourage good behavior and digital hygiene.

Did you think GDPR compliance was done at your company once you got your mailing-list subscribers to opt in? Or once you fixed a few things on your website? From now on it is your organisation’s duty to protect any and all personal information your client or subscriber might give you. Furthermore, you must implement certain data protection principles within your company. These are the basic facts of GDPR and the ones most companies have already complied with. But wait, there’s more!


GDPR is in effect everywhere in the EU. It also applies to every organization that does business with citizens of the EU. According to the GDPR, any company that handles personal data of any kind (be it a European company or a non-EU company handling EU citizens’ personal data) must now implement measures to keep this data as safe as possible. This means that data protection measures need to be in place both within the company’s systems (such as by encryption) and within the company’s culture.

GDPR and good security culture

GDPR compliance or not, it always makes sense to take data privacy seriously. Part of complying with GDPR will actually help organisations protect themselves against cyber attacks. Cyber attacks are expensive. Even more expensive than paying those GDPR non-compliance fines! When organisations raise their cyber security awareness through an active security culture and training, they minimize the threat of attacks. As a result they help safeguard the personal data they are legally obligated to protect under the GDPR laws.

Security training for GDPR compliance
For many companies, implementing a security culture falls onto the DPO’s role, but for others it is the responsibility of the HR or the IT department. Depending on the size of your organisation, resources to implement cyber security awareness training vary greatly, but one thing is for certain: if you don’t have the time or the money to implement security awareness training, you definitely do not have the time or the money to deal with a security breach, fines and loss of data.

Comply with GDPR in no-time

We’re here to help! AwareGO has created an easy-to-use cloud-based Learning Management System (LMS) with high quality security awareness videos that you can start using right away. Adding users to the system is quick and easy, and so is sending out security awareness campaigns. Admins can even plan the whole employee training for the year ahead.

Each training video is around 1 minute in length. This minimizes the interruption to your employees and keeps them focused throughout the whole training. We release two new awareness training videos a month on topics ranging from phishing and CEO scams to physical safety such as tailgating and unattended computers. For small and medium businesses our LMS and security awareness training videos are available directly via our website, and our prices are very competitive. You can become GDPR compliant in no time.

We believe in our product and we are dedicated to improving cyber security awareness for a safer workplace. That’s why you can test our learning management system for free and send your employees two of our security awareness training videos as well.

Sign up for a free trial to see what we’re all about.

Cyber Security Awareness is more than simply knowing about cyber threats. It’s a series of training, policies, and actions that lead to a higher level of security culture in your business or organisation.

Why do you need cyber security awareness?

Rather than give you a lot of words, here’s the “Global Study at a Glance” from an IBM report:

  • The average total cost of a data breach is $3.62 million
  • The average cost per lost or stolen record is $141
  • The likelihood of a recurring material data breach over the next two years is 27.7%

Training

“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.” – ChiefExecutive

The above statement has been repeated in one way or another for years. If 9 out of 10 cyber attacks stem from human activity, the first logical step is to start with the humans in the organisation.

There are a number of elements that your employee cyber security awareness training needs to have:

  1. A clear explanation of what cyber attacks are and what to look for – This includes letting them know what a dangerous link might look like and what a computer might do after being infected.
  2. In-depth explanations of the dangerous activities – Speak very clearly to the idea that clicking links, downloading attachments, and other actions can cause problems. It’s also important to make it clear that it’s the action that causes the problem.
  3. Discuss alternative ways of getting things done – For example, if a staff member gets an email from the bank, they should call the bank or at least go to a browser and log into the bank directly.
  4. Teach people what to do if there is a problem – Don’t just leave them hanging. For example, if ransomware pops up on someone’s computer, tell them to shut down their computer, shut down all of the other computers in the office, and turn off the server. Everything can be turned back on by the technicians.
  5. Be skeptical – Some of the most successful scams are the ones that include someone calling or emailing with a strange request. One invoicing scam involves the accounting department getting an email that says, “We got hacked. Your previous payment for invoice number 56845 is being returned. Please remit to bank number 986685105.” Of course, the new bank number belongs to the hacker and the money gets sent right to them.

This is not all that needs to be in your training, but these are important elements that are often forgotten.
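The bank-details rule from the invoice post (pay only to an account that has been paid before; otherwise hold and call the vendor on a number from their official website or directory, never one from the email) and the invoicing scam in item 5 above, worked through as an added example that is not AwareGO's code. The vendor name, the phone numbers and the 123456789 account are constructed; invoice 56845 and account 986685105 are the values quoted in item 5.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Decision(Enum):
    PAY = "pay"                    # account already paid to before without incident
    HOLD_VERIFY = "hold_verify"    # new payee or changed account: call the vendor first
    REJECT = "reject"              # verified via an untrusted number, or vendor denied it


@dataclass
class Vendor:
    name: str
    official_phone: str            # sourced from the vendor's website or an official directory
    verified_accounts: Set[str] = field(default_factory=set)


@dataclass
class Invoice:
    vendor_name: str
    invoice_no: str
    account: str                           # bank details printed on the invoice / in the email
    phone_in_email: Optional[str] = None   # any number the email offers; never used to verify


def assess_invoice(inv: Invoice, vendors: Dict[str, Vendor]) -> Decision:
    """Same account as before -> pay; new vendor or changed account -> hold."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None or inv.account not in vendor.verified_accounts:
        return Decision.HOLD_VERIFY
    return Decision.PAY


def callback_number(inv: Invoice, vendors: Dict[str, Vendor]) -> Optional[str]:
    """Number to call for a held invoice. It comes from the vendor record only;
    None means the vendor is unknown and the number must first be looked up in
    an official directory. The number in the email is deliberately ignored."""
    vendor = vendors.get(inv.vendor_name)
    return vendor.official_phone if vendor else None


def confirm_after_callback(inv: Invoice, vendors: Dict[str, Vendor],
                           number_called: Optional[str], vendor_confirmed: bool) -> Decision:
    """Record the outcome of the phone check. Only a call to the number on file
    counts; if the vendor confirms, the new account becomes a verified one."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None or number_called != vendor.official_phone or not vendor_confirmed:
        return Decision.REJECT
    vendor.verified_accounts.add(inv.account)
    return Decision.PAY


def sample_vendors() -> Dict[str, Vendor]:
    """Constructed vendor master data (name, number and account are made up)."""
    return {"Acme Supplies Ltd": Vendor("Acme Supplies Ltd", "+1-555-0100", {"123456789"})}


def run_scenario() -> List[Decision]:
    """Walk through the 'We got hacked, please remit to a new account' email."""
    vendors = sample_vendors()
    trail = []
    # Invoice 56845 as usual: known vendor, account paid to before.
    usual = Invoice("Acme Supplies Ltd", "56845", "123456789")
    trail.append(assess_invoice(usual, vendors))            # PAY
    # Follow-up email: payment "returned", new bank details, and its own 'call us' number.
    redirect = Invoice("Acme Supplies Ltd", "56845", "986685105", phone_in_email="+1-555-0199")
    trail.append(assess_invoice(redirect, vendors))         # HOLD_VERIFY
    # Calling the number from the email proves nothing, whatever is said on the line.
    trail.append(confirm_after_callback(redirect, vendors, redirect.phone_in_email, True))  # REJECT
    # Calling the number on file and having the vendor deny the change: reject.
    trail.append(confirm_after_callback(redirect, vendors, callback_number(redirect, vendors), False))  # REJECT
    return trail


if __name__ == "__main__":
    for step in run_scenario():
        print(step.value)
```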

The key to training is that it’s not a one-time thing. Everyone should get monthly reminders and annual follow-up training.

Keep cyber security awareness top-of-mind and you’re much less likely to have a problem.

Policies

Policies will not stop cyber attacks or the behavior that makes them possible. What policies can do is give everyone clear guidance on what to do if there is an attack and everything they can do to prevent it. Here are a few examples of effective policies that you can implement:

Every device, even personal ones, must have active anti-virus software

Provide your staff with antivirus software on their personal devices, like mobile phones and laptops. Often, employers will complain that this will cost money but the average cyber attack is breathtakingly expensive. Look at the IBM report above; the average data breach costs $3.62 million. In the light of this information the ROI on proper security awareness training is very high. It’s worth the investment.

All staff members must be trained to avoid problems

Everyone, including the CEO, must be trained to stay out of trouble. There is a term for scamming the CEO online; it’s called whaling. It has a name because it has happened often enough to earn one. The famous data breaches at the Democratic National Committee and of high-level government officials in the US in 2016 were caused not by a brute force attack, but by emails with malware in them. Everyone is vulnerable.

No one will get fired for making an honest mistake

This is an important policy. If your staff is afraid they’ll get terminated, they won’t tell you there’s a problem until it’s too late.

These are just a few ideas, but they should help you to get started.

Actions

There are a number of things that you can do to stay cyber secure:

Look for next-gen anti-virus software

Most traditional antivirus software is static. It updates once a day and only scans when it’s told to. New antivirus software is cloud-based. It is updated constantly as the maker updates their files online. The software is also constantly crawling your servers and workstations looking for problems.

Lock and guard your server room

One of the silliest ways that information gets stolen is when someone just goes into the server room and steals the data. Better yet, put your data in the cloud and you won’t have that worry.

Add new levels of security

Passwords are no longer enough. Add biometrics and extra layers of security to keep your network safe. This is especially important for any device that might leave the building and the possession of a staff member. Additionally, laptops stolen from cars are notorious for lost data. Lock them down tight.

What is cyber security awareness?

Cyber security awareness is the knowledge that your data is under threat and knowing what you can do about it. It’s not a “learn it and leave it” idea. It’s an ongoing battle to keep your data, and your customers’ data, safe.

Awareness training facts

Security awareness training is vital for businesses of all sizes. Many businesses rely on software and policies to keep their data secure, but that’s not enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches used weak or stolen passwords. It’s simple: employees are the biggest gap in your security wall. No matter how great your software is, it only takes one person to click the wrong link, and you have a massive security breach that costs an average of $100,000 to recover from.

A security awareness training program is key to helping employees understand how to avoid problems and how not to be the person who puts the entire network at risk.

Here are 4 important security awareness tips that you need to know before you start training your employees.

Security Awareness Tip no. 1

71% of organizations were successfully spear phished in 2014

Spear phishing is a targeted attempt to gain access to an executive’s credentials, like passwords. This is contrasted with just-plain phishing where a trap is laid in the hopes that someone will fall into it.
Spear phishers target executives, often a specific executive, in an attempt to get into a certain system.

Spear phishing, like most hacking attempts, is a behavior-based hack. Many business owners think of hackers as using software to break past a firewall or trying to find a backdoor into a piece of software. In truth, over 90% of all hacks occur because someone clicked a link in an email, opened an infected attachment on an email or went to a malicious website.

The 2016 US Presidential campaign hacks were the result of spear phishing attacks. An email was sent out by hackers saying the user needed to change their password. The user did, but it was on a bogus site. Then the hackers stole their password and data.

Another technique which was used was to infect the network with spyware that was able to observe online activity and the hackers stole passwords and emails that way.

Over ⅔ of executives have been successfully spear phished. This means that it’s not about intelligence or education; security awareness training is about knowing what to look for in emails and on websites.

Security Awareness Tip no. 2

Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it

Antivirus and anti-malware software are vital, but they’re not foolproof. Even if a program is actively scanning your system, it might not find a phishing attack for hours, days or it might not find it at all. Most antivirus software doesn’t actively scan. Furthermore, most of the software scans only once or twice a day and it requires periodic updates. For an average of almost 18 hours phishing emails will hang in someone’s inbox, waiting to be opened, before anti-malware software finds it and neutralizes the threat. For this reason teaching staff to recognize phishing emails is imperative. Lots of folks figure, “We have antivirus software, so if it’s in my inbox, it must be okay.” Dispelling this myth needs to be part of your training.

Security Awareness Tip no. 3

Security awareness training can reduce a company’s exposure by up to 70%

Few things will give you the ROI that security awareness training does. According to the most recent IBM Cost of a Data Breach Study, on average, a breach costs $148 per stolen record. Take a moment to consider that: if you have 100 records stolen, it will cost your company $14,800. A thousand records would be $148,000!
What’s the average size of your spreadsheets or data files that contain client or staff information? Multiply that by $148 and see if you’re willing to pay that amount or the cost of a good security awareness program.

If you can reduce your exposure to loss by 70%, why wouldn’t you do it?

Security Awareness Tip no. 4

Employee data is often stolen too

When we think of data breaches, we often only consider customer data – information entrusted to us by our customers. What many employees forget is that their data is on the company network as well.
Every employer has their employees’ social security numbers, but that’s not all they have. Employees’ personal email logins can be found on most systems. In addition, addresses, phone numbers, social security numbers of children and spouses, medical data, emergency contacts’ personal data and more are sitting on the company’s network.

If the network is hacked, there’s a very real chance that employees’ personal data will be taken as well.

What all of this means for your company and employees

All of this is important to understand as you start training your employees. Each of these security awareness tips is a lesson that needs to be clearly understood.

  • 71% of executives were successfully spear-phished in 2014 – Unless one is to assume that 71% of executives have below average intelligence, being smart has nothing to do with your vulnerability. It has to do with attention to messages and knowing what to look for.
  • Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it – Staff can’t rely on antivirus/anti-malware software to protect them. They must be vigilant.
  • Security awareness training can reduce a company’s exposure by up to 70% – The ROI of security awareness training far outweighs any costs incurred. In fact, other than locking the front door, there isn’t anything a staff member can do that can save the company more money.
  • Employee data is often stolen too – This is personal. Each employee needs to understand that the company’s servers contain their data as well. They need to know that they are as vulnerable as anyone else.

Security awareness training is simply part of life in the modern computer age. It needs to happen.

Security awareness training is part of life in the connected world of the 21st century. Integrating agile security awareness training with your company’s policies and culture is the only way to make sure it works well for your needs.

What is security awareness training?
Security awareness training is nothing more than teaching employees what to look for and what to do to avoid being hacked or “phished”, such as clicking a link that will steal data or get their password.

The ROI of security awareness training is huge since average cost of a large scale breach is $3.86 million, according to IBM’s latest Cost of a Data Breach Study.

What is “agile” security awareness training?

Your security awareness training should be able to adapt not only to your company’s needs but also to the changes in security threats. Every day, hackers are looking for new ways to get into your system. Your policies need to adapt to that and be ready for everything.

In 2001, a group of software developers got together in Utah and decided that they needed to create a set of principles that would govern how software was being developed. They saw that software was big and clunky. Furthermore, it was being designed in a way that made it difficult to update and improve. And it was being created in a way that made cool-looking software that was actually a nightmare for users. They issued the Manifesto for Agile Software Development:

“We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

That is, while there is value in the items on the right, we value the items on the left more.”


Making your security awareness training agile

Taking the principles of the Manifesto, we can see a clear path to creating an agile security awareness training program.

Individuals and interactions over processes and tools
Security awareness training is all about individuals and interactions. It’s a person’s interaction with an email or website that causes 90% of security breaches. Think of this training as an individual experience. You can frame information so that it can save your employees, not just at work, but at home, too.

Working software over comprehensive documentation
This is a warning against spending a lot of time on reports and data instead of spending it on actually doing. With security awareness training, this refers to how you handle an incident. You should spend almost no time blaming the person who created the breach and spend more time using it as a teaching moment.

Customer collaboration over contract negotiation
This training is not about sitting in a room and talking at people. On the contrary, training requires interaction and buy-in from the participants. While the contract negotiation concept might seem out of place, it is a contract. The contract is that you and your employees will protect the customers’ and the company’s assets.

Responding to change over following a plan
Cyber security is changing. This is not a static situation. Bad guys are always looking for new ways to get to your and your clients’ information and it needs to be clear to your employees that this is an ongoing battle. Your team should be prepared to learn constantly and adapt.

Making Cyber Security Awareness Part of your Policies

Company policies must be an honest reflection of how people use electronic devices and how cyber security is changing. If you’re looking for a tone to follow, look at Dell’s Global Social Media Policy.

Here’s an example:

Be Responsible
“Make sure you’re engaging in social media conversations the right way. If you aren’t an authority on a subject, send someone to the expert rather than responding yourself. Don’t speak on behalf of Dell if you aren’t giving an official Dell response and be sure your audience knows the difference.”

Dell recognizes that their employees will use social media, so they provide guidelines that are as simple as “Be Nice, Have Fun, and Connect.”
Start your agile security awareness training with a simple idea: people will use your network in ways that “they shouldn’t.” This means they will check their personal email whether or not you try to outlaw it. They will look at social media whether or not you tell them they can.

The most effective way to start your plan is with a statement similar to this:

“Hackers and thieves will try to steal our information. You will want to use your smartphone, look at your email, and check Facebook. While we want you to keep it to a minimum (after all, you’re not being paid to chat on Twitter), it’s even more important that you do it safely.” Then you can talk about what to click and not to click. You can also require that every phone connected to your wifi network has antivirus protection (preferably paid for by the company so you can guarantee that it’s up to date). In addition, you’ll want to have a conversation with your staff about the fact that their personal email and internet searches can infect the network, even from their phone or laptop. Although rare, there will come a time when viruses and malware will get through Apple watches and other connected devices.

Another important thing to discuss with staff is how to respond to ransomware attacks. Establish a procedure for handling ransomware and make sure that everyone in the company knows what to do, even those who aren’t often near computers.
Every company has to have policies and procedures in place, but those policies need to be flexible and honest about how people use the internet and their personal devices. 

Agile security awareness is at the heart of survival in the 21st century.

The threats will change, the technology will change, but the weakest link in your security wall will still be people. Make your policies flexible enough so that they can adapt as well. Provide simple and effective security awareness training to make them your strongest line of defense.

So, you’re the Data Protection Officer? Congratulations! This means one of your primary duties is security awareness raising and the training of staff involved in processing operations. And that’s a simple task, right?

Considering the consequences of not complying with GDPR, one might think that every employee would be a team player, participating in every training on offer. Sadly this doesn’t seem to be the case but here are a few pointers on employee buy-in that might prove helpful.

There are two ways to guarantee that awareness campaigns are a success:

  • Using threats of consequences for not complying
  • Using short, easy to use messages


We believe in the latter and that’s why we started AwareGO. The job of the DPO can be a difficult task, we know. And some people just seem to have undying and unyielding faith when it comes to the ability of the IT department and firewalls. We really want to help you get started. Here is a link to a demo video where you can see an example of how we at AwareGO help DPOs raise security awareness with employees all over the world.

Cyber Security Awareness video

You can also check out our security awareness raising video catalog on our website.

Every October is the annual Cyber Security Month. But should security awareness only be on the agenda once a year?

I for one sure hope not. I hope cyber security is a subject that’s “on” every month of the year. Cyber security should be a constant reminder for all organisations, complete with employee training all year round. And October should come with an extra oomph. Information about the latest cyber threats and the right response and actions to take will stay fresh in the employee’s mind always, not just one month a year. Cyber security is a subject far more important than that.

It’s your job too!

It’s a common misconception that IT specialists and great firewalls can keep a company safe. Firewalls and code are also not the places hackers of today use to get into your system. Nope! They use people. Nine out of 10 successful data breaches have been carried out through the manipulation of unsuspecting humans. Regular people who weren’t aware that a link could be wrong, that a PDF was malware in disguise, that an email was phishing and hit home. This is how hackers get into your company. Security breaches are no longer done by obscure hacking while sitting in a dark and techno-filled basement.

All year round we see ads on TV or on social media to use seat belts or to not text and drive, vital messages you’ll all agree, right? Well, people are in constant threat of being breached, hacked, fooled or lured into some criminal schemes to get their personal or their company’s data. We need to be constantly aware of those threats as well so we’ll stay vigilant when handling sensitive data, our passwords and our company’s information.

It’s been proven that us humans can be the best protection, a virtual human firewall, with the right training. We’ll be ready and we won’t be fooled.

So why don’t we have security awareness month, every month?
