AwareGO security blog

Stay up to date on security threats. AwareGO focuses on security awareness training; we help prevent phishing, tailgating, social engineering and many other threats. Find our threat list here.

Many clients and partners have asked us the same question: “Do you offer phishing simulations?” The answer is no, although we understand why they ask. Phishing simulations have become standard practice in cyber security training, and it may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?

What do phishing simulations do?

In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. What phishing simulations do give companies is an indication of where they stand, awareness-wise: an awareness score, if you will. But that score only applies to the kind of phishing that was tested. It doesn’t tell you how those employees (no matter how well they did at not clicking links or opening attachments) react to other threats. Would they let a person in uniform into the building without question? Do they take confidential information home? Would they have clicked the link or attachment if the email had been more in line with their interests or line of work?

Don’t make your employees sit through long-winded security lectures.

The fact is that a simulation can only test a fraction of the phishing methods that can and eventually will be used against your employees, and attackers are constantly creating new ones. It may look good on paper to say you’ve run a phishing simulation. What it also does is set up your staff, who may resent you for it, and resent any cyber security training they receive as a result. That is not the way to build a strong security culture within a company.

Why do you want to do a phishing simulation?

It’s understandable that you want to teach your employees about phishing, because that is how most serious breaches start. We want everyone to be better at recognising phishing emails too. Opening emails and attachments is a big part of many jobs, and it’s easy to click the wrong link or attachment out of routine. That’s where security awareness comes in.


Many cyber security firms offer simulated phishing tests designed to measure the level of security awareness. They are the experts at phishing simulations, and we know our limitations. Instead, we decided to put all our effort into producing high-quality security awareness training content and making it easily available to businesses of all shapes and sizes. If our clients want a phishing simulation, it can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary, and we have a gut feeling that too often they are unethical and can have adverse effects.

What to do instead of a phishing simulation

Number one, two and three: train, train and train your employees. Then train them again. Cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.

  • After you start your chosen security awareness program, have reports of spam, phishing or malware increased? A rise in reports usually means your staff is more aware, not that you are being attacked more often; compare the report count against the volume your mail gateway is catching to tell the two apart.
  • Have your IT team compare confirmed security incidents before and after training began.
  • Have your employees take a test on cyber security before training begins. Test them again after 6 months and again after a year.
  • AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be tailored to each employee’s needs based on how they do in the game. Besides giving staff a fun way to compete with their colleagues, we hope this will make phishing simulations a thing of the past.

Raise awareness, not hackles

There’s no use in just phishing your employees and leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm, and running one doesn’t mean security awareness can’t be discussed beforehand. It’s always better to train employees and raise awareness. Help your employees understand why strong cyber security is needed. They need to know that spam filters and firewalls will not protect them 100%: they are the ultimate firewall. And it’s not just important for the company, it’s important for them personally as well.

If you are going to run a phishing simulation, do it with care and purpose. Coordinate the test with a security awareness campaign: posters and emails about what you are doing and why. In other words, help your staff instead of setting them up.

Building a strong security culture

What you really want is not just good awareness scores on file but a strong security culture. A strong security culture means that employees at every level will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company, and they will help each other keep it safe.

This only works if everyone feels they are “in this together”. That’s why messages about cyber security procedures should not come from “on high” but move laterally through the company. It can be a job for HR, IT, a dedicated DPO or a CISO (or a combined effort), but the message needs to be inclusive, simple and make sense to everyone.

Punishing people for mistakes is a surefire way to instill fear. Employees who live in fear are less likely to participate in training, less likely to report breaches and data leaks, and more likely to quit.

Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.

With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.

For over 30 years companies have been connected to networks and the internet, and for almost all of that time they have been dealing with cyber security threats. One thing has become clear from that experience: security awareness among employees is one of the most effective ways to secure your network and keep your data safe. Equally important is employee engagement in the awareness training itself.

ChiefExecutive.net published an article entitled “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” Business owners often buy good antivirus software and powerful firewalls, which is great. The bad news is that they forget to factor in the human element. Security awareness training is an effective way to avoid some of the threats out there; many of them arrive on a business’s network via email attachments and malicious websites, so teaching your staff what to look for is an excellent way to reduce your company’s risk.

Why is employee buy-in so important?

We talk a lot about buy-in in almost everything we do with staff. In every training we hope to get employees emotionally invested in what we’re doing. The problem is that getting employees excited about a new loyalty card or the latest computer program is difficult. Cyber security awareness, on the other hand, affects every employee, customer and manager, and the company as a whole. Employees must understand that ignoring cyber security could mean the loss of their data or their jobs.

Threats to the company and employee jobs

According to Accenture, the average cost of a malware attack on a company is $2.4 million. It is often reported that many small businesses never recover from a breach, and larger businesses can suffer permanent reputation damage from a breach of customer data.
It shouldn’t take much to explain to staff that $2.4 million is a significant portion of salaries. It can mean the difference between a raise and no raise, or between keeping and losing colleagues, regardless of how busy everyone gets. In other words, cyber threats are not an abstract concept but a very real danger to the company and to every employee.

Threats to the employees’ data

One threat most employees don’t think of is their own personal data. Every employee’s social security number, and those of their spouse and children, are on the company’s network, along with addresses, telephone numbers, emails and more. Their resumes may be there too. Phishing scams against them, their spouses or their children can easily be built from the data in a resume. With any luck, this will bring home the idea that cyber security is in their own interest as well as the company’s.

Formatting training for employee buy-in

To ensure employee engagement in security awareness training, make the training short and entertaining. It needs to be informative, but it doesn’t need to be boring. The classes can take place over several days or even weeks. Just keep in mind that nothing annoys employees more than an 8-hour class on something that has nothing to do with their jobs. So keep the classes short and focus on one aspect of security at a time, such as email security or password security.

The key is to deliver lessons in smaller portions so that everyone can learn what they need to without getting bored.

Another great way to raise awareness is to use short security awareness training videos that let people learn without leaving their desks. You can confirm that they took the course by having them complete a short test, or use completion tracking that shows who watched the whole training and who didn’t.

Consider offering a reward for great behavior

Of course, not all breaches are obvious, but in most cases it’s easy to tell how a virus or other piece of malware entered the network. Offering everyone a raise might seem a little outrageous, but it will probably cost you less than $2.4 million, plus millions more recovering the company’s reputation.
Let employees teach the classes or appoint superusers that can deliver security knowledge to their peers. Anything that “comes down from on high” is immediately tainted with boredom and strange policies that have no context. If you have an office full of machinists, it will be easier for a machinist to explain to them the importance of cyber security.

The easiest way to ensure employee buy-in for cyber security awareness

The short and simple answer is to include your employees as if their livelihoods depended on it. Because they do!
Approach security awareness from the perspective that this is really their concern too. You’ll be able to speak to them in a way that makes them feel included and not simply lectured at.

Cyber security awareness is more than simply knowing about cyber threats. It’s a series of training, policies and actions that lead to a higher level of security culture in your business or organisation.

Why do you need cyber security awareness?

Rather than give you a lot of words, here is the “Global Study at a Glance” from IBM’s Cost of Data Breach report:

  • The average total cost of a data breach is $3.62 million
  • The average cost per lost or stolen record is $141
  • The likelihood of a recurring material data breach over the next two years is 27.7%

Training

“Overall, the research found that about 90% of all cyber claims stemmed from some type of human error or behavior.” – ChiefExecutive

The above statement has been repeated in one way or another for years. If 9 out of 10 cyber insurance claims stem from human activity, the first logical step is to start with the humans in the organisation.

There are a number of elements that your employee cyber security awareness training needs to have:

  1. A clear explanation of what cyber attacks are and what to look for. This includes what a dangerous link might look like and what a computer might do after being infected.
  2. In-depth explanations of the dangerous activities. Be very clear that clicking links, downloading attachments and similar actions are what cause the problems: it is the action, not the arrival of the email, that gets the machine infected.
  3. Alternative ways of getting things done. For example, if a staff member gets an email from the bank, they should call the bank on a number they already have, or type the bank’s address into the browser and log in directly, rather than follow the link.
  4. What to do if there is a problem. Don’t leave them hanging. For example, if a ransomware note pops up on someone’s computer, tell them to disconnect that machine from the network immediately (pull the cable, turn off Wi-Fi) and call IT rather than try to fix it themselves. Isolating the machine stops the encryption spreading to shared drives, and the technicians decide what else to shut down and when to bring things back.
  5. Be skeptical. Some of the most successful scams involve someone calling or emailing with a strange request. One invoicing scam targets the accounting department with an email that says, “We got hacked. Your previous payment for invoice number 56845 is being returned. Please remit to bank number 986685105.” The new bank number belongs to the attacker, and the money goes straight to them.

This is not all that needs to be in your training, but these are important elements that are often forgotten.

The key to training is that it’s not a one-time thing. Everyone should get monthly reminders and annual follow-up training.

Keep cyber security awareness top-of-mind and you’re much less likely to have a problem.

Policies

Policies will not stop cyber attacks or the behavior that makes them possible. What policies can do is give everyone clear guidance on what to do if there is an attack and what they can do to prevent one. Here are a few examples of effective policies you can implement:

Every device, even personal ones, must have active anti-virus software

Provide your staff with antivirus software for the personal devices they use for work, like mobile phones and laptops. Employers often complain that this costs money, but the average cyber attack is breathtakingly expensive: the IBM report above puts the average data breach at $3.62 million. In that light the ROI on proper protection and security awareness training is very high. It’s worth the investment.

All staff members must be trained to avoid problems

Everyone, including the CEO, must be trained to stay out of trouble. There is a term for scamming the CEO online: whaling. It has a name because it has happened often enough to earn one. The widely reported compromises of the Democratic National Committee and senior US political figures in 2016 started not with a brute-force attack but with spear-phishing emails. Everyone is vulnerable.

No one will get fired for making an honest mistake

This is an important policy. If your staff is afraid they’ll get terminated, they won’t tell you there’s a problem until it’s too late.

These are just a few ideas, but they should help you to get started.

Actions

There are a number of things that you can do to stay cyber secure:

Look for next-gen anti-virus software

Most traditional antivirus software relies on signature files that arrive on a schedule and only recognises what those signatures already describe. Newer products are cloud-connected: detections are updated continuously as the vendor learns of new threats, and the agent keeps watching behaviour on your servers and workstations instead of waiting for a scheduled scan.

Lock and guard your server room

One of the silliest ways information gets stolen is when someone simply walks into the server room and takes the disks. Moving data to a cloud provider hands the physical security problem to them, but access control, account security and backups remain your responsibility.

Add new levels of security

Passwords are no longer enough. Add multi-factor authentication (a hardware key, an authenticator app or biometrics) to every account, and full-disk encryption on every device that might leave the building in the possession of a staff member. Laptops stolen from cars are notorious for lost data. Lock them down tight.

What is cyber security awareness?

Cyber security awareness is the knowledge that your data is under threat and knowing what you can do about it. It’s not a “learn it and leave it” idea. It’s an ongoing effort to keep your data, and your customers’ data, safe.

Security awareness training is essential for companies but can be a daunting task.

Recently the General Data Protection Regulation (GDPR) took effect in Europe. GDPR compliance is required of any company that processes the personal data of people in the EU, and the regulation makes it mandatory for certain organisations (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) to appoint a dedicated Data Protection Officer (DPO). There are many things to consider with regard to GDPR, and a security awareness training program for your employees is one of the most crucial. That’s where we can help.

What you need to know

It is crucial that all your employees are aware of the cyber security threats out there. To give you an idea of what your organisation is dealing with, I’ve compiled this top 10 list of cyber security awareness topics: the kinds of things everyone in your organisation needs to be aware of today.

1. DATA LEAKS

We are human, and behind most data leaks there is a human error.

Everyone makes mistakes, and security awareness training guides employees on how to react to and report a leak. Admitting mistakes can be hard and embarrassing, which is why creating an environment that encourages employees to report mistakes and possible leaks is so important (even if it was an accident or not their responsibility).

Duration matters when it comes to data leaks. The longer a misconfigured storage bucket or shared folder of personal or sensitive information stays exposed, the bigger the leak. Failing to report a leak can have severe consequences for the individuals affected and lead to hefty fines for the company.

2. SOCIAL ENGINEERING


You are at the largest yearly conference in your industry. You are having fun meeting other people in similar positions and discussing how they are doing things, sharing failures and achievements and learning from each other. However, after a few drinks, the sharing can go overboard, and sensitive information may be discussed and shared.

The intention behind the sharing was not bad. You might not realize the serious consequences it can have if the other person is dishonest and passes confidential information on to someone else.

It is essential never to discuss confidential work issues with unauthorized people, even if you trust them.

3. PHISHING

If you open an email that happens to be a fraudulent phishing email, you are just one of 8 million people in the same situation this very day.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity.

The word “phishing” was coined as a variant spelling of fishing: both use bait in an attempt to catch a victim.

Phishing attacks are typically carried out by spoofed email or instant messages. They often direct users to a fake website that looks and feels identical to the legitimate one; the only visible difference may be the URL, so check the address bar before entering anything.
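
The “only difference may be the URL” point is something you can check mechanically. The following Python script is an added example for this page, not code from AwareGO; the trusted-domain list, the confusable table and the sample URLs are constructed for illustration. It pulls out the host a browser would actually connect to and flags the usual tricks: a trusted name used as a subdomain of an unrelated domain, a look-alike spelling, an “@” in the address, punycode labels and plain http.

```python
"""Added example (not from the original post): flag URLs that imitate a
trusted site. The trusted-domain list, the confusable table and the sample
URLs are assumptions constructed for illustration."""
from urllib.parse import urlsplit

# Sites we expect staff to log in to (assumed for the example).
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Character swaps attackers use to build a look-alike name (partial list).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Undo common look-alike substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: wrong for suffixes such as
    co.uk; production code should use the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str) -> dict:
    """Return the real host, its registrable domain and a list of findings."""
    parts = urlsplit(url)
    findings = []
    authority = parts.netloc
    if "@" in authority:
        # https://examplebank.com@evil.net/ : the browser connects to evil.net.
        findings.append("'@' in authority; everything before it is ignored by the browser")
        authority = authority.rsplit("@", 1)[1]
    host = authority.split(":")[0].lower().rstrip(".")  # IPv6 literals not handled
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label; possible homograph of a real name")
    domain = registrable_domain(host)
    if domain not in TRUSTED_DOMAINS:
        first = domain.split(".")[0]
        for trusted in sorted(TRUSTED_DOMAINS):
            name = trusted.split(".")[0]
            if trusted in host:
                findings.append(f"'{trusted}' appears as a subdomain of '{domain}'")
            elif first == name:
                findings.append(f"'{name}' under a different suffix: '{domain}'")
            elif normalize(first) == name:
                findings.append(f"look-alike spelling of '{name}': '{first}'")
            elif name in first:
                findings.append(f"'{name}' embedded in '{first}'")
        findings.append(f"registrable domain '{domain}' is not on the trusted list")
    return {"host": host, "domain": domain, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for sample in (
        "https://www.examplebank.com/login",           # genuine
        "https://examplebank.com.login-verify.net/",   # trusted name as a subdomain
        "https://examp1ebank.com/",                    # digit 1 in place of the letter l
        "http://examplebank.com@evil.net/login",       # '@' trick, plain http
        "https://xn--examplebnk-0fb.com/",             # punycode label
    ):
        result = analyze_url(sample)
        print("SUSPICIOUS" if result["suspicious"] else "ok        ", sample, result["findings"])
```

Run it as a script to see the verdict for each sample. `registrable_domain` is deliberately naive (last two labels), so for real use replace it with a Public Suffix List lookup; the rest of the logic is the same check a browser-extension or mail-gateway URL filter performs.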

4. TAILGATING

John, a former employee of the company you work for, comes running just as you are about to close the door. He says he’s on his way to meet his former boss. You chat for a minute or two, and then he heads towards the boss’s office.

If you remember correctly, John was pretty angry when he got laid off two months ago. What you might not realize is that John, who knows his way around the company, is about to steal some sensitive information as an act of revenge.

Tailgating used to be about thieves stealing physical things by following an authorized person into a secure location. In today’s digital workplace, tailgating is often combined with stealing sensitive information, which can have serious financial consequences for companies.

The threat is usually associated with former employees, thieves, vandals or people that have issues with the company or employees.

5. PASSWORDS


Your password expires in 2 days… “Ughhh,” you may think, “it’s that time again!” You need to come up with a password that you can easily remember, and it is getting harder and harder to think of something new.

But passwords are crucial to protecting your workstation and your accounts. Length matters more than mixing character classes: a long passphrase of several unrelated words is both stronger and easier to remember than a short string of mixed-case letters, symbols and numbers, and current NIST guidance (SP 800-63B) no longer recommends composition rules or forced periodic changes. Never reuse a password between services, because a password leaked from one site is tried against every other login.

If you do have to satisfy a complexity rule, a trick that makes life easier is to come up with a sentence and use one letter from every word, keeping the capitals and punctuation. A password manager removes the need to remember most passwords at all, and multi-factor authentication limits the damage when one does leak.

6. CEO SCAM

You are browsing through your emails when you notice one from the CEO. He claims to be in a hurry and needs you to transfer money to an account quickly.

You quickly transfer the money… But then you notice something strange; his email address is not even from your company.

This scam is a type of phishing in which criminals spoof the company’s email domain, or register a look-alike one, and try to fool an employee, especially in accounting or HR.

Always double check unusual requests from your boss, especially regarding a financial transfer.
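
Double-checking doesn’t have to rest on the employee alone; the same signals can be checked on the mail gateway or in a triage script. The following Python example is added here and is not code from AwareGO; the company domain, the executive list, the gateway name and both sample messages are assumptions constructed for illustration. It separates identity signals (external sender, executive display name on a foreign address, redirected Reply-To, SPF/DKIM/DMARC failures recorded by your own gateway) from pressure language, because urgency alone is how plenty of real executives write.

```python
"""Added example (not from the original post): header checks that expose a
CEO-fraud email. The company domain, the executive list, the gateway name and
both sample messages are assumptions constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # display name -> real address (assumed)
PRESSURE_WORDS = ("urgent", "quickly", "asap", "wire", "transfer", "gift card", "confidential")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_message(raw: str) -> dict:
    """Return identity findings (who is really sending) and pressure words separately.

    Only identity findings make the message suspicious; urgent wording on its
    own is how many genuine executives write."""
    msg = message_from_string(raw)
    identity = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # 1. The address is outside the company even though the name looks internal.
    if from_domain != COMPANY_DOMAIN:
        identity.append(f"From address is external: {from_addr}")

    # 2. The display name belongs to an executive but the address is not theirs.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        identity.append(f"display name '{from_name}' but address is {from_addr}, not {real}")

    # 3. Replies are silently redirected somewhere else.
    if reply_addr and domain_of(reply_addr) != from_domain:
        identity.append(f"Reply-To points elsewhere: {reply_addr}")

    # 4. The From header is trivially forged; the verdicts our own gateway wrote
    #    into Authentication-Results are the stronger signal (assumes the gateway
    #    strips any such header arriving from outside).
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            identity.append(f"{check} failed at the receiving gateway")

    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    pressure = [w for w in PRESSURE_WORDS if w in text]

    return {"from": from_addr, "suspicious": bool(identity),
            "identity": identity, "pressure": pressure}


# Constructed sample messages (not real mail).
SCAM = """\
From: Jane Doe <jane.doe@example-ceo-mail.net>
Reply-To: Jane Doe <ceo.office@webmail.example>
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-ceo-mail.net; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Hi, I'm in a meeting and can't talk. Please transfer 23,400 EUR to the account below quickly.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Can you send me the Q3 summary when you have a moment? Thanks.
"""

if __name__ == "__main__":
    for raw in (SCAM, LEGIT):
        print(check_message(raw))
```

The scam message trips all five identity checks, while the genuine one trips none. The same split is worth teaching to staff: the address and the authentication verdicts tell you who is writing; the tone only tells you how much they want you to hurry.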

7. RANSOMWARE


Ransomware is malware that encrypts the data on your computer, or in some cases your whole network. After that you cannot access your files or pictures until you pay the ransom, and in some cases not even then.

The most common delivery mechanism for ransomware is phishing: an email attachment masquerading as a file you should trust, such as an invoice or a delivery note. Once downloaded and opened it runs on your computer, and from there it can reach every share and drive you have access to.

In some cases, ransomware is delivered to your computer via compromised websites which you think you can trust.

If you get infected, there is a small chance you may be able to recover: check No More Ransom, which collects free decryption tools for ransomware families whose keys have been recovered. Otherwise, your backups are your recovery.

Best practices to guard against ransomware:

  • Keep a backup of your files, back up regularly, and keep at least one copy offline or otherwise disconnected so the ransomware cannot encrypt it too.
  • Do not install software unless you know exactly what it is and what it does.
  • Update your operating system and programs when prompted.
  • Never install an “update” offered by a web page or pop-up; real updates come from the operating system or the application itself.
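
The “attachment masquerading as a file you should trust” from the delivery paragraph above can be recognised before anyone opens it. The following Python example is added here and is not code from AwareGO; the extension lists and the sample message are constructed for illustration, and the attachment bodies are only file headers, not malware. It walks the attachments of a message and flags double extensions, directly executable or macro-enabled types, and a mismatch between the declared type and the file’s leading bytes.

```python
"""Added example (not from the original post): triage of email attachments for
the masquerading tricks ransomware droppers use. The extension lists and the
sample message are assumptions constructed for illustration; the attachment
bodies are only file headers, not real malware."""
from email import message_from_string, policy

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
                  "wsf", "hta", "msi", "lnk", "jar"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
CONTAINER_EXT = {"zip", "7z", "rar", "iso", "img"}   # used to hide the real type from filters
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
MAGIC = {b"MZ": "Windows executable",
         b"PK\x03\x04": "zip container (Office file or archive)",
         b"%PDF": "PDF",
         b"\xd0\xcf\x11\xe0": "legacy Office document"}


def sniff(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the name."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def triage_attachment(filename: str, content_type: str, data: bytes) -> list:
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        findings.append(f".{ext} is directly executable")
    if ext in MACRO_EXT:
        findings.append(f".{ext} is macro-enabled")
    if ext in CONTAINER_EXT:
        findings.append(f".{ext} container can hide the real file type")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXT and ext not in DOCUMENT_EXT:
        findings.append(f"double extension '.{parts[-2]}.{ext}' disguises the real type")
    kind = sniff(data)
    if kind == "Windows executable" and ext not in EXECUTABLE_EXT:
        findings.append("content starts with an executable header despite the name")
    if content_type == "application/pdf" and kind != "PDF":
        findings.append(f"declared application/pdf but content looks like {kind}")
    return findings


def triage_message(raw: str) -> list:
    """Return one {filename, content_type, sniffed, findings} entry per attachment."""
    msg = message_from_string(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        results.append({"filename": name, "content_type": ctype, "sniffed": sniff(data),
                        "findings": triage_attachment(name, ctype, data)})
    return results


# Constructed sample: an "invoice" that is really a PE file, plus a macro-enabled workbook.
SAMPLE = """\
From: billing@supplier.example
To: accounts@example.com
Subject: Invoice 2024-118
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please find the invoice attached.
--b1
Content-Type: application/pdf; name="Invoice_2024-118.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2024-118.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12; name="rates.xlsm"
Content-Disposition: attachment; filename="rates.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQABgAIAAAAIQA=
--b1--
"""

if __name__ == "__main__":
    for entry in triage_message(SAMPLE):
        print(entry["filename"], entry["sniffed"], entry["findings"])
```

Sniffing the leading bytes is what catches the renamed executable even when a filter only looks at the last extension; in a real gateway the same checks would be followed by quarantining the message rather than printing a report.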

8. PRINTOUTS


Printing out documents is part of the job. But printers are sometimes located in open spaces where a lot of people can have access to them.

It is important to dispose of unneeded documents and failed prints properly, and not to leave them in the printer tray unsupervised for an extended period.

Information in these documents can be worth a lot of money to the wrong people.

9. DUMPSTER DIVING

Most companies make special efforts to keep certain types of information secret. This information can include customer lists, financial records, employee and payroll records, product development plans, and many other types of confidential information.

Methods used to protect confidential information can include high-security file cabinets, card reader systems used to control access to sensitive areas, and encrypted fax machines used to send and receive confidential information.

Despite precautions, the employees of many companies continue to throw sensitive information into the trash or recycle bins. If you don’t think this is a problem at your company, make random inspections of your outgoing waste – I guarantee you will be surprised!

It is important to understand that while the information found in your trash bin on any one day may not be significant, the cumulative information gathered over a period of time can be extremely damaging. For example, finding a copy of a few invoices in the trash wouldn’t provide your competitor with a complete list of your customers, but having several months worth of your invoices probably would.

Here are some tips for you to consider:

  • Conduct periodic inspections of your outgoing trash and recycle bins.
  • Provide awareness training for all employees concerning the proper handling and disposal of confidential information.
  • For best security, consider the use of a “DOD Specification” shredder.
  • If you have large volumes of documents that must be shredded, you may wish to consider the use of a “document destruction” service.
  • Watch out for information thrown in “recycle bins”.
  • Make sure that all shredded material is recycled.
  • Keep trash and recycle containers locked.

10. WIFI AT HOME & OPEN WIFI

A home network is often set up in a rush to get connectivity working as soon as possible. Most people take no steps to secure their home network, which often leaves it open to attackers. A router is just a small computer with its own operating system, software and vulnerabilities. Routers often advertise their make and model in the wireless network name (SSID), which makes it easy for an attacker to look up known vulnerabilities for that exact device.

Changing the router’s SSID and its admin username and password is the first step in securing home WiFi. Updating the router’s firmware should be done regularly; most routers fail to notify users that an update is available even though those updates patch security holes. It can also be necessary to restart the router every once in a while.

A stolen mobile device is also a risk to both home and office WiFi as the device has direct access to the networks it is connected to. Remotely wiping a stolen device is something that should be done as soon as possible.

Open WiFi

Finally, using free public WiFi networks comes with a number of security risks, but an overwhelming majority of people use them without hesitation. The same features that make them attractive to consumers make them attractive to attackers. The most common threat on public WiFi is an attacker positioning themselves between you and the access point so that all your traffic passes through their machine. Anything sent unencrypted can then be read or altered; with HTTPS the content is protected, but the attacker still sees which sites you visit and can try to steer you to a look-alike page. A VPN, or simply tethering to your phone, avoids the untrusted network altogether.

Attackers also use public WiFi to distribute malware. If file sharing or network discovery is enabled on your laptop, your shares are visible to everyone on the same network; disable them on any network you don’t control, and mark public networks as such so the operating system’s firewall treats them accordingly.

If you need any help introducing security culture to your organisation contact us. Our security awareness training videos will help you introduce these threats to your employees with minimum disruption and maximum impact.

So, you’re the Data Protection Officer? Congratulations! This means one of your primary duties is security awareness raising and the training of staff involved in processing operations. And that’s a simple task, right?

Considering the consequences of not complying with GDPR, one might think that every employee would be a team player, participating in every training on offer. Sadly this doesn’t seem to be the case but here are a few pointers on employee buy-in that might prove helpful.

There are two ways to guarantee that awareness campaigns are a success:

  • Using threats of consequences for not complying
  • Using short, easy to use messages

We believe in the latter, and that’s why we started AwareGO. The job of the DPO can be difficult, we know, and some people seem to have undying and unyielding faith in the ability of the IT department and firewalls. We really want to help you get started. Here is a link to a demo video showing an example of how we at AwareGO help DPOs raise security awareness with employees all over the world.


You can also check out our security awareness raising video catalog on our website.

If you are a CISO or a DPO, chances are you’re responsible for security awareness training. But you’re not a teacher. Am I right?

So why are you responsible for training, when it is your responsibility to protect the company’s data?

The truth is that attackers, like most people, choose the path of least resistance when they compromise an organisation, and that path very often runs through people: cyber security threats are exploited through human behavior, and it is usually an uninformed employee who opens the door to a breach. Human behavior is predictable, which is what makes us vulnerable. The good news is that training and awareness reduce the risk.

Back to the training part. Some of your employees are lazy. They may recognise that security awareness training is essential, but they want it over as fast as possible. They don’t want to struggle through boring security awareness text; they want to understand it quickly and get on with their day-to-day job. Wanting to absorb the content quickly doesn’t mean quick training is ineffective. Video is a tool that can take your security training from boring to engaging: 30 seconds of video can convey more than a page of text most people will not read.

Video has been used for marketing for some time now. According to HubSpot, video is here to stay [1], and YouTube being the world’s second largest search engine supports that. According to HubSpot Research, 54% of consumers want to see videos from brands they support. [1]


So it’s strange that some people don’t see how useful it is to include video in their training program. Just as people use images to separate points and make text easier to understand, video holds people’s attention, especially when an employee needs to get through several security awareness topics. (Remember, some employees are lazy when it comes to security training.) Presented with a wall of text, the first thing people do is look for an excuse not to participate. Even if your study material isn’t as long as another company’s, if it looks too hard to read they won’t bother. With the actual study material the same, which of the two pieces of training below would you rather take?

Example 1: Everyone makes mistakes. Even something as simple as forgetting to turn off the tap… or sending an email to the wrong person. But it’s what you do next that matters. If you lose or leak confidential information, it is your responsibility to report it, even if it was an accident or not your fault. By not reporting the leak, your company might be liable for fines, or other people might get into trouble. Be extra careful when working with personal information: even if only one record leaks, it can have severe consequences for that individual and lead to hefty fines for the company.

Or example 2, the same material delivered as a short video (embedded in the original post):

The video is far easier to consume and comprehend. According to HubSpot, video content was the most memorable (43%), compared with text (18%) and images (36%). [1]


This is good news, because you want people to remember the training material and be able to put it into action.

The attention competition

We all know there is massive competition for people’s attention today. Just because a video is easy to watch doesn’t mean people will watch it. But the shorter the video and the better the storytelling, the more people will complete the whole training instead of watching just a few seconds.

So why aren’t you using video?
