AwareGO security blog

Stay up to date on security threats. AwareGO focuses on security awareness training, we help prevent phishing, tailgaiting, social engineering and multile other threats. Find our Threat-list here

Through many clients and partners, we have gotten this question: “Do you offer phishing simulations?” The answer is no, although we do understand why they’re asking. Phishing simulations have become a standard practice when it comes to cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?

What do phishing simulations do?

In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulations, however, do give companies an indication of where they’re at awareness wise. An awareness score, if you will. But it only applies to the kind of phishing that was tested in the simulation. What it doesn’t tell you is how these employees (no matter how well they did with not clicking links or opening attachments) react to other cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work?

Boring security awareness lecture. Everyone falling asleep.
Don’t make your employees sit through long and windy security lectures.

The fact is that when you phish your employees with a simulation you can only test a fraction of the phishing methods that can and will eventually be used to try to scam employees. And hackers are constantly creating new ways to phish and scam. It may look good on paper to say you’ve done a phishing simulation. What it also does is set up your staff, who might resent you for it as well as any subsequent cyber security training they receive as a result. And that’s not the way to build a strong security culture within a company.

Why do you want to do a phishing simulation?

It’s understandable that you’ll want to teach your employees about phishing because that’s usually the start of serious security breaches and hacks. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of many jobs. It’s easy to click on the wrong link or attachment as a routine. That’s where security awareness comes in.

Phishing simulation setting employee up for failure

There are many cyber security firms that offer simulated phishing tests that are designed to test the level of cyber security awareness. Others may be the experts when it comes to phishing simulations and we realize our limitations. Instead, we decided to put all our efforts into offering the most high-quality security awareness training content and make it easily available to businesses of all shapes and sizes. If our clients want to do a phishing simulation that can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary. There’s also this gut feeling we have that tells us that too often they are unethical and can have adverse effects.

What to do instead of a phishing simulation

Number one, two and three, train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.

  • After you start your selected cyber security awareness program have reports of spam, phishing or malware increased? If the answer is yes it means your staff is more aware, not that you‘re being attacked more often.
  • Have your IT team look at proven hacking incidents before and after training began.
  • Have your employees take a test about cyber security before training begins. Test them again in 6 months and then after a year.
  • AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be designed to each employee’s needs based on their success in the game. In addition to having a fun outlet to compete with your fellow employees we hope this new way will make phishing simulations a thing of the past.

Raise awareness, not hackles

There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm. Running a simulation also doesn’t mean that there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%. That they are the ultimate firewall. And it’s not just important for the company, it‘s important for them personally as well.Phishing simulation email on phone at work desk.

If you are going to run a phishing simulation do it with care and purpose. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff instead of setting them up.

Building a strong security culture

What you really want is not just good awareness scores for your files but a strong security culture. Having a strong security culture within you company means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company. And they will help each other keep the company safe.Blurred group of business people representing the human risk in cyber security

This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the company. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.

Punishing people for mistakes is a surefire way to install fear. When employees live in fear, they are less likely to participate in the training and, less likely to report breaches and data leaks. They are also more likely to quit.

Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.

With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.

Awareness training facts

Security awareness training is vital for businesses of all sizes. Many businesses rely on software and policies to keep their data secure, but that’s not enough. According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking related breaches used weak or stolen passwords. It’s simple: Employees are the biggest gap in your security wall. No matter how great your software is, it only takes one person to click the wrong link, and you have a massive security breach that costs an average of $100,000 to recover from.

A security awareness training program is key to helping employees understand how to avoid problems and how not to be the person who puts the entire network at risk.

Here are 4 important security awareness tips that you need to know before you start training your employees.

Security Awareness Tip no. 1

71% of organizations were successfully spear phished in 2014

Spear phishing is a targeted attempt to gain access to an executive’s credentials, like passwords. This is contrasted with just-plain phishing where a trap is laid in the hopes that someone will fall into it.
Spear phishers target executives, often a specific executive, in an attempt to get into a certain system.

Spearphishing email on phone fact
Spear phishing, like most hacking attempts, is a behavior-based hack. Many business owners think of hackers as using software to break past a firewall or trying to find a backdoor into a piece of software. In truth, over 90% of all hacks occur because someone clicked a link in an email, opened an infected attachment on an email or went to a malicious website.

The 2016 US Presidential campaign hacks were the result of spear phishing attacks. An email was sent out by hackers saying the user needed to change their password. The user did, but it was on a bogus site. Then the hackers stole their password and data.

Another technique which was used was to infect the network with spyware that was able to observe online activity and the hackers stole passwords and emails that way.

Over ⅔ of executives have been successfully spear phished. This means that it’s not about intelligence or education; security awareness training is about knowing what to look for in emails and on websites.

Security Awareness Tip no. 2

Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it

Antivirus and anti-malware software are vital, but they’re not foolproof. Even if a program is actively scanning your system, it might not find a phishing attack for hours, days or it might not find it at all. Most antivirus software doesn’t actively scan. Furthermore, most of the software scans only once or twice a day and it requires periodic updates. For an average of almost 18 hours phishing emails will hang in someone’s inbox, waiting to be opened, before anti-malware software finds it and neutralizes the threat. For this reason teaching staff to recognize phishing emails is imperative. Lots of folks figure, “We have antivirus software, so if it’s in my inbox, it must be okay.” Dispelling this myth needs to be part of your training.

Security Awareness Tip no. 3

Security awareness training can reduce a company’s exposure by up to 70%

Cost of security breach factFew things will give you the ROI that security awareness training does. According to the most recent IBM Cost of a Data Breach Study, on average, a breach costs $148 per stolen record. Take a moment to consider that – that means that if you have 100 records stolen, it will cost your company $14,800. A thousand records would be $148,000!
What’s the average size of your spreadsheets or data files that contain client or staff information? Multiply that by $148 and see if you’re willing to pay that amount or the cost of a good security awareness program.

If you can reduce your exposure to loss by 70%, why wouldn’t you do it?

Security Awareness Tip no. 4

Employee data is often stolen too

When we think of data breaches, we often only consider customer data – information entrusted to us by our customers. What many employees forget is that their data is on the company network as well.
Every employer has their employees’ social security numbers, but that’s not all they have. Employee’s personal email logins can be found on most systems. In addition there are addresses, phone numbers, social security numbers of children and spouses, medical data, emergency contacts’ personal data and more is sitting on the company’s network.

If the network is hacked, there’s a very real chance that employees’ personal data will be taken as well.

What all of this means for your company and employees

All of this is important to understand as you start training your employees. Each of these security awareness tips is a lesson that needs to be clearly understood.

  • 71% of executives were successfully spear-phished in 2014 – Unless one is to assumes that 71% of executives have below average intelligence, being smart has nothing to do with your vulnerability. It has to do with attention to messages and knowing what to look for.
  • Phished people were exposed to an attack for an average of 17.5 hours before antivirus software discovered it – Staff can’t rely on antivirus/anti-malware software to protect them. They must be vigilant.
  • Security awareness training can reduce a company’s exposure by up to 70% – The ROI of security awareness training far outweighs any costs incurred. In fact, other than locking the front door, there isn’t anything a staff member can do that can save the company more money.
  • Employee data is often stolen too – This is personal. Each employee needs to understand that the company’s servers contain their data as well. They need to know that they are as vulnerable as anyone else.

Security awareness training is simply part of life in the modern computer age. It needs to happen.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by disguising as a trustworthy entity.

The word “Phishing” is a recently coined expression created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim. Phishing attempts are typically carried out by email spoofing or instant messaging. And they often direct users to enter personal information at a fake website. The look and feel of those websites can be identical to the legitimate ones and the only difference is the URL of the website in concern. Recognizing phishing emails before you get scammed is very important. 

Example of an email scam:

email-1

Fake social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may also contain links to websites that distribute malware.

There are ways to recognize phishing emails

Here are the most common indicators:

  1. Bad grammar
  2. Missing or strange fields in email.
  3. Salutation is missing.  This can be an indicator of phishing email.
  4. Aggressive call to action. Businesses do not regularly require you to update your payment information or your passwords. Be wary of emails that ask you for too much information or use aggressive wording.
  5. If it sounds to good to be true – it is!
  6. Graphic is fuzzy. Design and the layout of phishing email often gives it away.  Scammers rarely do their design work properly.

phishing-image-play

Check out our Phishing security awareness video

Key takeaways:

  • Be suspicious of emails that request sensitive information.
  • If in doubt, verify the origin of the email.
  • Think twice before you open attachments or click any links.

If you are a CISO or a DPO, chances are you’re responsible for security awareness training. But you’re not a teacher. Am I right?

So why are you responsible for training, when it is your responsibility to protect the company’s data?

The truth is, hackers, like most people, tend to choose the path of least resistance when they compromise the security of organisations. This path is very often through people, and cyber security threats are exploited through human behavior. It is usually the uninformed employees that lead to the breaches. Unfortunately human behavior is predictable and we are thus vulnerable to attacks. The good news is that through training and awareness the risk from these threats can be reduced. 

Back to the training part. What you need to understand is that some of your employees are lazy. They might recognize that security awareness training is essential, but they want it to be over as fast as possible. Employees don’t want to struggle to read and digest boring security awareness text. They want to be able to understand it quickly and efficiently and continue with their day-to-day job. Just because they want to absorb this content quickly doesn’t mean quick training programs are ineffective. A video, however, is a tool that can take your security training from boring to exciting. 30 seconds of video is capable of conveying much more information than any text. 

Videos have been used for marketing purposes for some time now. According to HubSpot, video is here to stay [1]. YouTube is also the world’s second largest search engine, which supports that. According to a report from HubSpot Research, 54% of consumers want to see videos from brands they support. [1]

branded-content-people-want-chart

 So it’s strange, then, that some people don’t understand how useful it is to include videos in their training program. In the same way, people use images to separate points and make text easier to understand, people use video to hold people’s attention. Especially when an employee needs to go through several security awareness topics. (Remember I said some employees are lazy when it comes to security training.) When people are presented with a wall of text, the first thing they will do is try to avoid it and find excuses for not participating in the training. Even if your security study material isn’t as long as in other companies, if it looks too difficult to read, they are not going to bother. Even though the actual study material is the same, which of the two pieces of training below would you like to take part in?

Example 1: Everyone makes mistakes. Even as simple as forgetting to shut the faucet… or sending an email to the wrong person. But it‘s what you do next that matters. If you lose, or leak classified information. It is your responsibility to report it, even though it was an accident or not even your responsibility… By not reporting the leak your company might be liable to fines or get other people into trouble. Be extra careful when working with personal information even if only one record leaks out it can have severe consequences for that individual and can lead to hefty fines for the company.

Or example 2:

 

The video is infinitely easier to consume and comprehend. According to HubSpot, video content was the most memorable (43%) in comparison to text (18%) and images (36%). [1]

most memorable content

 This is good news because you want people to remember the training material and be able to put their training into action. The attention competition We all know there is a massive competition for peoples attention today. Just because a video is easy to watch, it doesn’t mean people will. But, the shorter the video training and by using effective storytelling, you will get more people to complete the whole training versus just a few seconds.  

So why aren’t you using video?

Payments available