AwareGO security blog

Stay up to date on security threats. AwareGO focuses on security awareness training; we help prevent phishing, tailgating, social engineering and multiple other threats. Find our Threat-list here.

Our focus has always been on simplicity, ease of access and time-saving. That’s why our security awareness videos are short and our LMS platform simple to use. That’s also why we offer complete self-service to customers who choose it. We believe it’s the simplest security awareness training platform today.

We have now launched a new LMS platform for our clients that is even simpler to use than before. Through rigorous testing and conversations with our clients we’ve designed a sleek LMS for whoever is responsible for security training (be they CISOs, DPOs or part of the HR team) to use for employee training. You can try AwareGO Premium now for free and without commitment!

Our security awareness training videos are still there, still of the highest quality, with short, easy to remember lessons that stick and only take a minute of the employee’s time.

Here’s what’s new

  • The overall LMS platform has a sleek new look that’s easy to navigate and understand for both admins and employees.
  • We’ve added a new wizard that makes creating new training programs both fast and easy. It also includes ready-made training programs divided into several categories, such as Password handling, Out of Office, Email, Health Care and Finance, to name a few.
  • Training programs containing several topics can be sent out to recipients all at once or spread automatically over several weeks.
  • The new LMS platform gives admins a better view of how the training is going overall and also by individual user.
  • Admins can look at employee scores regardless of which training programs they’ve received. They can also send out reminders to employees who have not yet participated in the training.
  • The employee view has been drastically changed and is now easier to navigate.
  • The report system has been updated and reports can now be downloaded as a PDF, which is handy to take into update meetings.

As before our security awareness training solution can be implemented into any enterprise platform quickly and effectively.

Go check out the world’s simplest security awareness training platform for free and be on your way to a more secure business and building a sustainable security culture within your company.

Many clients and partners have asked us this question: “Do you offer phishing simulations?” The answer is no, although we do understand why they’re asking. Phishing simulations have become a standard practice when it comes to cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?

What do phishing simulations do?

In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulations do, however, give companies an indication of where they stand awareness-wise. An awareness score, if you will. But it only applies to the kind of phishing that was tested in the simulation. What it doesn’t tell you is how these employees (no matter how well they did at not clicking links or opening attachments) react to other cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work?

Boring security awareness lecture. Everyone falling asleep.
Don’t make your employees sit through long and windy security lectures.

The fact is that when you phish your employees with a simulation you can only test a fraction of the phishing methods that can and will eventually be used to try to scam them. And attackers are constantly creating new ways to phish and scam. It may look good on paper to say you’ve done a phishing simulation. But it also sets your staff up to fail, and they might resent you for it, as well as any subsequent cyber security training they receive as a result. That’s not the way to build a strong security culture within a company.

Why do you want to do a phishing simulation?

It’s understandable that you’ll want to teach your employees about phishing because that’s usually the start of serious security breaches and hacks. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of many jobs. It’s easy to click on the wrong link or attachment as a routine. That’s where security awareness comes in.

Phishing simulation setting employee up for failure

There are many cyber security firms that offer simulated phishing tests designed to measure the level of cyber security awareness. Others are the experts when it comes to phishing simulations, and we realize our limitations. Instead, we decided to put all our efforts into offering the highest-quality security awareness training content and making it easily available to businesses of all shapes and sizes. If our clients want to run a phishing simulation, that can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary. We also have a gut feeling that they are too often unethical and can have adverse effects.

What to do instead of a phishing simulation

Number one, two and three, train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.

  • After you start your selected cyber security awareness program, have reports of spam, phishing or malware increased? If the volume of phishing actually arriving at your mail gateway has stayed roughly the same, a rise in reports means your staff is more aware, not that you’re being attacked more often.
  • Have your IT team compare confirmed security incidents before and after training began.
  • Have your employees take a test about cyber security before training begins. Test them again in 6 months and then after a year.
  • AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be designed to each employee’s needs based on their success in the game. In addition to having a fun outlet to compete with your fellow employees we hope this new way will make phishing simulations a thing of the past.

Raise awareness, not hackles

There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm. Running a simulation also doesn’t mean there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%. That they are the ultimate firewall. And it’s not just important for the company, it’s important for them personally as well.

If you are going to run a phishing simulation do it with care and purpose. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff instead of setting them up.

Building a strong security culture

What you really want is not just good awareness scores for your records but a strong security culture. Having a strong security culture within your company means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company. And they will help each other keep the company safe.

This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the company. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.

Punishing people for mistakes is a surefire way to instill fear. When employees live in fear, they are less likely to participate in the training and less likely to report breaches and data leaks. They are also more likely to quit.

Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.

With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.

Why you should always double check new bank information

This June we published a new security awareness video to remind employees to always double check account numbers when paying invoices. We have good reason to focus on cyber security awareness for finance divisions, as we have heard multiple first-hand accounts of fraudsters sending out bogus invoices. They have also been known to worm their way into correspondence and take over as soon as there is a mention of invoices or payment.

The amounts stolen in this manner can range from a few thousand dollars to hundreds of thousands. Perhaps not surprisingly, there is very little that local authorities can do about it. International law enforcement usually doesn’t investigate these matters unless the amount is considerable. Even then the chances of getting your money back are slim to none.

How it’s done

A finance division employee’s computer or a client’s computer might have been compromised by various means. Most likely it was done by a phishing or spear phishing email containing malicious links or attachments. Through that the attacker gained access to the employee’s email correspondence and could follow it closely. They can even pick up the individual language and slang of the user. When an invoice is sent out, the attacker intercepts that email and sends out another with their own account information. If the employee on the other end is not vigilant the sum will be paid to the attacker and not the rightful recipient. By the time this is discovered the attacker has covered their tracks and is gone with the funds. This is why companies need to pay special attention to cyber security awareness training for finance division employees. There is a lot to lose.

Trust no one

It might sound cynical to say this but when it comes to invoices and account numbers, we should trust no one. Not even invoices issued in the name of companies we’ve been dealing with for years. If email accounts have been breached (or even if someone has gone through the company’s trash) it is possible for hackers to send out bogus invoices in the name of trustworthy companies. The only thing they’ve changed is the bank information for payment.

If the account number is the same as usual and has been paid to before without incident, it should be safe to continue with the payment. If a company suddenly changes its account number, or you are making a payment to a new company, the safest protocol to follow is to call that company directly and double check the invoice and the account number.

Find the number to call through the company’s official web page or an official directory. Don’t trust any information provided in an email until it has been verified that the sender is who they say they are.

Not even your boss

It’s not always invoices in the name of another company that are sent out. Sometimes it’s urgent emails from a boss or a very high-ranking individual within the company, such as the CEO or the CFO, demanding that funds be moved from one account to another ASAP. Such frauds are also known as CEO fraud or business email compromise (BEC); the term whaling is sometimes used too, although strictly it refers to phishing aimed at the executives themselves.

No matter how urgent they might sound, or how often similar orders might have come in the past, such emails should always be verified with a phone call. A good CEO should encourage such vigilance from their employees. It means that the effort spent on cyber security training for the finance division has paid off. And it could wind up saving the company considerable sums.
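The two rules above, pay only to the account you have paid before and phone to verify anything that deviates, together with the rule that a transfer “from the CEO” is always confirmed by phone, can be written down as a triage check on a structured payment request. The following is an added example, not code from the AwareGO post or from any product: it goes slightly beyond the text by also comparing the sender’s mail domain with the vendor’s known domain and by looking for a Reply-To header pointing elsewhere, two traces an attacker who imitates a hijacked thread commonly leaves. The vendor master, the executive list, the domains (including the lookalike acme-supp1ies.example) and the three sample messages are all constructed for the example.

```python
"""
Payment-request triage: decide whether an invoice or transfer request can be
paid as usual or must first be verified by phone, on a number taken from an
official source (the vendor's website, the internal directory), never from
the email itself.

Added example, not AwareGO code. All records below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vendor master: payees we have paid before without incident, with the
# account we paid and the mail domain they normally write from (constructed).
VENDOR_MASTER = {
    "acme supplies": {"iban": "DE89370400440532013000", "domain": "acme-supplies.example"},
    "northwind traders": {"iban": "GB29NWBK60161331926819", "domain": "northwind.example"},
}

# Hypothetical: our own mail domain and the executives whose names a
# "CEO scam" would borrow.
OWN_DOMAIN = "ourcompany.example"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}

URGENCY_WORDS = ("asap", "urgent", "immediately", "right away", "confidential")


@dataclass
class PaymentRequest:
    payee: str                      # payee name as written on the invoice
    iban: str                       # account the money should go to
    from_addr: str                  # SMTP From: address
    display_name: str               # sender's display name, e.g. "Jane Doe"
    body: str                       # message text
    reply_to: Optional[str] = None  # Reply-To: header, if the mail carries one


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def normalise_iban(iban: str) -> str:
    # Invoices print IBANs with spaces; compare without them.
    return "".join(iban.split()).upper()


def triage(req: PaymentRequest) -> Tuple[str, List[str]]:
    """Return ("PAY", []) when everything matches what we already know, or
    ("CALL_TO_VERIFY", reasons) when a human must phone before paying."""
    reasons: List[str] = []
    master = VENDOR_MASTER.get(req.payee.lower())
    sender_domain = domain_of(req.from_addr)

    if master is None:
        reasons.append("new payee: no payment history to compare against")
    else:
        if normalise_iban(req.iban) != master["iban"]:
            reasons.append("bank account differs from the one paid before")
        if sender_domain != master["domain"]:
            reasons.append(
                f"sender domain {sender_domain} is not the vendor's {master['domain']}"
            )

    # A Reply-To that leaves the From domain routes your questions to the attacker.
    if req.reply_to and domain_of(req.reply_to) != sender_domain:
        reasons.append("Reply-To points to a different domain than From")

    # Transfer "from the CEO": always confirm by phone, however urgent it sounds;
    # an executive's name on an outside address is an extra red flag.
    role = EXECUTIVES.get(req.display_name.lower())
    if role:
        reasons.append(f"transfer requested in the {role}'s name: confirm by phone")
        if sender_domain != OWN_DOMAIN:
            reasons.append(f"{role}'s name used from external domain {sender_domain}")

    # Pressure to hurry only matters once something else is already off.
    if reasons and any(w in req.body.lower() for w in URGENCY_WORDS):
        reasons.append("urgency language on a request that already needs verification")

    return ("CALL_TO_VERIFY", reasons) if reasons else ("PAY", [])


# Constructed sample requests: a routine invoice, the same vendor with a
# "new" account from a lookalike domain, and a CEO-scam transfer request.
ROUTINE = PaymentRequest(
    payee="Acme Supplies", iban="DE89 3704 0044 0532 0130 00",
    from_addr="billing@acme-supplies.example", display_name="Acme Billing",
    body="Please find attached invoice 4711, due in 30 days.",
)
CHANGED_ACCOUNT = PaymentRequest(
    payee="Acme Supplies", iban="DE02120300000000202051",
    from_addr="billing@acme-supp1ies.example", display_name="Acme Billing",
    body="We have changed banks. Please settle invoice 4711 to the new account asap.",
)
CEO_SCAM = PaymentRequest(
    payee="Consulting Partners Ltd", iban="FR1420041010050500013M02606",
    from_addr="jane.doe@mail.example", display_name="Jane Doe",
    body="I'm in a meeting, this is confidential. Wire it now and don't call me.",
)

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("changed account", CHANGED_ACCOUNT), ("ceo scam", CEO_SCAM)]:
        decision, why = triage(req)
        print(f"{name}: {decision}")
        for r in why:
            print("  -", r)
```

The routine invoice comes back as PAY; the other two come back as CALL_TO_VERIFY with the reasons listed, which is exactly the information the finance employee needs when picking up the phone. Note that the check never decides a payment is fraudulent, only that it cannot be paid without an out-of-band call; the “don’t call me” in the scam text is the attacker asking you to skip precisely that step.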

 

 

 

There are multiple ways to keep customer information and other valuable data safe. For example: locking all computers when they are not in use and using multi-factor authentication for your data servers.

But wait, there’s more! Clear and concise protocols for employees to follow are a great way to ensure data safety. This means companies must have these protocols in place and teach their employees the right way to do things: how to move data from one place to another, why they should use strong passwords, and how to recognize phishing emails so they don’t get hacked. How? Through security awareness training!

Portable devices and printouts = less data safety

Many employees now use laptops and even bring them home to do additional work. They also use portable drives or flash drives to carry work documents between home and workplace and to take into meetings. This can prove dangerous, as these devices are often not encrypted and are easy to steal. The same, of course, applies to printouts containing confidential information.

When carrying laptops or portable drives employees must always be aware of data safety. That’s why one of AwareGO’s latest awareness training videos is a reminder not to leave items containing private data in the car. It sounds very simple and should be common knowledge and yet the problem is big enough to dedicate a whole video reminder to this topic alone.

The problem is not that employees don’t care or that they don’t know cars can be stolen or broken into. The problem is that they usually don’t think beyond the car or the hardware. Or they believe their car alarm is enough to deter thieves from even trying. They’re not thinking about the valuable information that devices or printouts inside the car might hold, and that this might be what the thieves are after.

No replacement for stolen data

While the car itself might not be so easy to steal, the valuables inside it surely are. It only takes a few seconds to get to them. No matter the alarm system, the thief will be long gone when someone finally shows up.

The car and the actual computer or hard drives might be well insured or even easy to replace, but the same does not apply to confidential data. Once data is out the damage is done. Cyber criminals can use the information to extort you or your clients, or to launch spear phishing attacks using the information they just got.

As privacy laws get tighter, losing private data can result in hefty fines. Then there is the matter of lost confidence from customers and business associates.

What is Security Awareness Training - it is not a one-time thing

Every month AwareGO publishes 1-2 high-quality cyber security awareness training videos on various topics, such as data safety, phishing, physical safety, ransomware and more. Each video is designed to help organisations all over the world to keep cyber security top-of-mind and encourage good behavior and digital hygiene.

For over 30 years companies have been connected to networks and the internet. And for almost all of that time they have been dealing with cyber security threats. From all this experience one thing has become absolutely certain: the best way to secure your network and keep your data safe is security awareness among employees. Equally important is employee engagement in security awareness training.

ChiefExecutive.net wrote an article entitled “Almost 90% of Cyber Attacks are Caused by Human Error or Behavior.” Business owners often buy good antivirus software and powerful firewalls, and that’s great news. The bad news, however, is that they forget to factor in the human element when it comes to cyber security. Security awareness training is an effective way to help avoid some of the cyber threats that exist in the world. Many of them will arrive on a business’s network via email attachments and malicious websites. Therefore, teaching your staff what to look for is an excellent way to reduce your company’s risk.

Why is employee buy-in so important?

We talk a lot about buy-in in almost everything that we do with staff. In every training, we hope to get employees emotionally invested in what we’re doing. The problem is that getting employees excited about a new loyalty card or the latest computer program is difficult. Cyber security awareness, on the other hand, can impact every employee, customer, manager, and the company as a whole. Employees must understand that the impact of ignoring cyber security could mean the loss of their data or their jobs.

Threats to the company and employee jobs

According to Accenture, the average cost of a malware attack on a company is $2.4 million. In fact, most small businesses are out of business within six months after a breach. Larger businesses can suffer permanent reputation damage from a breach of customer data.

It shouldn’t take much to explain to the staff that $2.4 million is a significant portion of salaries. It can mean the difference between a raise and no raise, layoffs, and lack of help, regardless of how busy everyone gets. In other words, cyber threats are not an abstract concept, but a very real and dangerous threat to the company and to every employee.

Threats to the employees’ data

One threat that most employees don’t think of is their personal data. Every employee’s social security number, and their spouse’s and children’s social security numbers, are on the company’s network. The same goes for their addresses, telephone numbers, emails and more. Their resumes can also be on the company network. Phishing scams against them, their spouses, or their children can easily be crafted with the data in their resumes. With any luck, all of this will bring home the idea that cyber security is in their best interests as well as the company’s.

Formatting training for employee buy-in

To ensure employee engagement in security awareness training, make the training short and entertaining. It needs to be informative, but it doesn’t need to be boring. The classes can take place over several days or even weeks. Just keep in mind that nothing annoys employees more than an 8-hour class on something that has nothing to do with their jobs. Therefore you should make the classes short and focus on one aspect of security at a time, such as email security, password security, etc.

The key is to deliver lessons in smaller portions so that everyone can learn what they need to without getting bored.

Another great way to make people aware is to use short security awareness training videos that provide them with learning without even needing to leave their desks. You can confirm that they took the course by having them fill out a test. You could also use a log-in tracker that tells you who looked at the whole training and who didn’t.

Consider offering a reward for great behavior

Of course, not all breaches are obvious, but in most cases it’s easy to tell how a virus or other piece of malware entered the network. Offering everyone a raise might seem a little outrageous, but it will probably cost you less than $2.4 million plus millions more recovering the company’s reputation.

Let employees teach the classes or appoint superusers who can deliver security knowledge to their peers. Anything that “comes down from on high” is immediately tainted with boredom and strange policies that have no context. If you have an office full of machinists, it will be easier for a machinist to explain to them the importance of cyber security.

The easiest way to ensure employee buy-in for cyber security awareness

The short and simple answer is to include your employees as if their livelihoods depended on it. Because they do!

Approach security awareness from the perspective that this is really their concern too. You’ll be able to speak to them in a way that makes them feel included and not simply lectured at.

Security awareness training is part of life in the connected world of the 21st century. Integrating agile security awareness training with your company’s policies and culture is the only way to make sure it works well for your needs.

What is security awareness training?

Security awareness training is nothing more than teaching employees what to look for and what to do to avoid being hacked or “phished”, for example by clicking a link that steals data or their password.

The ROI of security awareness training is huge, since the average cost of a large-scale breach is $3.86 million according to IBM’s latest Cost of a Data Breach Study.

What is “agile” security awareness training?

Your security awareness training should adapt not only to your company’s needs but also to changes in the threats you face. Every day, attackers are looking for new ways to get into your systems. Your policies need to adapt to that and be ready for it.

In 2001, a group of software developers got together in Utah and decided that they needed to create a set of principles that would govern how software was developed. They saw that software was big and clunky. Furthermore, it was being designed in a way that made it difficult to update and improve. And it was being created in a way that produced cool-looking software that was actually a nightmare for users. They issued the Manifesto for Agile Software Development:

“We are uncovering better ways of developing software by doing it and helping others do it. Through this work we have come to value:

  • Individuals and interactions over processes and tools
  • Working software over comprehensive documentation
  • Customer collaboration over contract negotiation
  • Responding to change over following a plan

That is, while there is value in the items on the right, we value the items on the left more.”


Making your security awareness training agile

Taking the principles of the Manifesto, we can see a clear path to creating an agile security awareness training program.

Individuals and interactions over processes and tools

Security awareness training is all about individuals and interactions. It’s a person’s interaction with an email or website that causes almost 90% of security breaches. Think of this training as an individual experience. You can frame information so that it can save your employees, not just at work, but at home, too.

Working software over comprehensive documentation

This is a warning against spending a lot of time on reports and data instead of on actually doing. With security awareness training, this applies to how you handle an incident. You should spend almost no time blaming the person who caused the breach and more time using it as a teaching moment.

Customer collaboration over contract negotiation

This training is not about sitting in a room and talking at people. On the contrary, training requires interaction and buy-in from the participants. While the contract negotiation concept might seem out of place, it is a contract. The contract is that you and your employees will protect the customers’ and the company’s assets.

Responding to change over following a plan

Cyber security is changing; this is not a static situation. Bad guys are always looking for new ways to get to your and your clients’ information, and it needs to be clear to your employees that this is an ongoing battle. Your team should be prepared to learn constantly and adapt.

Making Cyber Security Awareness Part of your Policies

Company policies must be an honest reflection of how people use electronic devices and how cyber security is changing. If you’re looking for a tone to follow, look at Dell’s Global Social Media Policy.

Here’s an example:

Be Responsible

“Make sure you’re engaging in social media conversations the right way. If you aren’t an authority on a subject, send someone to the expert rather than responding yourself. Don’t speak on behalf of Dell if you aren’t giving an official Dell response and be sure your audience knows the difference.”

Dell recognizes that their employees will use social media, so they provide guidelines that are as simple as “Be Nice, Have Fun, and Connect.”

Start your agile security awareness training with a simple idea: people will use your network in ways that “they shouldn’t.” This means they will check their personal email whether or not you try to outlaw it. They will look at social media whether or not you tell them they can.

The most effective way to start your plan is with a statement similar to this:

“Hackers and thieves will try to steal our information. You will want to use your smartphone, look at your email, and check Facebook. While we want you to keep it to a minimum (after all, you’re not being paid to chat on Twitter), it’s even more important that you do it safely.” Then you can talk about what to click and not to click. You can also require that every phone connected to your wifi network has antivirus protection (preferably paid for by the company so you can guarantee that it’s up to date). In addition, you’ll want to have a conversation with your staff about the fact that their personal email and internet searches can infect the network, even from their phone or laptop. Although rare today, malware that gets in through smartwatches and other connected devices will eventually reach your network too.

Another important thing to discuss with staff is how to respond to ransomware attacks. Establish a procedure for handling ransomware and make sure that everyone in the company knows what to do, even those who aren’t often near computers.

Every company has to have policies and procedures in place, but those policies need to be flexible and honest about how people use the internet and their personal devices.

Agile security awareness is at the heart of survival in the 21st century.

The threats will change, the technology will change, but the weakest link in your security wall will still be people. Make your policies flexible enough so that they can adapt as well. Provide simple and effective security awareness training to make them your strongest line of defense.

If you are a CISO or a DPO, chances are you’re responsible for security awareness training. But you’re not a teacher. Am I right?

So why are you responsible for training, when it is your responsibility to protect the company’s data?

The truth is, hackers, like most people, tend to choose the path of least resistance when they compromise the security of organisations. This path is very often through people, and cyber security threats are exploited through human behavior. It is usually uninformed employees that lead to breaches. Unfortunately human behavior is predictable, and we are thus vulnerable to attacks. The good news is that through training and awareness the risk from these threats can be reduced.

Back to the training part. What you need to understand is that some of your employees are lazy. They might recognize that security awareness training is essential, but they want it to be over as fast as possible. Employees don’t want to struggle to read and digest boring security awareness text. They want to be able to understand it quickly and efficiently and continue with their day-to-day job. Just because they want to absorb this content quickly doesn’t mean quick training programs are ineffective. A video is a tool that can take your security training from boring to exciting. 30 seconds of video can convey much more than the same 30 seconds spent reading text.

Videos have been used for marketing purposes for some time now. According to HubSpot, video is here to stay [1]. YouTube is also the world’s second largest search engine, which supports that. According to a report from HubSpot Research, 54% of consumers want to see videos from brands they support. [1]


So it’s strange, then, that some people don’t understand how useful it is to include videos in their training program. In the same way that people use images to separate points and make text easier to understand, people use video to hold attention. Especially when an employee needs to go through several security awareness topics. (Remember I said some employees are lazy when it comes to security training.) When people are presented with a wall of text, the first thing they will do is try to avoid it and find excuses for not participating in the training. Even if your security study material isn’t as long as in other companies, if it looks too difficult to read, they are not going to bother. Even though the actual study material is the same, which of the two pieces of training below would you rather take part in?

Example 1: Everyone makes mistakes. Even as simple as forgetting to turn off the faucet… or sending an email to the wrong person. But it’s what you do next that matters. If you lose or leak classified information, it is your responsibility to report it, even if it was an accident or not even your responsibility… By not reporting the leak your company might be liable for fines, or other people might get into trouble. Be extra careful when working with personal information: even if only one record leaks out it can have severe consequences for that individual and can lead to hefty fines for the company.

Or example 2:

 

The video is infinitely easier to consume and comprehend. According to HubSpot, video content was the most memorable (43%) in comparison to text (18%) and images (36%). [1]


This is good news because you want people to remember the training material and be able to put their training into action.

The attention competition

We all know there is massive competition for people’s attention today. Just because a video is easy to watch doesn’t mean people will watch it. But the shorter the video training, and the more effective the storytelling, the more people will complete the whole training rather than just the first few seconds.

So why aren’t you using video?
