The Importance of Security Awareness Training

Raluca Saceanu


Cyber security has been a major topic of discussion throughout 2016, with no signs of cyber attacks slowing down. Several organisations have faced high-profile data breaches with millions of stolen credentials. Across the world, hackers are taking control of networks, locking away files and demanding sizable ransoms to return data to its rightful owner. From phishing attacks to ransomware and advanced persistent threats, these days it is no longer a question of if a company gets breached, but when.

The most basic thing that every organisation needs is security awareness training. Security awareness training is all about teaching your colleagues and employees to understand the risks and threats of the ever-evolving cyber world. Its main purpose is to make these people realise that organised gangs of cyber criminals will deliberately try to attack, steal, damage or misuse your organisation’s systems and information, and that therefore everyone within the organisation needs to be aware of the associated risks and work to protect the organisation against them adequately.

Security awareness training also ensures that employees are fully aware of the consequences of failing to protect the organisation from outside attackers. Such consequences range from criminal penalties to large-scale economic damage to the company and the loss of employment. Finally, once employees fully understand why securing data is important and which systems they need to protect, your security awareness training programme should highlight the key ways in which attackers gain entry to your network and the steps necessary to curtail these risks.

Before we go on to explain the benefits of security awareness training, let’s take a look at two attack scenarios.

1. Whaling Attacks
A whaling attack is a targeted attempt to steal sensitive information from a company, such as financial information or personal details about employees, typically for malicious reasons. A whaling attack specifically targets senior managers who hold power in companies, such as the CEO, CFO or other executives who have full access to sensitive data. A recent survey by Mimecast found that 55 per cent of firms had experienced a whaling attack in which a senior member of the finance team received an email claiming to be from the company’s CEO, attempting to con staff into transferring large sums of money out of the company’s accounts. The most popular attack method for this is domain spoofing, which accounts for 70 per cent of all whaling attacks.

You might remember the massive whaling attack that happened back in February this year. The CEO and the CFO of FACC Operations GmbH were sacked after the company lost €40.9 million (£31 million) to this attack.

Security awareness training educates an organisation’s employees and actively engages users in telling legitimate emails apart from damaging phishing emails through the use of simulated phishing attacks.

2. Ransomware Attacks
The ransomware epidemic continues to rage on, encrypting the files of private and enterprise users alike. Ransomware has become a global problem: according to the FBI, the accumulated revenue in the first three months of 2016 was over $209 million.

The two best methods to prevent ransomware are data backup and security awareness training. Learning not to click on malicious links can save your files from being encrypted by a hacker, so email security is very important.

Security awareness training is an important process in educating all company employees, and failing to implement a well-defined programme can often result in significantly more intrusions and, ultimately, the loss of company data and revenue.

So, what areas does security awareness training cover? These areas typically include:

  1. Password best practices – why passwords are important, how passwords should be used, common password exploits, two-factor authentication and how to create strong, memorable passwords.
  2. Email and browser security – how to spot suspicious email messages, modern web browser security features, how to identify malware/viruses, why phishing is such a huge threat and best practices to alleviate the biggest risks.
  3. Social engineering – what social engineering is and how it works, the risks of social engineering attacks, the most commonly used social engineering techniques and methods to protect yourself from social engineering attacks.
  4. Avoiding malicious downloads – the consequences of running malicious downloads, best practices for keeping software updated and installing new applications, how to identify whether a system has been infected with malicious software, web browser configuration for better security and how to deploy internet/email security software.
  5. Mobile security – the most common threats to mobile devices, how mobile POS (Point of Sale) systems work and the risks they come with, appropriate procedures for handling cardholder data while using mobile systems, how to ensure that mobile devices are secured and the security risks associated with using personal mobile devices at work (BYOD, bring your own device).
  6. Social media security – the best way to use social media, the privacy and security settings offered by social media, the risks of using social media at work and at home, ways to minimise social media hacks and the acceptable use of social media when at work.
  7. Anti-virus and software updates – the function of anti-virus software, methods to keep both software and operating systems up to date, how to use Windows Update securely, how to install, configure and update anti-virus software and methods to secure mobile devices as stringently as other devices.
  8. Secure remote working – the most common risks and threats associated with accessing company data and systems while working remotely, the technology and software available to make remote working more secure, how to handle private data when working remotely and what steps to take when mobile devices are lost or stolen.
  9. Physical security – the importance of physical security for both devices and applications, the advantages of using screen privacy protectors, the importance of wearing an identity badge, how to report any violations of physical security and the key steps to take if an individual attempts to breach, or successfully breaches, physical security.
  10. Protecting cardholder data – the function of the PCI standards and why compliance is so important, identifying the most sensitive pieces of information on a credit/debit card, determining what and who needs to comply with the PCI standards, an explanation of how card transactions work and how to handle credit/debit card data securely.

Smarttech has partnered with Security Innovation to deliver a security awareness training programme that will keep your organisation safe and cyber-aware. We are now offering a FREE 7-day trial of the training programme.

In-Person Training
To inquire about requesting a special in-person computer security awareness training for your organisation, please contact us on 0818272727 or raluca@smarttech.ie
