As every year passes, the cyber threat landscape continues to evolve, and along with it the need for cyber security awareness training to deal with those threats increases. This past year was no different. The change is that ransomware declined, crypto-mining rose, and 92 percent of malware was delivered by email, according to a CSO article. It reported that fileless malware is replacing the old .exe files that were attached to emails. Fileless attacks abuse software already installed on the victim’s computer, for example by executing inside a browser plugin or through MS Office macros, or they exploit vulnerabilities in server programs to inject malicious code. This shift in threats contributed to 1,027 breaches and over 57 million records exposed as of the October 31, 2018 Identity Theft Resource Center (ITRC) report. When you see the change and increase in cyber threats, how trained are you and your organization to deal with them?
We see that threats continue to advance, giving cyber criminals the ability to exploit the increased complexity and connectivity of critical infrastructure systems. In addition, cybersecurity risks continue to affect a company’s bottom line by driving up costs, negatively impacting revenue, and harming an organization’s ability to innovate and to gain and retain customers. With this constant evolution and risk comes a constant need for cyber security awareness training for an organization’s employees. But what makes for an effective training program that both the organization and its employees can benefit from? One that will keep the company secure and give it an acceptable return on investment (ROI)? And what about those individuals and organizations that can’t run a corporate cyber security awareness training program: what can they do to get training?
Who should receive training?
Training should be provided to anyone with access to the organization’s infrastructure. This includes new employees, longtime employees, executives, and contractors. If you allow someone access to your infrastructure, they need to receive regular training.
Why are you doing it?
The way to approach creating a successful cyber security awareness training program is to start by establishing clear, well-defined goals. If you’re going to do training merely for the purpose of having it, or just to check a box in an audit, it is not going to have any lasting benefit for anyone. You need concrete outcomes, and the training needs to be part of a long-term plan. Change in security awareness will not happen overnight.
The purpose of this training is to create a strong security culture that will breed employee engagement. In order for this to work it has to come from the top down, from the CEO all the way down the corporate ladder. To get buy-in from the C-suite, one company performed a team-building exercise in which it split the executives into red and blue teams. In a gamified environment, one group performed a denial-of-service attack on the company’s DNS server while the other had to figure out how to defend against it. (Sounds fun, right?) Once the executives are involved, the rest of the organization will follow.
Remember, building a successful cyber security awareness training program means changing the culture of the organization into a security-focused culture. Doing a CBT module once a year will not effect that change; more is involved. If you were training to be a boxer or an MMA fighter, would you depend on just watching videos before entering a match? Can you imagine the outcome? The same is true of an awareness training program: real-life exposure is needed, such as using a simulation program to send realistic phishing emails and to do vishing, in addition to the CBTs.
Everyone in an organization has a stake in keeping it secure. So, even though one person may be the only one officially assigned the task of running the training program, one or more senior leaders need to champion it. This will help build confidence in the program and make it more visible. You can even involve the communications and marketing teams to help you create material and messaging that is engaging and captivating to your audience.
If you are going to influence behavior and culture and give the training a lasting effect, post-training reinforcement needs to be established. Ongoing communications and content should be produced monthly, not just once a year. So, build a catalog of content and available resources, build a portal where newsletters can be posted along with alerts and videos, and make the program fun.
What about the little guy?
Building a successful program takes time and resources. What should an organization do when resources are limited, and what about individuals who don’t get training from a corporate program? Where time and resources are limited, start small and grow as your program gains credibility and more resources become available. Use small wins to demonstrate value. There are also plenty of free resources available. Use resources like the Social Engineering Framework, which provides plenty of examples and psychological principles of social engineering attacks, and tools such as the Social Engineer Toolkit, which can be used to test the human element in an organization. Another free tool is the community edition of Lucy, which can run basic phishing campaigns. If you want to test your network and your users, you can use the free tools from KnowBe4. Subscribe to industry newsletters, such as this one, and follow blogs such as the Social-Engineer.org blog and the Social-Engineer.com blog, which discuss timely information on what is happening in the world of social engineering and how to be cyber security aware.
As a community we can all do our part to help get cyber security awareness training to others. One thing I’ve done, to help train others who may not get the benefit of cyber security awareness training at a company, is to openly discuss phishing, smishing, vishing, and all the other aspects of social engineering attacks they need to be aware of with friends and family. The result is that many will come and show me a phish they received or tell me about a call they thought was “phishy”. As you get educated, spread the word to others, and this will help everyone get some cyber security awareness training.
Social engineering attacks will not be ending any time soon, and they will constantly evolve. Therefore, we will always need regular cyber security awareness training to combat them. Remember that your training program needs to adapt to the ever-changing cyber threats and needs to keep training your organization in how to deal with them. What is your program going to look like for 2019? Let us know.
Stay safe and secure.
Written By: Mike Hadnagy
This is a Security Bloggers Network syndicated blog from Security Through Education authored by Social-Engineer.Org. Read the original post at: https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-111/