In this Article:

Cyber security awareness training is a relatively new but rapidly expanding service industry built around combating phishing and other malicious social engineering tactics used by hackers. Social engineering is the use of psychological manipulation to obtain the trust of an unwitting end user. With targeted personal attacks to businesses, especially small to medium-sized businesses, becoming more prevalent, these security awareness training programs attempt to train human error out of the equation.

For this post, we picked the brains of the senior technicians and management at Capital Network Solutions to offer some security awareness training answers and advice. Every business is a little bit different, but the practices and strategies outlined in this article are based on our 30 years of experience providing managed IT services and network security solutions to businesses throughout the Sacramento area.

What are your biggest cyber security risks?

We all know the terrifying true-life tales of mass data breaches and other heinous cyber security crimes. Threat actors both foreign and domestic are evolving every day, developing ever more sophisticated methods and state-of-the-art technologies to penetrate past your security protocols. Hackers are attacking everything from school systems to local governments, independent businesses to international corporations, looking for private information to either hold for ransom or sell on the “dark web.”

Still, the greatest cyber security threat in the modern world comes not from outside your organization, but rather from within.

According to recent studies, the biggest cyber security risk to American businesses is employee negligence. In other words, simple human error. Phishing, or the process of creating fraudulent emails to obtain confidential information, targets untrained and unsuspecting end users. Meanwhile, the more personalized attacks known as spear phishing have become increasingly prevalent. And even with spam filters and other basic security measures in place, a whopping 10.5 to 15 percent of phishing emails still reach your employee inboxes.

THE WEAKEST LINKS

Inattentive, poorly trained employees who are unfamiliar with basic IT practices can unknowingly create security vulnerabilities in your network. Hackers are trying to steal passwords, steal banking account information, install malware, hijack your data and initiate fraudulent wire transfers. Your employees may be the last line of defense against a phishing attack, but without proper security awareness training, they could also be the weakest link that allows the bad guys in the door:

  • 92 % of organizations reported that their biggest security concern is their own employees;
  • 47 % of business leaders reported that human error caused a data breach at their organization;
  • According to Microsoft research, 43 % of cyberattacks target small and medium-sized businesses;
  • Security software firm Trend Micro found that 91 % of cyberattacks and the resulting data breach started with a spear phishing email;
  • A study by Okta found that 49 % of employees never participated in security training at work;
  • Data breaches cost companies an average of $3.6 million globally in 2017, but lost money from phishing attacks is recovered only 4 % of the time.

Despite these scary statistics, many organizations lack the budget and training to properly safeguard against these threats. Half of all workers admit to clicking on unknown links from suspicious senders, but as a business leader, you have no idea which half. That’s why there is a fast-growing industry that offers security awareness training programs, with the intent of turning vulnerable end users into human firewalls.

How does cyber security awareness training work?

There are many different vendors offering security awareness training programs, but they all work in largely the same way.

ASSESSMENT

Microsoft Operations Management Suite

Security awareness training begins with a baseline test to measure the “phish-prone” percentage of your organization and your employees.  KnowBe4, one of the top security awareness training vendors on the market, estimates an “Initial Baseline Phish-prone Percentage” of 27 percent for their clients.  That means that without proper training, 27 percent of employees across all industries are likely to fall for a phishing scam.

TRAINING

Interactive training modules educate employees about various forms of social engineering scams, how to recognize suspicious emails, and why they should not click on potentially malicious links from unknown senders.  End users are taught that every email is a potential phishing attack.

SIMULATED PHISHING ATTACKS

Persistent vulnerabilities are exposed through “simulated social engineering testing,” as security awareness software randomly sends fake phishing emails to employees.  The employees either successfully flag and report the mock attack, or they click a malicious link and a potential catastrophe turns into a teaching moment.  Spam email templates and infinite customization options are available, allowing you to mimic the types of phishing lures most likely to be dangled before your employees.

REAL-TIME STATISTICAL REPORTING

Executives receive real-time statistical data showing which workers in which departments are clicking on these fake phishing scam emails and how often.

FOLLOW-UP AND REMEDIATION

With security awareness programs, training is not just a passive, one-time event without follow-up.  The important thing to remember is that end users are not IT experts, but by teaching security issues through real-world situations and providing instant feedback, complex concepts become relatable and easier to understand.

What is the importance of cyber security awareness?

What is the importance of cybersecurity awareness?It only takes one thoughtless click to sink your small business, and it is more cost-effective to train workers about operations security, safeguarding passwords and recognizing malicious emails than to risk a security incident.

According to FBI statistics, business email compromise (BEC) and email account compromise (EAC) scams have cost businesses over $12.5 billion worldwide since October 2013.  BEC/EAC scams have been reported in all 50 states and 150 countries across the globe, and the problem is only getting worse.  Identified global losses increased 136 percent in the period between December 2016 and May 2018.

French film production company and cinema chain Pathé fell victim to a costly phishing scam in 2017.  Pathé lost $21 million after the two-person senior management team for its Amsterdam-based subsidiary fell victim to a BEC attack.  Hackers spoofed the email of Pathé CEO Marc Lacan and sent a message to senior management asking for money to be wired to an account in Dubai.  It took three weeks after the initial attack for Pathé to spot the fraud, and the finance director and managing director were suspended and ultimately fired.

What are some of the most common social engineering scams?

An alarming 98 percent of cyberattacks rely on social engineering, a practice that uses psychological manipulation to obtain the trust of an unwitting user.  The Pathé story offers a recent, high-profile example of CEO fraud, one of the most common social engineering scams out there.

Here are some of the other social engineering methods widely used by modern hackers:

Phishing

Attempting to steal passwords or other credentials by sending fake emails that pretend to be from reputable sources.  According to the most recent Microsoft Security Intelligence Report, inbound emails that were phishing messages increased 250 percent between January and December 2018.  Phishing takes many forms, including the more personally targeted attacks known as spear phishing, as well as domain spoofing, user impersonation and text lures.

Ransomware

Malicious software that seizes or lock up your data, which is then ransomed back to you by the hacker.  Enterprise Strategy Group research found that 63 percent of organizations experienced an attempted ransomware attack in 2017, while 22 percent said that it happened on a weekly basis.  While attacks declined sharply in 2018, ransomware threatens not just your internal machines but your cloud data as well.

Malware

Another type of malicious software, this time designed to gain access to and harm your system.  Instead of attempting to expose a technical flaw in the system, 97 percent of malware attacks use some type of social engineering scheme.

Brute-force attacks

Trial-and-error password-guessing sessions performed rapidly by a specialized program that uses your personal information.

Spidering

The practice of gathering information from company websites or social media sites such as Facebook and LinkedIn to come up with word lists, which are then used to perform brute-force attacks.

What departments are the most vulnerable to phishing scams?

Everyone with an email account and online access is a potential target, but hackers tend to go after people with the most access to funds and sensitive information like passwords and social security numbers.  Therefore, these four departments are most often targeted by hackers:

  1. Finance department
  2. Executive management (e.g., CEOs or CFOs)
  3. IT department
  4. Human Resources department

Ultimately, every department in every industry is vulnerable to attack, which only underlines the importance of getting your entire company involved with the task of information security.

What are some basic cyber security awareness tips?

Improve password security – A study by Okta found that 40 percent of respondents use and reuse the same two to four passwords, while 10 percent admitted they only use one password for everything.  Insist on more password complexity from your employees, and consider instituting Multifactor Authentication, which blocks attackers from gaining access to your network and brute-forcing into cloud-based email accounts.

Think before you click – There are a few ways to easily identify a spam email:

  • Look at the Sent address. Much of the time, the domain will be one or two letters, numbers or symbols different from the correct address.
  • Make sure the email is in HTML format. If you receive an email in plaintext or rich text format, that’s something to raise an eyebrow over.
  • Be suspicious of attachments. If you’re not expecting a shipment from Amazon, don’t click a suspicious delivery link.  Stop, think and process the available information before you click.

Take the time to communicate offline – In our thirty years as a managed service provider to businesses throughout the Sacramento region, we have seen it all here at Capital Network Solutions.  Our Director of IT Operations and Virtual CIO Lauren Hermle tells this story:

Cybersecurity Awareness Tips“One problem is people don’t communicate effectively.  We’ve seen where two people who sit in the office right next door to each other, one will initiate a wire transfer to an unknown company, and the other one does it.  All they had to do was walk two feet over and ask the other person if they really initiated the wire transfer.  We see a lot of breakdown in communication within an organization because people become so dependent on email.”

Beware the Internet of Things – With everything from refrigerators to thermostats now web-enabled, a small level of convenience can lead to a huge level of vulnerability.  Web-enabled appliances are easily accessible to hackers, yet companies willingly put them on secure networks.  If you are an enterprise organization, take precautions on what appliances you enable and how you do it.

Secure ironclad data backup protection – Reliable and regularly monitored data backups are the only way to truly recover after a malicious data breach.  Despite this fact, a report by Storage Magazine found that one in three companies do not test their backups.  At Capital Network Solutions, we exclusively use Barracuda Backup products to protect your data on-premises and in the cloud.

Invest in cyberbreach insurance – Protect your organization against claims arising from ransomware and phishing attacks, especially if your business maintains or processes personal data like social security numbers and dates of birth, or protected health information like medical record numbers.  A small business may not believe that the data they store is “sensitive,” but regardless of size, most businesses store valuable information like email addresses, billing addresses and phone numbers.

What are some of the top cyber security awareness training vendors?

Security awareness training is one of the fastest-growing sectors in the world of IT, as more companies are realizing that standard security measures like spam filters, antivirus software and firewalls aren’t enough on their own anymore.  Here are three of the top vendors in this rapidly expanding sphere:

Celebrity hacker Kevin Mitnick serves as the Chief Hacking Officer for this Clearwater, Florida-based company, which specializes in the field of security awareness training.   The company’s slogan: “Human Error.  Conquered.”

This British corporation first started offering antivirus and encryption products in 1985.  Today, Sophos helps secure the networks of over 100,000 businesses, including Pixar, Xerox, Ford, Avis and Toshiba.  Their security training awareness software is called Phish Threat.

Barracuda was founded in 2003 and is headquartered in Campbell, California.   A long-time leader in the data backup protection field, Barracuda has now entered the security awareness training sphere with PhishLine.

What else do I need to protect my business against security threats?

At Capital Network Solutions, we do a lot more than just “manage” your IT services.  We proactively combat the threats of today and continuously evolve to meet the threats of tomorrow.  Our certified technicians can monitor and update your system’s firewall, antivirus software, Windows security patches, onsite and offsite data storage and backup protection to help keep the bad guys out.

To set up a free consultation to discuss your online security needs, call Capital Network Solutions at (916) 366-6656.