Recent research shows that human error is responsible for more than 90% of data breaches. 90%. Let that sink in for a minute. For any business, large or small, that’s a pretty frightening statistic. No organization is immune to the risk of a cyber-attack. A social engineering scam needs only one thing to be successful, and that is for an employee to fail to recognize they are being deceived. The simple fact is that one mistake by a single employee could compromise an entire network. If your employees are not aware or prepared for social engineering cyber-attacks, your organization is vulnerable.
How do I train my employees for cyber security?
Effective cyber security training is all in the approach. The goal here is to change the way your employees go about their daily work by educating them on the various forms of attack and instilling best practice behaviors to protect themselves and your business. On average, it takes two months of daily practice for a habit to form, which means a one-off training session where attendees are bombarded with information and then sent on their way is simply not effective.
An ongoing training program that is regularly updated to keep up with the evolving threat landscape and incorporate new security protocols is key. Most people learn best with a more hands on approach, so backing up the theoretical training with simulations which allow employees to practice safe online behavior will help to reinforce the training and improve its effectiveness.
In order for employees to be able to identify a potential security threat, it’s necessary to provide an overview of the different forms of cyber scams and how they work. A comprehensive training program should cover the various types of online security threats, and how they present. As a basis, this might include social engineering scams, like phishing and spear phishing. It should also cover malware, baiting, vishing, smishing, Business Email Compromise (BEC) and water holing attacks. For additional topics and information, please see the Fraudwatch International website to find out more about our world leading Security Awareness Training.
Phishing and spear phishing
Show real examples of phishing scams to demonstrate what a fabricated email or text message might look like, and explain what tactics are used to draw someone in. This might be an email requiring an urgent action, tricking a user into clicking on a malicious link, or a more targeted spear phishing attack where a fraudster impersonates the organizations IT manager and contacts a specific individual requesting a password update.
Trojans are typically sent via email; however, they can also be downloaded through a visit to an infected website and require an action by their victim to take effect. A popular trojan is one which masquerade as an antivirus program which, when run by the unsuspecting user, attacks and damages their device and steals information. Red flags which may indicate the presence on a virus can include delayed start up and slow performance, low storage space, missing files and crashes and error messages.
A malware program, typically a trojan, infects a device through a visit to a compromised website, or via phishing email. Users are prevented from accessing their systems or data through encryption. Cyber criminals then use this to leverage financial gain from the affected person or business.
An effective method of installing malware, baiting uses physical media (flash drives, optical drives) which have been infected with malicious software. Cyber criminals leave these items in public spaces frequented by their targets such as cafes, bathrooms or car parks, hoping an employee may find and use the device, thereby unknowingly installing malware on their workstation.
Vishing and Smishing
Derivatives of phishing, smishing and vishing are types of social engineering fraud where the attacker uses either SMS messaging (smishing) or a phone call (vishing) in an attempt to gain access to private personal or financial information. As with phishing, these methods also rely on creating a sense of urgency in the victim in an attempt to obtain their personal data.
Business Email Compromise (BEC)
An online scam where the fraudster impersonates a trusted business representative to trick an employee, a vendor or a client into revealing personal information, or even transferring funds to the attacker.
Water holing/Water hole attack
This targeted method of attack seeks to compromise a specific user by infecting websites they are known to visit frequently. The goal is to infect a legitimate website and use it to gain access to the wider network through the employees’ workstation.
What is the main purpose of security awareness training?
Social engineering attacks have overtaken malware as the preferred method of compromising data by cyber criminals. A recent study showed that a whopping 76% of businesses experienced phishing attacks in 2018. The assumption can sometimes be that in the event of a malicious attack, only systems and technology will be impacted, but that is far from the case. If preventative action is not taken, the damage to your business can be significant. The potential for loss of confidential client data, defacement of websites, or identity theft could result in a decline in consumer confidence, reputational damage, fines, lawsuits or even bankruptcy.
Training and education designed to create a security focused working culture is the best way to protect your business. Some of the benefits of cyber security awareness training include:
- Employees who feel confident and empowered through training and established security protocols are less likely to make mistakes which may allow a data breach. Simulations and awareness campaigns allow you to track the progress of employees and identify any individuals who may require additional training
- Security protocols should be adaptive and proactive. Ongoing training and simulations allow you to gather hard statistics to determine which attack methods are the most successful, and modify security protocols accordingly
- Prevention is always better than cure, and a security aware workforce could save your business valuable time and money. Prevent downtime and lost revenue by adopting a proactive approach to security training
Cybersecurity is a shared responsibility. All employees have a duty to protect a company’s network and data, but for a protocol to be effective, the first step must be education. Don’t let your business become a statistic. Take preventative action and protect yourself and your clients from potential cyber security breaches.