Awareness training

“Amateur hacker systems, professional hacker people” – Bruce Schneier


The biggest threat in IT security is the employees. If employees never clicked on a link or opened an attachment sent by criminals, much of the threat would be mitigated.

Statistics say that 90% of all hacker attacks start with an email. The remaining 10% use a number of other approaches, such as a hacked website, a port scan, etc.

There are various ways that you can train your employees. Many organizations have tried sending out mails warning that a specific ransomware campaign is running, and perhaps holding a seminar on IT security. It is a good idea to do these things – it is just far from enough.

People do not learn by being told things – people learn from their experiences.

Typically, we start the awareness training with a startup course that contains the following lessons (it takes about 20 minutes to complete):

  • Introduction to awareness training
  • Passwords
  • Routines for wireless networks and workstations
  • Phishing

After the startup course, users receive one lesson per month (taking about 5-7 minutes to complete) on a selected topic. We continuously prepare the lessons so that relevant and current examples are included as part of them.

The most effective form of awareness training against cyber attacks is simulated phishing mails. In this process, users are placed in a realistic scenario showing how an attack by cybercriminals could look.

The table below shows how we find that users get better and more proficient at questioning whether an email is an attack:

Therefore, if you only run a single campaign, you will not get the full value. At the same time, knowledge is something you need to keep refreshing – otherwise it will be lost. In addition, in most organizations employees are replaced over time, which means that it is necessary to repeat the process. Our recommendation is 4 times a year, with the simulated cyber attacks adapted to the attacks we see in the market.

Depending on how much you want to do, you have the opportunity, for example, to create competitions between departments, which can also include elements such as pressing a key on an unlocked computer, seeing how many people plug an unknown USB device into a PC, etc.

All of this can be gathered on a campaign site, so the user, department or company can see how well they are doing and follow their progress.

Together with awareness training, we recommend that procedures be set up for how your company handles real cyber attacks. Our recommendation is that you create an email address to which suspicious mails, phone calls, etc. are reported, so that they can serve as an indicator of a major attack and/or help clarify the criticality of an attack that affects the company.

It is also important to have procedures in place regarding data storage. It can be a big challenge for the company if users use their private Dropbox, save CVs to various file drives and place confidential documents in folders that many users have access to. Therefore, in the context of awareness training, it is a good idea to update the IT Security Guide and spend 10 minutes at a half-yearly or annual meeting informing staff about your company’s data policy.

By working with awareness in a structured way, your company has taken one of the most important steps to reduce its cybercrime risk.