As network security becomes more difficult to get past, the bad guys, be they hacking groups or low-level lone wolves, target a vulnerability they know they can exploit: people. Reckless employees are often the leading cause of data breaches. According to a report by the Sydney Morning Herald, social engineering scams — whereby cybercriminals manipulate users into giving away sensitive information or downloading malware — have netted $260,000 from Australian internet users within the past 6 months.
The best way to defend against this is to ensure everyone in your company follows security best practices. However, as any security expert will tell you, achieving this takes more than one training session.
The case for ongoing training
New threats emerge in minutes, security and compliance regulations frequently change, and businesses are constantly introducing new processes and updating their software. Training programmes should be run as frequently as possible to address the changes within your ever-evolving IT landscape.
Additionally, learning is more effective when you spread your training curriculum throughout the year and focus on a few key concepts each time. This gives your employees more time to really digest what they hear in your interactive training sessions and keeps them conscious of their online activities. This is one of the key ways to save your firm from being compromised by hackers.
Design a curriculum
Unlike a one-off session, ongoing security training requires a thorough 4-step process for planning how you’ll cover all aspects of defending your network. First, consider how many seminars you’ll hold throughout the year so you can work out a schedule accordingly. Then, document the objectives for each seminar. For instance, your social engineering course may have an objective like: “Staff must be able to identify the difference between legitimate and phishing emails.”
Next, think about how you will present your ideas. Will you do a regular lecture format, use e-learning materials, or create interactive games/exercises? Whatever you choose, make sure it’s engaging for your employees, as they will likely tune out if the training sessions feel canned or impersonal. Finally, explain basic terms and concepts like phishing, malware, data breaches, and account hijacking before delving into key topics discussed below.
1. Social engineering
There needs to be a focus on the different types of social engineering techniques like phishing, vishing, and smishing, and how to identify them. Everyone knows not to click on emails from Nigerian princes or pop-up ads offering free iPhones, so make sure you’re providing more current real-life examples.
The recent Windows 10 tech support phishing scam or last year’s wave of fake Netflix ‘account authentication’ emails are great examples of modern-day phishing campaigns. Knowing this will prepare your employees for similar threats in the future.
2. Password management
Considering that “123456” and “password” are still the most frequently used passwords, educate employees about setting up a strong password. By the end of this session, staff must be capable of using strong passwords/passphrases that include a combination of letters, numbers, and symbols. Employees must also be advised that reusing the same password across multiple accounts and/or sharing passwords with colleagues exposes them to data breaches.
3. Data policies
Providing adequate training to employees around data security is crucial. This stage of the curriculum should focus on data access rules and policies. To minimise data leaks, ensure employees are trained to keep their desks clear of any important information and to log out of accounts after work. Highly regulated companies should also train employees on how to comply with industry-specific data legislation. Those that store and manage credit card information, for example, must be educated on PCI-DSS guidelines, secure data destruction, data classification, and breach notification procedures.
4. Device security
Mobile devices allow employees to work from any location, but they’re prone to being compromised. If your company has BYOD and flexible work policies, advise employees about the necessary security rules. This includes educating your staff about the risks of leaving their devices unattended and unlocked, and encouraging them to report a lost or stolen device promptly, in addition to general security best practices such as avoiding public Wi-Fi hotspots.
Last but not least, your security awareness programme must include information on what malware is, how exactly it behaves, how to recognise it, and how to respond if a system is compromised. Again, it’s best to tie in current examples, so if you’re talking about ransomware, include facts and figures about WannaCry or Petya and explain how these attacks could have been prevented. Also, ensure all systems have been updated and patched and that data is securely backed up to an external location.
Critical to every security programme is testing. Thirty-to-sixty days after every lesson, consider quizzing your employees to evaluate their security awareness. For more practical testing, create role-playing scenarios where employees have to work as a team to identify the threat and respond to it.
Furthermore, if your goal is to help employees be more aware of phishing scams, you can hire security experts to simulate fake emails and record how many employees click on the links provided. This will help you measure the success of your training sessions and determine areas in which your employees need to improve.
If you don’t think you have the expertise or materials necessary to conduct an ongoing security training programme, contact Empower IT. As part of our managed IT services programme, we provide security best practices material that helps business leaders educate staff and raise awareness about these issues. For a free IT vulnerability assessment, call 1300 797 888.