We believe that training our clients and their teams about the best cybersecurity practices is no longer optional – it’s necessary! Not only is cyber security training a vital investment that will protect your business under “normal” circumstances, but ever since the pandemic moved workers into their homes with less cyber protection, hackers have pounced more aggressively than before.
The best way to secure your organization’s sensitive data and protect employee devices is to implement successful, extensive cybersecurity training!
Many organizations recognize the importance of delivering Security Awareness Training but lack the expertise or resources to deploy and manage a training program that follows these best practices. That’s when it’s time to seek out education from your trusted managed service providers (MSPs), like Computers Nationwide!
“The shift to working from home during the COVID-19 pandemic brought with it a 300% increase in cybercrime. Wandera’s 2020 Mobile Threat Landscape Report stated that every three minutes new phishing sites pop up. And in April of this year, 18 million phishing attempts were blocked by Google each day for a week. Cybercriminals are enjoying the dispersed work environment and making good use of the chaos, curiosity, and uncertainty. Without the structures of the work environment, employees are relaxing their diligence in cybersecurity awareness and criminals are taking advantage of it.
The scarcity and conflicting narratives in media allow phishing to thrive during this global pandemic. By leveraging highly searched information, criminals create new ways to trick the curious into clicking on unknown and dangerous links. Further exploiting the chaos and uncertainty of COVID-19, bad actors convincingly spoofed large, international organizations and websites, like the World Health Organization (WHO) and the Center for Disease Control (CDC), to smaller, local, and regional health reports.
Combine this trend with the shift to workers working from home in their different stages of alertness and focus. Maintaining vigilance is hard enough in a known setting, but balance it with parenting, teaching, and family demands while sifting through emails on couches, hallways, and makeshift offices in bedrooms — it becomes easy to let down one’s guard for the sake of speed or convenience. That is even if they remember the training — which could have been a year or more ago for some due to shifts in scheduling and availability of training with the pandemic.” Security Info Watch
When employees are left to fend for themselves and cyber threats are ignored, the likelihood that they will fall victim to an attack and jeopardize your business increases. Fortunately, this can be prevented by making the effort to provide your team with the best cybersecurity education and support! As an organization, it’s important that everyone stands together in their commitment to strengthening cyber resilience.
“It’s been a momentous year for everyone working in cybersecurity. But while the pandemic has caused pain, misery and disruption on a quite unimaginable scale, there are also some positives we can take with us into 2021. The rapid shift to remote working and adjustments that many companies were forced to make to continue serving customers highlighted the importance of digital transformation. But they have also hopefully reminded business leaders of the critical need for effective cybersecurity baked-in from the start. The stakes couldn’t be higher: cyber risk in today’s environment represents nothing short of an existential challenge for organisations.” Barracuda Networks
What does successful cybersecurity training entail and why is it important? Learn from our trusted network affiliates that are leaders in the industry…
“Over three-quarters (78%) of the cybersecurity leaders and 65% of CEOs surveyed admit to clicking on a link they should not have. That same survey also finds, not surprisingly, that half the data breaches that companies admitted to experiencing in the previous 18 months have been caused by employees.
Given all the headlines security breaches now generate it’s hard to argue that end users are ignorant of the risks they face. Time and again a combination of laziness and fatigue results in end-users doing something that appears benign only to discover, for example, that every file the organization has is now suddenly encrypted by some cybercriminal halfway around the world demanding thousands of dollars for the keys to decrypt those files.
Almost everybody by now knows somebody who has been targeted by this type of attack so perhaps cybersecurity awareness is no longer the primary issue. Rather, the focus now needs to be squarely on training. After all, if end users are not trained to recognize a phishing attack all the awareness about cybersecurity issues in the world is not likely to make much of a difference. Talking about cybersecurity is not nearly going to generate the same result as putting end-users through a phishing simulation drill that makes it simpler for them to identify potential threats.”
“Did you know that a staggering 90 percent of successful breaches are caused by human error, making it critical for your organization to have ongoing Security Awareness Training as part of its security strategy? Lack of training in basic cybersecurity practices can cause your employees to fall victim to malicious social engineering and cause the spread of dangerous cyber threats in your network.
Adding a Security Awareness Training program can benefit your organization in many ways, such as:
- Expanding awareness to reduce threats: Proactive training helps your employees learn how to recognize and avoid cyberattacks, significantly reducing cybersecurity risks.
- Minimizing successful phishing attacks: Phishing attacks account for more than 80 percent of reported cybercrime incidents. Training can dramatically reduce your organization’s phishing exposure.
- Reducing costs: Cyberattacks are expensive. A well-developed Security Awareness Training program can reduce the risks of costly data breaches, downtime, reputational harm, and more. For many organizations, the ability to outsource Security Awareness Training ensures that affordable, up-to-date training is delivered reliably without draining vital internal IT resources.
- Phishing Simulations: To execute phishing attacks, criminals send emails impersonating your organization’s internal IT department or well-known companies such as Microsoft, Google, Amazon, PayPal, Bank of America, etc. Any user that “takes the bait” by clicking on a link is directed to additional training materials to help them understand how to better recognize phishing emails and prevent clicks in the future.
- Monthly Training Courses: The TPx Security Awareness Training program consists of monthly online courses covering a range of topics from general security awareness to best practices and regulatory compliance. A few topics include: Password security, Safe web browsing, Social engineering, Malware, and Mobile security.
- Management Reports: Weekly management reports are automatically emailed to recipients. These reports track important metrics regarding phishing activity and training adoption which will help you measure progress toward your training goals.
Security Awareness Training is key to having strong cybersecurity across your organization. In fact, data from Infosec Inc. indicates that nearly 29 percent of untrained end users are susceptible to phishing attacks and will fail phishing tests. However, after one year of monthly simulated phishing tests and regular training, that rate drops to as low as 1 percent. That shows a real change in user behavior and illustrates why training programs like the one offered by TPx are so valuable.”
“Training is outside the skillset for most IT admins, and the level of effort to set up and run a program of training courses, compliance accreditations and phishing simulations can be daunting. To help you get started, here are our top 5 recommendations for starting your security awareness program so you can maximize the impact of your efforts.
- Get buy-in from stakeholders: While you probably already have some combination of security tools in place, such as endpoint protection, DNS or web filtering, etc., the 2020 Verizon Data Breach Investigations Report states that phishing and social engineering are still the primary tactics used in successful cybersecurity breaches. Make sure your stakeholders understand these threats. Send an email introducing the program to management and clearly explain the importance of educating users and measuring and mitigating your risk of exposure to phishing and other social engineering attacks.
- Start with a baseline phishing campaign: When you run your first phishing campaign, you establish your starting point for measuring and demonstrating improvement over time. (You can also use this real-world data to accurately show the need for improvement to any still-skeptical stakeholders.) Ideally this initial campaign should be sent to all users without any type of forewarning or formal announcement, including members of leadership teams. Make sure to use an option that simply shows a broken link to users who click through, instead of alerting them to the campaign, so you can prevent word-of-mouth between employees from skewing the results.
- Set up essential security and compliance training: Create training campaigns to cover essential cybersecurity topics including phishing, social engineering, passwords and more. Establish which compliance courses are appropriate (or required) for your organization and which employees need to complete them.
- Establish a monthly phishing simulation and training cadence: Repetition and relevance are key for a successful security awareness training program. By setting up a regular simulation and training schedule, you can more easily measure progress and keep an eye on any high-risk users who might need extra attention. Using our shorter 4-5-minute modules in between more substantial training is an effective tactic to keep security top of mind while avoiding user fatigue. And if you can’t run phishing simulations monthly, strive for a quarterly cadence. If you get pushback on sending emails to everyone, then we recommend you prioritize testing users who failed the previous round.
- Communicate results: A great way to raise awareness and increase the impact of your phishing campaigns is to share the results across the organization. Keep in mind, the goal is to capitalize on collective engagement and share aggregate results, not to call out individuals. (Your “offenders” will recognize themselves anyway.)
The critical piece is seeing the statistics on where the organization stands as a whole. After the baseline phishing simulation, send out an email to all employees with the results and the reasoning for the campaign. Communicating these numbers will not only help show improvement over time, it’ll also demonstrate the value of the program overall and reinforce to employees that cyber resilience isn’t just IT’s job – it’s a responsibility we all share.”
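The five recommendations above lean on the same small set of numbers: a baseline click rate, the rate in later rounds, which users failed the previous round (to prioritize when a full send gets pushback), and an aggregate summary that can be mailed to everyone without naming individuals. The following Python script, added here as an illustration and not code from Computers Nationwide, TPx, or any vendor quoted on this page, shows one way to compute those numbers from simulation results. The record layout, field names, and all sample data are constructed assumptions; a real awareness platform exports its own format.

```python
"""Aggregate phishing-simulation results for awareness-program reporting.

Added example, not any vendor's tooling. Every record below is constructed:
one row per simulated email delivered, with the assumed fields
campaign / user / dept / clicked (followed the link) / reported (flagged it).
"""
from collections import defaultdict

# Constructed sample export: a baseline round with no forewarning, then a
# follow-up round after training. Same ten users in both rounds.
_RAW = [
    ("baseline", "u01", "sales",   True,  False),
    ("baseline", "u02", "sales",   False, False),
    ("baseline", "u03", "sales",   False, False),
    ("baseline", "u04", "finance", True,  False),
    ("baseline", "u05", "finance", False, True),
    ("baseline", "u06", "ops",     True,  False),
    ("baseline", "u07", "ops",     False, False),
    ("baseline", "u08", "ops",     True,  False),
    ("baseline", "u09", "exec",    False, True),
    ("baseline", "u10", "exec",    False, False),
    ("followup", "u01", "sales",   False, True),
    ("followup", "u02", "sales",   False, False),
    ("followup", "u03", "sales",   False, True),
    ("followup", "u04", "finance", False, True),
    ("followup", "u05", "finance", False, True),
    ("followup", "u06", "ops",     True,  False),
    ("followup", "u07", "ops",     False, False),
    ("followup", "u08", "ops",     False, True),
    ("followup", "u09", "exec",    False, True),
    ("followup", "u10", "exec",    False, False),
]
RESULTS = [
    {"campaign": c, "user": u, "dept": d, "clicked": k, "reported": r}
    for c, u, d, k, r in _RAW
]


def click_rate(results, campaign):
    """Fraction of delivered simulation emails whose link was followed."""
    sent = [r for r in results if r["campaign"] == campaign]
    if not sent:
        return 0.0
    return sum(1 for r in sent if r["clicked"]) / len(sent)


def report_rate(results, campaign):
    """Fraction of delivered simulation emails that users flagged/reported."""
    sent = [r for r in results if r["campaign"] == campaign]
    if not sent:
        return 0.0
    return sum(1 for r in sent if r["reported"]) / len(sent)


def dept_summary(results, campaign):
    """Per-department counts only; user identifiers never appear in the output."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in results:
        if r["campaign"] != campaign:
            continue
        bucket = counts[r["dept"]]
        bucket["sent"] += 1
        bucket["clicked"] += int(r["clicked"])
        bucket["reported"] += int(r["reported"])
    return dict(counts)


def retest_targets(results, campaign):
    """Users who clicked in the given round: the set to prioritize next round.

    This list is for the program administrator only; it is deliberately kept
    out of the all-hands report below.
    """
    return sorted({r["user"] for r in results
                   if r["campaign"] == campaign and r["clicked"]})


def improvement(results, before, after):
    """Relative reduction in click rate between two rounds (0.75 = cut by 3/4)."""
    b, a = click_rate(results, before), click_rate(results, after)
    return 0.0 if b == 0 else (b - a) / b


def all_hands_report(results, before, after):
    """Aggregate text suitable for emailing to every employee."""
    lines = [
        f"Phishing simulation results: {before} vs {after}",
        f"  click rate:  {click_rate(results, before):.0%} -> {click_rate(results, after):.0%}",
        f"  report rate: {report_rate(results, before):.0%} -> {report_rate(results, after):.0%}",
        f"  relative reduction in clicks: {improvement(results, before, after):.0%}",
        "  by department (sent / clicked / reported):",
    ]
    for dept, c in sorted(dept_summary(results, after).items()):
        lines.append(f"    {dept:<8} {c['sent']} / {c['clicked']} / {c['reported']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(all_hands_report(RESULTS, "baseline", "followup"))
    print("admin-only retest list:", retest_targets(RESULTS, "followup"))
```

The split between `all_hands_report` and `retest_targets` is the point: the organization-wide mail carries only rates and department counts, while the list of users to re-test in a reduced follow-up round stays with whoever runs the program.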
“These days, nobody is safe. But vigilance is your remedy. Here are several proactive ways you can curb ransomware through internal training.
- Host Training Sessions: Your users must understand that ransomware attacks may appear to come from someone they work with. Email addresses may look almost identical to your corporate domain. Emails may appear to have legitimate requests from co-workers. You must teach your team exactly how these scams work and show them examples so they can see for themselves how convincing an attack can look. Prepare some training materials and schedule a formal meeting to help teach users about ransomware and phishing—and their role in prevention.
- Message More, Email Less: While ransomware is typically the result of phishing attacks, other phishing emails contain devious works of social engineering. A surprisingly simple way to prevent successful phishing emails is to rely less on email for internal communications. Many businesses will instead share their work and collaborate through productivity apps like Slack or Microsoft Teams. When peer-to-peer messages are hosted inside a secure platform, it’s much more difficult for scammers to succeed.
- Test Users With Fake Phishing Attacks: Teaching users is one thing. Testing them is another. Since ransomware often comes through email, consider using a tool that allows you to send fake phishing emails to your users. This is a great way to find out who’s being vigilant and who might need some extra help spotting ransomware. Many of these tools also allow you to conduct other kinds of security-focused tests so users can be prepared for many kinds of threats.
- Teach Users About Spam Filters: Spam filters from vendors like Barracuda are a great way to make sure ransomware emails never make it into user inboxes at all. With quarantine features, it’s easy for users to review sketchy emails without worrying about clicking on something they shouldn’t. If you haven’t implemented one already put a spam filter in place and make sure users understand how to use it effectively.
- Teach Decision Makers About Effective Backup and DR Plans: Decision makers in your organization must understand the ransomware threat. It’s up to you to show them what it takes to keep your business safe should education and proactive measures fail. Make sure they know that backups can save the day if a user mistakenly invites ransomware into your network. Restoring a recent backup is the best way to get data back without paying cyber-scammers. Be sure your plan includes concrete goals: Recovery time objectives (RTO) ensure that if you do get hit by a ransomware attack, you can restore your data before downtime is too much to take. Meanwhile, a recovery point objective (RPO) will ensure that you’re never losing more data than you can tolerate.”
Don’t let your employees fall for an attack! In addition to implementing the most reliable cyber security solutions available today, we highly recommend that you empower your people for success with comprehensive cyber security awareness training.
Arming your team with the best security practices is a wise decision that will benefit your business immensely. Now is not the time to slack off. Hackers aren’t taking a break and neither are we!
“As prominent attacks and the flow of threats continue, SMBs will look to MSPs to protect their businesses and help them achieve cyber resilience. This creates a unique opportunity for MSPs to guide customers through the maze of cybersecurity and data protection solutions and ensure they are receiving relevant education on protecting the business. MSPs can ensure that customers have defense in depth by offering ongoing security awareness training as well as endpoint protection.” Webroot
As you can see, there are a variety of reasons to implement cyber security awareness training at every organization, no matter how small or large your business is. Protect your workplace with essential, innovative solutions from our network partners and feel confident as your organization stays ahead of attacks!
According to Security Magazine: “Over 65% of employees think that large businesses are more likely to be victims of a cyberattack than small businesses. While cybersecurity has become an increasingly important focus for small businesses around the world, the survey suggests there is still a lack of understanding about the most vulnerable types of organizations, which could potentially lead to employees letting their guard down.
“Every organization has a responsibility to provide employees with a secure setup, whether they’re office-based or working from home. This secure setup is not just hardware and software, it also extends to training,” said Lindsey Pyle, VP SMB at Avast. “There is a heightened reliance on information sharing by IT and security departments as bad actors increase the volume of attacks intended to deceive unsuspecting employees.
For example, updates on the latest phishing campaigns and how to spot spear phishing emails should be consistently communicated across a company to prevent data breaches and infections from malware. The findings from our survey indicate there’s room to improve the dissemination of information to small business employees. SMB owners should put in place clear policies for employees to follow to help them gain a better understanding of what constitutes good security practice, and that they are not to blame should something go wrong.”