I’m sitting at my desk checking email and notice I’ve received a message from my favorite coffee shop: “We appreciate you being a loyal customer. To say thank you, click the link below for a $10 gift certificate.” As I eagerly prepare to redeem my reward, I hear that voice in my head saying, “BEWARE!”
The scenario above is played out thousands of times every single day and is referred to as a phishing attack. The attacker is using this scheme to get you to click so that malware or other devious software can be downloaded to your computer. Afterward, all chaos could break out, or the attacker could stay silent and collect valuable data that you would never knowingly provide, such as credit card or bank account login information.
In another phishing example, you receive an email from an executive in your company: “Hey Bob, I need the attached invoice paid immediately. I’m currently on the road, so please take care of this. The company will reimburse you.” Bob, being a good soldier, puts the “invoice payment” on his credit card only to see his manager walk by ten minutes later.
There are numerous other schemes hackers use to get the unjust reward they seek, the majority of which can be handled via a strong cyber defense. If your organization has an IT department with knowledgeable resources, or if your organization contracts with a managed service provider, the reasonable assumption is that they are taking the necessary steps to keep the intruders out. However, caveat emptor, let the buyer beware. My strong recommendation is to have a trusted cybersecurity professional evaluate your internal or external service provider offering so that any gaps or inadequacies can be identified and remedied.
However, a strong cyber defensive posture alone is not enough. Most industry experts agree that a large percentage of cyberattacks start with human error inside the organization. Said in simpler terms, we may have a strong defense but we tend to invite the intruders in. Clicking on links we shouldn’t click on, responding to unusual or inappropriate requests, maintaining weak passwords, unknowingly releasing company confidential information, inadequate wireless access control, inappropriate web browsing and numerous other mishaps become a huge welcome sign to the unlocked doors that intruders are looking for.
We often make their jobs easier without even knowing it. What’s the solution for such an ongoing dilemma? Cybersecurity end-user awareness training.
Training topics and approach
Cybersecurity end-user awareness training focuses on the “end-user” of your organization’s IT Services. This excludes the typical IT professional, with the assumption that the IT resources are well aware of cybersecurity best practices. End-user awareness training focuses on those IT service users that may not be cyber aware and need an ongoing reminder of good cybersecurity hygiene.
There are a number of approaches to providing cybersecurity end-user awareness training to your organization, but I’d like to focus on two, each of which involves bringing in a subject matter expert and certified instructor to assist in the planning and delivery of such training.
The first approach is instructor-led training (ILT), where an instructor comes to your facility and delivers a half-day or full-day session. This could also be delivered as a virtual instructor-led training (VILT) online session. The value of VILT is that it is a dedicated session with everyone together (or multiple sessions for larger organizations). The course can be customized to your organization’s specific needs, and these sessions typically generate a lot of discussion among the group participants. Disadvantages include business interruptions, participants getting pulled out, and the fact that the amount of material covered in a short amount of time can be difficult to absorb. Although attendees get a lot out of these sessions, many return to the same old bad habits shortly after the training.
My personal preferred approach is working with your cybersecurity professional(s) to develop an ongoing training program designed specifically for your company. Training topics and training paths can be laid out for individual departments, training progress and knowledge checks can be tracked, and adjustments can be made based on identified vulnerable areas. Programs like this are typically presented on a learning management system (LMS) platform. The LMS includes several 15- to 20-minute sessions, which cover a much broader selection of topics than could be covered in a single 4- to 8-hour session. This approach allows you to set up schedules for training, perhaps one 20-minute topic per week or a couple a month, providing ongoing reinforcement of good cybersecurity hygiene.
A cybersecurity training program that allows you to cover a large range of topics, measure progress, simulate a wide range of attacks, measure human response, and customize and adjust as needed by the organization tends to have the biggest payback.
As always, if you have interest and/or need assistance with establishing such a program, don’t hesitate to reach out. I’m always happy to participate.