Information & Cyber Security Awareness

We’ve heard it many a time that the weak link in cybersecurity is the human component. This, coupled with the rise and rise in the number and sophistication of cyber-attacks, should ring a bell in someone’s head at corporate. Do not shortchange your staff on effective Information Security training, because you’ll only be shooting yourself in the foot. The main word that should stand out in the last point is EFFECTIVE. I have come across all manner of Information Security training in my day and most are just a re-hash of what the last one was saying. If the method was effective that wouldn’t be a problem, but the copy-and-paste methods are hastily drawn together with no in-depth look into their suitability for the target audience. The most grievous offenders are the ones that take the one-size-fits-all approach, cramming in jargon after jargon. I believe that thought must be put into Information Security awareness training, as there are deviations in people and processes across different sectors and individual organizations. In a nutshell, the most effective security solution is training. You want your staff to recognize attacks and make the right decisions, but you don’t want to give them so much information that you overwhelm them.

Looking at Proofpoint’s State of the Phish Report 2020, a lot of things jump out at you. For instance, a significant number of workers worldwide have little to no understanding of what cybersecurity professionals may consider basic terminology. In fact, only 61% understood the term phishing, with just 31% familiar with ransomware. If you update the terms to reflect more modern threats, there’s yet more grim reading. Just 30% of the global workforce understand the term smishing, and only 25% were familiar with vishing. But like I stated, knowledge of jargon is not a measure of Information Security awareness; the basics like these, though, are a definite need-to-know. There is a common perception that Millennials and Gen X’ers rule the roost when it comes to new technology and that this automatically translates to Information Security. Yeah, nope, they seem to have missed the memo. These numbers are quite concerning to say the least. Far from ushering in a new breed of security-savvy employees, those under 40 are less informed about basic security threats. Just 47% of those aged 18 to 22, and 55% aged 23 to 38, recognized the term phishing, compared with 65% and 66% of those aged 29 to 54, and 55+, respectively. This can only suggest a sheer lack of awareness in basic cybersecurity knowledge.

  • Security awareness program success factors  

1. Evaluating the threat landscape. 

2. Training employees to recognize a phishing attack with different examples. A recent Microsoft Security Intelligence Report claims a massive 250% increase in phishing attacks from the previous year and indicates that phishing attacks are now, by far, one of the most frequent attack vectors in an organization.

3. Getting creative with content and keeping things interesting. Most people roll their eyes when training is mentioned. 

4. Training is a continuous process. 

5. Turning to data to measure effectiveness because having a process to measure training and awareness effectiveness is essential. One approach to measuring the impact of training is by counting the number of security incidents that have befallen your organization before you implement your formal training program, and then quarterly afterward. 

6. Ensure your program is compliant with regulations. 

7. Get C-level buy-in. 

Any cultural change starts at the top of the organization. 

  • Security awareness efficiency  

First off, as mentioned in the section above, it is crucial to start by cultivating a security-first culture through a continuous, company-wide training program that acknowledges everyone’s role in keeping your organization safe. We often talk about the consequences of poor cybersecurity from a business point of view. Rarely do we discuss the consequences of bad practice on individual employees. That said, the consequence training model is gaining traction as organizations have started punishing users who regularly fall for phishing attacks. Consequences can range from additional in-person training to official warnings and monetary penalties. Entities are very wary of punishing workers for mistakes, fearing that it may foster unneeded negativity around cybersecurity training. However, proponents of the consequence model believe that without some form of deterrent, users may not take their responsibilities seriously. 

Start by cultivating a security-first culture. This means a continuous, company-wide training programme that acknowledges everyone’s role in keeping your organization safe. Everyone must feel and know that they are in this together and cannot be the weak link in the chain. 

With this as a foundation, you can then provide tailored training to those who are most actively targeted by cyber threats. These are sometimes referred to as your VAPs (Very Attacked People). By knowing where an attack is most likely to originate, countermeasures to stop or mitigate the threat can be put in place.

Measuring training effectiveness is the final step in assessing whether the learning process inspired users to apply what they have learned. 

  • Did they transfer lessons learned to their jobs?  
  • Did training produce results (e.g., fewer cyber-attack breaches, fewer cyber-related losses)?  
  • What is the return on investment associated with any reduction in cybersecurity attacks? 

This information derived from targeted training programs provides invaluable feedback for improving program content, methods, outcomes, and results. 
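To show what "turning to data" looks like in practice, here is an added example (not from the original post) that scores a constructed phishing-simulation log: click and report rates per quarter against the pre-training baseline, per-department click rates, and the repeat clickers who are candidates for the tailored VAP training described above. The log, the department names and the threshold are all made up for illustration.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed phishing-simulation log (not real data): (user, department, date sent, clicked?, reported?)
SIM_RESULTS = [
    ("alice", "finance", date(2020, 1, 15), True,  False),
    ("bob",   "sales",   date(2020, 1, 15), True,  False),
    ("carol", "hr",      date(2020, 1, 15), False, True),
    ("dave",  "finance", date(2020, 1, 15), True,  False),
    ("alice", "finance", date(2020, 4, 20), True,  False),
    ("bob",   "sales",   date(2020, 4, 20), False, True),
    ("carol", "hr",      date(2020, 4, 20), False, True),
    ("dave",  "finance", date(2020, 4, 20), False, False),
    ("alice", "finance", date(2020, 7, 20), False, True),
    ("bob",   "sales",   date(2020, 7, 20), False, True),
    ("carol", "hr",      date(2020, 7, 20), False, True),
    ("dave",  "finance", date(2020, 7, 20), True,  True),
]

def quarter(d):
    """Label a date by calendar quarter, e.g. 2020-Q1."""
    return f"{d.year}-Q{(d.month - 1) // 3 + 1}"

def quarterly_rates(results):
    """Click rate and report rate per quarter: the trend the program is judged on."""
    totals = defaultdict(lambda: [0, 0, 0])   # sent, clicked, reported
    for _, _, sent_on, clicked, reported in results:
        t = totals[quarter(sent_on)]
        t[0] += 1; t[1] += clicked; t[2] += reported
    return {q: {"sent": s, "click_rate": round(c / s, 3), "report_rate": round(r / s, 3)}
            for q, (s, c, r) in sorted(totals.items())}

def reduction_since_baseline(results, baseline, later):
    """Relative drop in click rate from the pre-training quarter to a later one."""
    rates = quarterly_rates(results)
    before, after = rates[baseline]["click_rate"], rates[later]["click_rate"]
    return round((before - after) / before, 3) if before else 0.0

def department_click_rates(results):
    """Click rate per department, to see where tailored content is needed most."""
    sent, clicked = Counter(), Counter()
    for _, dept, _, was_clicked, _ in results:
        sent[dept] += 1; clicked[dept] += was_clicked
    return {d: round(clicked[d] / sent[d], 3) for d in sorted(sent)}

def repeat_clickers(results, threshold=2):
    """Users who clicked at least `threshold` lures: the VAP shortlist for tailored training."""
    hits = Counter(user for user, _, _, clicked, _ in results if clicked)
    return sorted(u for u, n in hits.items() if n >= threshold)
```

A rising report rate alongside a falling click rate is the signal that lessons transferred to the job; a flat click rate in one department points at content that needs reworking rather than more of the same.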

  • Security awareness program content  

Security awareness program content should contain these topics as a baseline, with more being added when dealing with specialized or targeted information security awareness programs. As I cannot go into detail, this is only a sliver of what is needed as a starting point.

Email scams (SPAM, Phishing, Spoofing, etc.)  

Malware (adware, bots, bugs, rootkits, spyware, Trojan horses, viruses, worms, etc) 

Password security (password length, complexity, expiration, and non-reusability) 

Removable media dangers (data security, malware infections, copyright infringement, hardware failures) 

Safe internet habits (keep personal information professional and limited, keep your privacy settings on, practice safe browsing, make sure your internet connection is secure, be careful what you download, choose strong passwords, etc) 

Social networking dangers (overexposure of sensitive {personal or official} information via location data, pictures & videos or just by running your mouth, etc)  

Physical security and environmental controls 

Clean desk policy (passwords, official & personal documents, etc should not be left on your desk) 

Data management and privacy  

Bring-your-own-device (BYOD) policy 

Social Engineering (a topic that I believe is regularly overlooked and skimmed through, even though most phishing attacks can be classed as social engineering) 

  • Security awareness by eLearning  

With the issues surrounding COVID-19 (especially working from home) coming to the fore in the past few months, this has really sped up an already buoyant sector, eLearning. The use of eLearning was already on the rise, and the issues surrounding COVID-19 have just accelerated that further.

I believe that eLearning will streamline Information Security awareness training greatly, BUT, and it’s a big but, most of these eLearning offers might not be exactly what you need for your organization or personnel.

A hybrid approach will work well to support any specific deficiencies that the eLearning approach might have. 

At the same time eLearning comes with many benefits that other approaches cannot match. 

Benefits of eLearning 

1. Flexibility for Employees 

2. Customized Learning Experiences 

3. Enhanced Learning 

4. Reduced Costs  

5. Detailed Feedback and Reporting 

Security awareness while working from home

As we all know by now, working from home is no longer the exception but the rule, whether it be a temporary inconvenience or a permanent fixture in our lives moving forward.

These are just a few tips to help keep your data and yourself secure during this time. If you have a chance to go out to a coffee shop or something, avoid public Wi-Fi; if necessary, use personal hotspots or some way to encrypt your web connection. 

Try to keep work data on work computers. Do not start mixing and matching the devices used for work and your own personal devices. You might be held liable for exposing sensitive data as per company policy. 

Encrypt sensitive data in emails and on your device. If I’m being totally honest, this is something the ICT guys at the office should’ve set up, be it full disk encryption + LVM (Linux) or BitLocker (Windows).

Sending emails with sensitive data is always going to be a risk. They could be intercepted or seen by a third party. If you encrypt the data attached to an email, it will prevent an unintended recipient from viewing the information. Also, be sure your device is set to keep all stored data encrypted, or to be erased, in case of theft.

Don’t forget to lock your doors. It might seem like a common sense thing, but I have seen people taking pictures all over their homes showing all of their sensitive equipment like access points, locks, etc. Showing off things like that is a call to action for thieves and malicious actors. Especially if you are being targeted because of a position you hold in your office or in government. This post gives a candid view of this issue. (https://www.linkedin.com/posts/dorian-collier1_samsunggalaxys20-cybersecurity-computersecurity-activity-6647066411845853184-Sty1) 

Also, as a rule of thumb, never EVER leave your devices or laptop in the car, and do not use random thumb drives. These are definitely common-sense moves that we all should follow. Leaving your electronic device unattended in a public space is also a serious security faux pas. It could lead to device theft, tampering, bugging, and a host of other compromises.

Always remember this, when it comes to information security awareness simplicity is key! 


Dorian Collier 

Cybersecurity Analyst 

 Sierra Leone 
