We live in a very different world today than we did just a few short months ago. With many people working from home, the line between home and office technology has never been as blurred as it is today. Securing today’s workforce could not be more complicated, presenting new challenges that require rapid adaptation and new tactics — however, the basics still stand.
Cybersecurity training for our clients, focused on proficiency in recognizing, identifying, and responding to threats, is a basic measure that always pays dividends.
In every briefing I have received from my FBI and Secret Service partners, the topic of training end users is discussed.
The reason is that, no matter how well the technology works, we (the humans) remain exploitable because we all have vulnerabilities.
The most exploited human vulnerabilities are:
1. Ignorance – not knowing cyber thieves’ tactics makes us susceptible to their schemes.
We know the common burglar will exploit a door without a lock, so we make sure our exterior doors have locks and we use them. The same goes for our digital life.
When we take the time to learn cyber thieves’ tactics, we become a human firewall capable of stopping attacks that get past the technical controls.
2. Emotion – our initial reaction to an e-mail can often be weaponized and turned on us.
Cyber thieves know this, so they send us e-mails designed to make us angry or scared. In our fear or anger we take the bait and make the next move they want us to make.
That is how we end up clicking a link to “verify” our bank password, or opening the attached invoice for an amount we are sure we do not owe.
Recently, I received a voice message from my power company telling me that my electricity would be cut off if I did not bring my account current. They left a number to be called within 30 minutes, hoping I would fall for their scheme.
3. Resignation – believe it or not, I still see clients who have pretty much given up, resigned to the idea that we are all vulnerable so there is no point in protection.
One is so far gone that his passwords are STILL on the list of compromised passwords and it does not seem to matter to him!
Keeping these common vulnerabilities in mind, how can we use cybersecurity training to address them?
Here are 3 key steps to successfully implementing training with clients:
1. Do it regularly – there are many good products that will automatically deliver training on a weekly, monthly, or annual basis.
They will also quiz each user and report which users are most at risk. Because delivery is automated, it costs the administrator little effort and the cadence stays consistent.
Many professions also have regulatory, contractual, or legal requirements to complete regular training, and our services can often satisfy them.
Regular cybersecurity training for clients is critical because repetition is what makes the lessons stick. In addition to commercially available training programs, we have employed an e-mail sequence using our e-mail marketing tool.
This sequence includes a rotation of 50 weekly tips that subscribers receive each Monday at 8am.
This way, they will start the week with a cyber security reminder fresh on their minds and you can even use the sequence as a prospecting tool!
2. Perform surveillance – this piece is, in my opinion, the crown jewel of a comprehensive protection and training program.
Dark Web Monitoring lets clients see that a password tied to their e-mail address has turned up in a publicly circulated breach database, and the effect on the end user can be sobering.
It is akin to being warned that your car key was copied and that you should have the locks and ignition re-keyed. It also reinforces the training and reminds clients why re-using a password across sites is dangerous: one breached site exposes every account that shares that password.
As with training, commercial products are available for resale and can be re-branded or co-branded.
We use multiple products with differing sources to ensure a comprehensive view of the threat landscape. It is not rare for one system to alert but not another, or to have one system alert sooner than the other.
The key here is to have at least one in place – and don’t forget to eat your own dog food!
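As an added illustration of what the monitoring step actually does with a feed (example code written for this page, not a product the author uses or sells), the following Python correlates two hypothetical breach feeds against one client domain, separates genuine password re-use across sites from the same breach being reported twice, and shows which accounts only one feed would have caught. All feed names, site names, addresses and passwords are constructed for the example; the corpus stores plain SHA-1 hashes only as a simplification, since real dumps arrive in many formats.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Hash a password the way this toy corpus stores it (unsalted SHA-1).
    Real dumps vary in format; a production feed normalises that for you."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed records from two hypothetical monitoring feeds.  Each record is
# (feed name, breached site, exposed e-mail address, SHA-1 of the exposed password).
# None of these addresses or passwords come from a real breach.
FEED_A = [
    ("feed-a", "shop-site", "alice@example.com", sha1_hex("Summer2020!")),
    ("feed-a", "shop-site", "bob@example.com", sha1_hex("hunter2")),
    ("feed-a", "shop-site", "carol@other.org", sha1_hex("password")),  # not our client
]
FEED_B = [
    ("feed-b", "forum-site", "Alice@Example.com", sha1_hex("Summer2020!")),  # alice reused her password on a second site
    ("feed-b", "shop-site", "bob@example.com", sha1_hex("hunter2")),         # same breach, reported by a second feed
    ("feed-b", "forum-site", "dave@example.com", sha1_hex("letmein")),       # only feed-b saw this one
]


def correlate(domain, *feeds):
    """Correlate every feed against one client domain.

    Returns {email: {"sources": [...], "sites": [...], "reused": bool}}.
    "reused" is True when the same password hash for that address appears at
    more than one distinct site, which is the re-use-across-sites pattern the
    training warns about.  Two feeds reporting the same site is not re-use.
    """
    suffix = "@" + domain.lower()
    seen = defaultdict(lambda: {"sources": set(), "sites_by_hash": defaultdict(set)})
    for feed in feeds:
        for source, site, email, pw_hash in feed:
            email = email.lower()  # feeds differ in case; normalise before matching
            if not email.endswith(suffix):
                continue
            seen[email]["sources"].add(source)
            seen[email]["sites_by_hash"][pw_hash].add(site)
    report = {}
    for email, rec in seen.items():
        all_sites = set().union(*rec["sites_by_hash"].values())
        report[email] = {
            "sources": sorted(rec["sources"]),
            "sites": sorted(all_sites),
            "reused": any(len(sites) > 1 for sites in rec["sites_by_hash"].values()),
        }
    return report


def single_source_accounts(report):
    """Accounts that only one feed alerted on: the reason to run more than one feed."""
    return {email: rec["sources"][0] for email, rec in report.items() if len(rec["sources"]) == 1}


def password_is_exposed(password, *feeds):
    """True if this password's hash appears anywhere in the corpus, regardless of account."""
    target = sha1_hex(password)
    return any(pw_hash == target for feed in feeds for _, _, _, pw_hash in feed)


if __name__ == "__main__":
    result = correlate("example.com", FEED_A, FEED_B)
    for addr, rec in sorted(result.items()):
        flag = "  <-- same password on several sites" if rec["reused"] else ""
        print(f"{addr}: seen in {', '.join(rec['sources'])} ({', '.join(rec['sites'])}){flag}")
    print("Missed with only one feed:", single_source_accounts(result))
    print("'hunter2' exposed:", password_is_exposed("hunter2", FEED_A, FEED_B))
```

Running it shows alice flagged for re-use (same hash at two sites), bob not flagged even though two feeds reported him (one site, reported twice), and dave as the account a single-feed setup would have missed. The `password_is_exposed` check is the mechanical version of "your password is STILL on the compromised list": hash the candidate and look for it in the corpus.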
3. Spot check – run regular simulated phishing attacks.
The simulated attack should be run without forewarning anyone in the organization (but with at least one executive’s written consent), and a well-crafted one will usually catch at least one or two people.
Running the attack gives you additional surveillance on which end users are higher risk and should get additional client cybersecurity training attention.
Be sure to preview the simulated attacks, as some providers use dated e-mails that are easy to spot. Also, be strategic and launch the attacks in a staggered fashion.
The effect is diminished if someone “catches on” and spreads the word. Finally, be as random and discreet as possible.
The more natural the exercise appears, the better the data you will capture, and the better the odds that you can properly target your higher-risk end users with the training and resources they need to protect the organization.
It is important to note that there are no silver bullets. One other human vulnerability we are dealing with is the feeling of helplessness that can come from being the victim of an attack or from failing a simulated phishing attempt.
The key here is to understand that the goal is to get iteratively better and not to be punitive. It is only in such a growth environment that cybersecurity training can thrive and become an effective tool against cybercrime.
Angel Rojas, Jr. is a member of the ASCII Group. Learn more about them here.