Well folks, summer is officially about to begin in just a little over a week!!! To me, it has already started. With the rush of warm weather upon us, many people all over this great land of ours will be outside, especially during the long weekend of the 4th of July.
But unfortunately, as states have started to reopen, the cases of COVID19 have also gone up dramatically. Because of this, the financial markets took a huge dive late last week.
I do have my opinions on this, but I think that would be best left for a personal blog. Anyway, as employees and clients start to return to the brick and mortar type of setting, there are a number of key issues that CIOs and CISOs will be (or at least should be) addressing. One of them is the need for Security Awareness training for employees.
This is an aspect that I have touched upon before, but given the way the shift to working from home (WFH) transpired, the messaging delivered in the training will have to be fine tuned and changed so that employees will actually remember what they have been taught in case another wave of COVID19 hits.
Because of this pandemic, the Cyberattacker now has a much greater attack surface to prey upon, and is especially using fear and panic techniques in order to lure victims into giving up their Personally Identifiable Information (PII).
But whatever lure is being used, the same threat vectors are still out there; they have simply been reworked in such a way that it is close to impossible, even for a seasoned Cyber professional, to tell the difference between a legitimate website and a spoofed one.
For example, Phishing attacks, especially in the form of Spear Phishing and Business Email Compromise (BEC), impacted 90% of all companies in 2019. This is according to a recent study that was conducted by a Cyber company known as Proofpoint. Their study can be downloaded at this link:
But as mentioned previously, your Security Awareness Training program has to be made specific to what your company has experienced so far this year. You simply cannot copy a program that another company has used, because more than likely it will not work for you. So, how exactly do you craft your Security Awareness training program? Here are some insights:
*You need to identify the risk(s) that you have experienced, are experiencing, and what you will anticipate for the future:
Obviously, during these few months you have probably experienced things in terms of Cybersecurity that perhaps other companies have not. In this regard, once you are back at the office, you really need to conduct a detailed Risk Assessment study to see what has transpired, and which of your digital and physical assets are at high risk for a Cyberattack. Of course, once you have this information and data at hand, your first priority is to shore up your lines of defense so that the chances of these high-risk assets being hacked are substantially reduced. But you can also take the results of the Risk Analysis and use them to specifically hone the messaging to your employees. For example, if you discover that your database servers are at high risk, then not only do you need to implement Multifactor Authentication (MFA) to protect them, but from there you need to hone your Security Awareness training program so that you teach your employees how to use the MFA tools effectively, so that if they have to WFH again, they can access the shared resources that reside on those databases in a safe and secure manner. Obviously, you do not want to disclose to your employees what the Risk Analysis revealed in your Security Awareness training, but you get my point.
*Change the behavior of your employees:
Ok, I have to admit that this is probably the hardest thing that can be accomplished in a Security Awareness Training program. You want your employees to feel motivated about maintaining a proactive mindset, and they should also walk out of that session immediately starting good habits of “Cyber Hygiene”. But you are dealing with the minds of other people, and of course you cannot force them to change, unless you threaten them with job loss or other disciplinary actions if they do not abide by your Security Policies. But invoking fear only works to a certain extent, and in the end it will only backfire on you and make things even worse. So, why not take the flip side of this, and motivate your employees with praise, compliments, and even extra financial compensation to reward them for keeping up good “Cyber Hygiene” habits? In a way, this can be viewed loosely as bribery, but in today’s world, this is the only thing that will truly work for you. Obviously, all companies, no matter how large or how small, are trying to conserve cash flow the best way they can. Your compensation to your employees does not have to be elaborate; a simple gift card to Panera Bread or Starbucks will do the trick. Remember, the human spirit has been designed in such a way that even small amounts of recognition and reward go an exceptionally long way. Try this out and see what happens. You will be incredibly surprised. Also, during the course of the Security Awareness Training program itself, you need to keep your employees motivated. This can be done by creating a sense of competitiveness, by implementing the concepts of “Gamification”.
*Cut down on the amount of Cyber risk exposure:
There are many ways that this can be done, and in all honesty, your best bet would be to hire a seasoned Cybersecurity consultant to help you out with this, especially a vCISO. On the technical side, of course you can implement firewalls, routers, network intrusion detection devices, etc., whatever you deem necessary. But keep in mind that the more tools you deploy, the more of a nightmare it is going to be for your IT Security staff to keep up with the constant bombardment of warnings and messages they get from them. For example, many of them will produce false positives, which have no real significance behind them. So in this regard, you probably should implement some Artificial Intelligence (AI) tools that will help your IT Security team weed through all of these false positives, thus reducing the phenomenon known as “Alert Fatigue”. You should also make use of what is known as a “Security Information and Event Management” tool, also known as a “SIEM”. This can connect easily to your AI tools so that all of the real messages and warnings can be accessed and viewed from one central point. But try this old traditional method as well: why not also implement a dedicated phone number and Email address so that employees in your company can anonymously report any suspicious behavior? This will come in very handy, especially when it comes to reporting Insider Attacks, which are so difficult to pick up and detect. Remember, in the end, that technology will only carry you so far; you need human eyes (and lots of them) also.
*You need to implement metrics:
Yes, I am a person that hates to be judged by metrics to the core. But guess what? You need them in order to determine how well your Security Awareness training is progressing. So, here are some key metrics that you should consider collecting after each and every training session that you hold:
*The number of Phishing Emails that have been reported should increase. On the surface that looks like a bad trend, but it is actually a good thing: it means that your employees are recognizing to a much greater degree what a Phishing Email looks like, and are either deleting them or forwarding them to your IT Security team for further review. Measure the reports against the total number of Phishing (or simulated Phishing) Emails that were delivered, so that a rise in reports reflects better recognition rather than simply more attacks.
*If your employees are truly maintaining good levels of Cyber Hygiene, then over time you should see a decrease in the number of Cyber incidents that your company is experiencing (for example, fewer employees clicking on a simulated Phishing link).
*If the above-mentioned metric holds true, then the total number of hours that your IT Security team spends on resolving Cyber issues should decrease over time as well.
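Here is an added example (my own code, not part of the original post) of how those three metrics can be tracked in practice. It assumes you run a simulated Phishing campaign after each training session, so that the number of Emails delivered is a known denominator, and that IT Security logs the hours it spent on Cyber issues during that period. The campaign figures below are constructed for illustration only.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Campaign:
    """One simulated Phishing campaign run after a training session (constructed data)."""
    session: str        # label of the training session the campaign followed
    sent: int           # simulated Phishing Emails delivered (the denominator)
    clicked: int        # recipients who clicked the lure link
    reported: int       # recipients who forwarded the Email to IT Security
    hours_spent: float  # IT Security hours spent resolving Cyber issues that period


def rates(c: Campaign) -> Dict[str, float]:
    """Click rate and report rate for one campaign, guarded against an empty send."""
    if c.sent <= 0:
        return {"click_rate": 0.0, "report_rate": 0.0}
    return {
        "click_rate": round(c.clicked / c.sent, 3),
        "report_rate": round(c.reported / c.sent, 3),
    }


def evaluate(campaigns: List[Campaign]) -> Dict[str, object]:
    """Check the three trends from the post (reports up, clicks down, hours down)
    between the first and the latest campaign, and flag any session after which
    the click rate went back up, since that session needs a follow-up."""
    if len(campaigns) < 2:
        raise ValueError("need at least two campaigns to measure a trend")
    first, last = rates(campaigns[0]), rates(campaigns[-1])
    regressions = []
    prev_click = first["click_rate"]
    for c in campaigns[1:]:
        click = rates(c)["click_rate"]
        if click > prev_click:
            regressions.append(c.session)
        prev_click = click
    return {
        "reports_up": last["report_rate"] > first["report_rate"],
        "clicks_down": last["click_rate"] < first["click_rate"],
        "hours_down": campaigns[-1].hours_spent < campaigns[0].hours_spent,
        "regressions": regressions,
    }


# Constructed sample: four bimonthly campaigns; the "Jun" session is deliberately
# worse than "Apr" so that the regression flag has something to catch.
SAMPLE = [
    Campaign("Feb", sent=400, clicked=72, reported=36, hours_spent=30.0),
    Campaign("Apr", sent=400, clicked=52, reported=64, hours_spent=24.0),
    Campaign("Jun", sent=500, clicked=80, reported=110, hours_spent=26.0),
    Campaign("Aug", sent=500, clicked=35, reported=160, hours_spent=18.5),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.session, rates(c), f"{c.hours_spent:.1f} h")
    print(evaluate(SAMPLE))
```

The point of the regression list is that the first-to-last comparison alone can hide a session that did not land: in the sample, "Jun" pushed the click rate back up even though the overall trend is positive, which is exactly the session whose content you would want to revisit before the next cycle.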
My Thoughts On This
Well, there you have it, four key takeaways that you can use in order to help you to create an effective Security Awareness training program. But there are some key things you have to keep in mind.
First, as mentioned, you must shape your training so that it specifically meets the needs of your business and your employees. It is especially important to get away from the “One Size Fits All” way of thinking.
Second, you simply cannot hold one training session and call it quits. You have to keep doing it on a regular cycle; I would say at least once every two months.
Third, keep your training programs short, about 30 minutes in length (about as long as most people will stay attentive in a session). Keep your training easy to understand, fun, and engaging.
Fourth, keep fine tuning your techniques so they reflect the most recent trends from the Cyber Threat Landscape.
Think these tips do not work? Well, the study cited previously found that, over time, 78% of the respondents witnessed a decrease in the total number of Phishing attacks experienced.