By: Nick Santora
With the outbreak of COVID-19, around the world we’ve seen a spike in another deadly force: cyber crimes. According to various reports, there’s been a 500% increase in cyber attacks since the Coronavirus turned our world upside down.
Some of these attacks are email phishing scams directly tied to COVID that prey upon frightened people. There have been reports of hackers posing as someone from the IRS or the U.S. Treasury, claiming to have a stimulus check ready but requiring “additional information,” a social engineering tactic used to lure someone into a scam.
Unfortunately, there’s no cure or vaccine in cyber security, and there’s no silver bullet in security training. Hackers are taking advantage of this difficult time we are all going through. We have seen so many phishing attacks targeting employees that are now part of a massive remote workforce, and the lack of cyber preparedness is apparent.
During the pandemic, IT heroes across the globe have been doing everything they can to keep employees productive while working remotely, but it is becoming harder and harder for IT teams to wear every single hat all while keeping their employees safe and secure online.
This is why now, more than ever, cyber security awareness is of the utmost importance. Your company’s employees have to become the first line of defense against potential hackers, and that is where security awareness comes into play.
Security awareness is very different from training. The definition of security awareness is having or showing realization, perception, or knowledge of cyber security concepts. Essentially this means surrounding your personnel with constant insights into cyber security risks.
With security awareness training, you’re teaching employees how to defend themselves with actionable tactics.
The #1 most effective cybersecurity strategy is to train your employees at every level in the company on what to look for in a suspicious email, potential phishing scam, or even a ransomware attack.
You may already know a lot about cybersecurity, but what about your employees and all the other members on your team? You’re all in this together to help defend against cyber threats. It’s about learning and working as a united front, because hackers only care about themselves.
However, most security awareness training is packed with technical terms, legal language, and boring, dry content. Bad security programs cause breaches, and IT leaders will spend more time cleaning up a breach than preventing one. Your employees tune out in ‘Death by PowerPoint’ presentations and try to simply complete their required training as quickly as possible. That’s not very helpful when they’re supposed to be learning new information about defending against hackers.
Just doing annual training for compliance isn’t going to cut it. How can you change the perspective so your employees get engaged and actually learn from their training? After all, you’re relying on them to help protect your organization from cyber attacks.
So how can your security awareness program be more effective? Well, let’s look at the big picture.
Phishing is getting a lot of attention right now, but how to stop it is not. A lot of CISOs and IT teams are treating the potential phishing problem like any other technology equation. It’s not.
Every employee needs to develop the soft skills required to recognize and block the bad guys who attempt to compromise someone through phishing and social engineering.
A phishing scam starts with the hacker targeting one or more employees. The hacker will send a suspicious email, often using strong language such as “urgent” or “action required” to compel your team member to act before thinking.
These tactics work all too well to convince someone to give up sensitive information, like their social security number or their credentials for a work account. The Marriott data breach that impacted approximately 500 million people started with just a few employees becoming compromised via email.
Security awareness and phishing prevention training go hand-in-hand. We have to teach people how to recognize and defend themselves against hackers. Phishing simulation tests are a great way to measure employees on their real-world ability to spot a potential cyber attack.
Constant communication helps, such as reiterating ‘see something, say something’ so that anyone who receives a suspicious email alerts management. Prevention of fraud starts at the frontlines, which is most often an employee’s email inbox.
In the next five years, we are going to have a major shift in the way we understand and educate employees on the topic of security awareness. Think of how much our society has evolved over the past decade. Our attention span is shorter than ever and content is coming at us from every possible direction. Adult learning needs to pivot to see any significant impact, especially when it comes to security.
This oversight truly comes from the executive team. It’s important for leaders in the C-suite to take ownership of their security awareness training program because, in the event of a data breach, guess who will be held responsible.
Executive leadership, IT, and even HR all need to work together to implement a security awareness training program for the whole company. A robust cyber security awareness training program includes the following:
- Content – educating your team on potential cyber threats
- Phishing tests – running email simulations to see how many employees would click or report the suspicious email
- Password management – making sure employees know how to protect their passwords using a password manager (‘vault’) and to not use passwords that are easy for someone to guess
- Audits – you may already run an annual audit for compliance, but what about a monthly check-in to ensure there are no new vulnerabilities in your systems?
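The phishing tests described above produce raw outcomes (who clicked, who submitted a password, who reported the email) that only become useful once they are turned into numbers a program owner can act on: the click rate, the report rate, how quickly the first report reached the security team, and which departments or individuals need follow-up. The following Python scorecard is an added example for this article, not Curricula's product or code; the campaign results, user names and departments in it are constructed, and the metric names are this example's own choices rather than any standard.

```python
"""Phishing simulation scorecard (added example; sample data is constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class SimResult:
    """One recipient's outcome in a simulated phishing campaign.

    Timestamps are None when the event did not happen. `reported_at` is when
    the user forwarded the mail to security or used a report button;
    `submitted_creds` means they typed a password into the fake landing page.
    """
    user: str
    department: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    submitted_creds: bool = False
    reported_at: Optional[datetime] = None


def scorecard(results: List[SimResult]) -> Dict[str, object]:
    """Summarise one campaign into the numbers a program owner acts on."""
    total = len(results)
    if total == 0:
        raise ValueError("no results to score")

    clicked = [r for r in results if r.clicked_at is not None]
    reported = [r for r in results if r.reported_at is not None]
    submitted = [r for r in results if r.submitted_creds]

    # A "safe" report is one made without clicking, or before clicking.
    # A report that arrives after the click still helps the security team,
    # but that account has to be treated as exposed.
    safe_reports = [
        r for r in reported
        if r.clicked_at is None or r.reported_at < r.clicked_at
    ]

    # Minutes from send to the first report: how quickly staff would have
    # warned the security team about a real campaign.
    first_report_minutes = None
    if reported:
        first = min(reported, key=lambda r: r.reported_at)
        first_report_minutes = (first.reported_at - first.sent_at).total_seconds() / 60

    # Per-department click rates show where to focus the next training cycle.
    by_dept: Dict[str, Dict[str, int]] = {}
    for r in results:
        d = by_dept.setdefault(r.department, {"sent": 0, "clicked": 0})
        d["sent"] += 1
        if r.clicked_at is not None:
            d["clicked"] += 1
    dept_click_rate = {k: v["clicked"] / v["sent"] for k, v in by_dept.items()}

    # Follow-up list: anyone who handed over credentials, or clicked and never
    # reported. Users who clicked but then reported already learned the lesson.
    follow_up = sorted(
        r.user for r in results
        if r.submitted_creds or (r.clicked_at is not None and r.reported_at is None)
    )

    return {
        "sent": total,
        "click_rate": len(clicked) / total,
        "report_rate": len(reported) / total,
        "credential_submit_rate": len(submitted) / total,
        "safe_report_rate": len(safe_reports) / total,
        # Reports per click; above 1.0 means more people raised the alarm than fell for it.
        "report_to_click_ratio": len(reported) / len(clicked) if clicked else None,
        "first_report_minutes": first_report_minutes,
        "dept_click_rate": dept_click_rate,
        "follow_up": follow_up,
    }


# Constructed sample campaign: hypothetical users, departments and timings.
_T0 = datetime(2020, 4, 6, 9, 0)


def _m(minutes: int) -> datetime:
    return _T0 + timedelta(minutes=minutes)


SAMPLE_RESULTS = [
    SimResult("alice", "finance", _T0, clicked_at=_m(3), submitted_creds=True),
    SimResult("bob", "finance", _T0, reported_at=_m(2)),
    SimResult("carol", "finance", _T0, clicked_at=_m(5), reported_at=_m(6)),
    SimResult("dave", "sales", _T0, clicked_at=_m(10)),
    SimResult("erin", "sales", _T0),
    SimResult("frank", "sales", _T0, reported_at=_m(15)),
    SimResult("grace", "it", _T0, reported_at=_m(1)),
    SimResult("heidi", "it", _T0),
]

if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_RESULTS).items():
        print(f"{key}: {value}")
```

The report rate and the time to first report matter as much as the click rate: a campaign where a third of staff click but the security team hears about it within a minute is in far better shape than one where nobody clicks and nobody reports, because the real attacks that get through filters will be caught by the people who speak up.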
Just like any other part of your business, pausing to look at potential pitfalls will help prevent bad outcomes. And especially during COVID, educating everyone about how serious these cyber threats are will help to keep them safer.
(The author is the Chief Executive Officer of Curricula, a US-based cyber security awareness training company)