Cyber Security Awareness: Employee Handbook
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Aug 29 2023
Aug 11 2023
A white hat hacker, with over 30 years of experience as a cybersecurity analyst at a major Silicon Valley company, talks about why he turned his back on black hat hacking for the greater good. He talks about the reality of just how vulnerable our systems are – from the very real threat of hackers taking the American power grid or medical facilities offline to how easily accessible our private information is to anyone with Wi-Fi and some time on their hands.
The number of businesses falling victim to ransomware attacks each year is snowballing. Hackers have realized how lucrative these attacks are, with ransoms in the millions regularly being paid out. This documentary examines how hackers make their money and how much a victim can lose. Cyber security experts tell us how cybercriminals carry out the attacks and who is helping them.
For weeks, a cyberattack paralyzed the German district of Anhalt-Bitterfeld in 2021, bringing its whole administration to a standstill. It was a stark illustration of how hackers can knock out entire communities in milliseconds — and how digital technology has become vital for running our societies. DW investigates how a criminal industry makes billions by taking computers hostage — and how governments can use similar methods as a political weapon.
A shadow war is a war that, officially, does not exist. Shadow wars are rising as mercenaries, hackers, and drones take over the role armies once played. States are evading their responsibilities and driving the privatization of violence. War in the grey zone is a booming business: Mercenaries and digital weaponry regularly carry out attacks while those giving orders remain in the shadows.
Millions of Australians have had their data stolen in malicious attacks, costing some businesses tens of millions of dollars in ransom. Four Corners investigates the cyber gangs behind these assaults, cracking open their inner operations and speaking to a hacker who says he targets Australians.
Look behind the cheerful veneer of social media, communication apps, and platforms that have made our lives easier and more connected, and you’ll find criminals using the same apps and platforms to run illicit and dangerous activities.
Singapore aims to be a “Smart Nation” but the more it depends on IT, the more it opens itself to cyber threats. This is the cybersecurity dilemma. Explore global incidents of cyber espionage, disinformation, disruption and pandemics and how they endanger nations.
In this documentary, learn about white hat hackers, and the U.S. Secret Service’s cybercrime division working to protect us from the risks associated with persistent connectivity.
The rise of cyber conflict as the primary way nations now compete and sabotage each other.
InfoSec tools | InfoSec services | InfoSec books
Jul 25 2023
The lack of resources can pose significant risks to security in various contexts, including personal, organizational, and national security. Here are some ways in which a lack of resources can impact security:
To mitigate these risks, it’s crucial for individuals, organizations, and governments to recognize the importance of investing in security measures and resource allocation. Proactive planning and strategic allocation of resources can help strengthen security and reduce vulnerabilities in various domains.
InfoSec books | InfoSec tools | InfoSec services
Jun 14 2023
With the rise of modern trends such as cloud computing and remote work, healthcare institutions strive to balance accessibility, convenience, and robust security.
In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Understanding the upcoming technological shifts and trends is crucial for preemptive preparation as we look toward the future.
Monitoring healthcare-specific security requirements is a full-time job. The amount of data processed at healthcare institutions grows exponentially, but it remains some of the most valuable information to the patients and—unfortunately—bad actors. These factors require a vendor’s mastery of healthcare-specific security requirements if technology is utilized by healthcare companies in any manner.
If a vendor does not appropriately respect the complex and evolving web of security obligations that healthcare institutions operate within, the vendor may not be able to build technology that is suitable for use by sophisticated healthcare enterprises.
Organizations should not shy away from holding vendors to a very high expectation of familiarity with security requirements within the healthcare industry. These organizations should look to healthcare-specific vendors who have a deep understanding of the standards, complexity, and sensitivity of these payments over non-healthcare-specific vendors.
A well-tailored security program must be just that: tailored. Many security legal frameworks are moving from specificity in controls towards a discretionary-based approach. This “discretionary” standard is interpreted by governing bodies that interpret the leading-edge developments in the industry.
An organization must trace what data is stored or processed and ensure security controls are mapped internally to an organization and externally across vendors. Healthcare organizations must dedicate time to ensure appropriate administrative, technical, and physical controls are in place at the organization and its vendors to protect data stored and processed.
The saying “one size fits all” is never true for how a security program is administered and applied in the healthcare technology industry, or any other industry. However, the fundamental principles are the same: understanding what data is processed by an organization, identifying true risks (internal and external) to the data, evaluating the impacts of those risks, and whether existing controls are adequate to reduce those risks to an acceptable standard.
Cloud computing and remote work are certainly unique trends, but there are always trends in one way or another whether occurring within the organization, the market, or geographically.
Sophisticated security organizations work hard to build flexible security programs, but it’s important to revisit the program on a fluid cadence to ensure that external or internal changes—small or big—are encompassed withing the security controls. For example, in response to COVID-19 many healthcare billing and revenue cycle teams transitioned to remote work. How does that impact payment acceptance security? Is it more important to adopt remote devices to accept secure, P2PE payments, or transition to a deviceless approach that prioritizes security and online patient engagement? These are all questions that providers have needed to answer in the last three years, and highlight the importance of an approach to security measures that welcome rather than avoid adaptation.
The evaluation of the suitability of a security control should not perform in a silo as it must consider business objectives to not weigh down the business unnecessarily. This evaluation may even warrant a reduced burden by offloading obligations to a qualified vendor or utilizing additional services from an existing vendor. For example, in payments, the move to Point-to-Point Encryption in payment systems can offload very complicated security burdens to a vendor while reducing administrative barriers. Companies may be surprised at how well new technologies being adapted within healthcare organization can protect data with more transparency all while promoting consumer-friendly accessibility and convenience (which are tenants of a good data governance program).
It all starts with leadership that buys into the security program and understands that investment in a security culture is an investment in risk minimization. There are three ways a company’s leadership can fast-track a security-minded culture:
Cybersecurity in the healthcare industry will be pushed to higher levels in at least two ways. First, legal frameworks that permit a discretionary application of security controls will reference security standards published from non-governmental security organizations as “industry standard.” These organizations have the resources and expertise to help set the standards of the industry. While this may mean more transparency of what are deemed acceptable standards, healthcare organizations may need to be subject to external third-party audits. Second, cybersecurity controls will continue to be bound together with privacy standards.
Although many laws may treat privacy and security as independent concepts, newer frameworks may treat one as dependent on the other. Sophisticated healthcare organizations are already managing to these predictions by eliminating silos between privacy and security operations, and ensuring a well-documented security program from policies to actions.
Security Awareness Program Builder: Practical guidelines for building your Information Security Awareness Program & prep guide for the Security Awareness and Culture Professional
InfoSec tools | InfoSec services | InfoSec books
Mar 15 2023
Whether your looking to develop a career in data privacy or cybersecurity, we have the perfect training solution for you! Pick bestselling ITG self-paced online training courses today and receive 15% off till March 31st 2023
Jan 26 2023
The European Union Agency for Cybersecurity (ENISA) has made available Awareness Raising in a Box (AR-in-a-BOX), a “do it yourself” toolbox to help organizations in their quest to create and implement a custom security awareness raising program
The package includes:
People have become cyber-attackers’ primary attack vector, which means that programs for raising cyber awareness are crucial for an organization’s cybersecurity strategy. The goal of these programs is to promote good cybersecurity practices of employees, managers and executives and improve their cybersecurity behavior.
A lot of advice can be found online on how to upgrade your security awareness efforts and engage your employees with better cybersecurity training, but sometimes organizations don’t know where to start.
AR-in-a-BOX can help them wrap their head around the task and push them towards realization.
“AR-in-a-Box is offered by ENISA to public bodies, operators of essential services, large private companies as well as small and medium ones (SMEs). [It] is dynamic and will be regularly updated and enriched,” the agency noted.
ENISA has previously published helpful materials for cybersecurity awareness campaigns aimed at electricity operators and the healthcare sector.
Checkout our previous posts on Security Awareness
#InfoSecTools and #InfoSectraining
Ask DISC an InfoSec & compliance related question
Dec 26 2022
Cybersecurity awareness is no longer a “nice to have”; in fact, it has become a fundamental part of your corporate training process across all levels and aspects of your business.
Would you leave your business unlocked and open to all comers? Of course not – but if you don’t have solid cybersecurity in place, that’s effectively what you’re doing! As the business world becomes a digital space, security has also become a digital matter.
One cybercriminal can wreak havoc if unchecked, and our potential flashpoints for vulnerabilities are growing daily. Nor is this something you can achieve alone – a great IT security team is one thing, but if one of your other workers leaves the metaphorical door unlocked, you’ll still be in trouble.
With top-down training boosted with the power of video, however, security can become a simple matter.
The average cost-per-company of a data breach is over $4 million. Cybercrime currently costs companies globally $8.4 trillion a year- and that is expected to soar to $23 trillion (or more) by 2027. Fortunately, there’s a lot you can do to mitigate your risk and keep your company out of those stats.
Humans are and will remain, the weakest link in any business’s digital security. Just as a thoughtless individual can leave a door unlocked and bypass your multi-million dollar security system in a heartbeat, one wrong move from an employee and even the best cybersecurity comes tumbling down.
It’s critical that all people in your organization are aware of cybersecurity risks, know the best practices for data and network security, and understand the consequences of laziness leading to cybersecurity failures.
It’s a simple idea – using a technical approach to proactively educate employees, ensuring awareness of data privacy, identity, and digital assets permeates every level of your organization. This will immensely reduce your risk of cybersecurity breaches. In turn, that means fewer financial losses from this type of crime, making it a solid return on investment.
And being cybersecurity-aware will have knock-on positives in your reputation with consumers, making you seem more trustworthy and desirable. Prevention of security issues means no loss of brand reputation, too.
Of course, your training is only as good as its retention rate. Cybersecurity training for employees can’t be some dull, dusty lecture or 500-page word document that’s unengaging, boring, and packed with jargon, or you may as well not waste your time. It’s critical that staff feel both empowered with their new skills, and that it comes over as simple to understand and easy to implement.
We all know that video is one of the most powerful storytelling formats out there. From the power of video shorts and reels for marketing to the way a great TV program can unite us, it’s a format that delivers punchy messages in an engaging way.
Unlike text, where aspects like reading level can play a role, everyone can engage with video. Plus you have the benefit of being able to condense a lot of information into short, pithy, and easy-to-retain factoids. You can power that up further with the power of AI, making videos simple to create, engaging, and easy to update and adapt without a huge financial outlay.
Using a simple text-to-speech format, you can create compelling, entertaining, and educational content that will help keep every member of your organization aware of cybersecurity risks and qualified to prevent them from occurring.
Cybersecurity awareness is no longer a ‘nice to have’. It’s an absolutely essential part of your corporate training process, across all levels and aspects of your business. With the power of simple-to-use AI video on your side, creating engaging learning programs to keep staff informed and ahead of cyber criminals is a simple matter, so don’t delay in addressing this critical aspect of business security today.
Learn cybersecurity fundamentals, including how to detect threats, protect systems and networks, and anticipate potential cyber attacks.
Infosec books | InfoSec tools | InfoSec services
Oct 19 2022
October is Security Awareness Month, an exciting time as organizations around the world train people how to be cyber secure, both at work and at home. But what exactly is security awareness and, more importantly, why should we care about it?
Organizations, cybersecurity leaders and the cybersecurity community will all tell you the same thing: People represent the greatest security risk in today’s highly connected world. Organizations see it in their own incidents, and we see it in global data sets.
The most recent Verizon Data Breach Investigations Report (DBIR)- one of the industry’s most trusted reports – has pointed out that people were involved in over 80% of breaches globally. These incidents may involve people being targeted with phishing emails or smishing attacks, or people making mistakes (e.g., IT admins misconfiguring their cloud accounts and accidentally sharing sensitive data with the entire world).
If people represent such a high risk, what should we be doing about it?
The traditional approach has been (and often continues to be) to throw more technology at the problem. If cyber attackers are successfully phishing people with email, we will deploy security technologies that filter and stop phishing email attacks. If cyber attackers are compromising people’s passwords, we will implement multi-factor authentication. The problem is that cyber attackers bypass these technologies by targeting people.
As we get better at identifying and stopping phishing email attacks, cyber attackers target people’s mobile phones with smishing (SMS or message-based) attacks. As more and more organizations deploy MFA, cyber attackers began pestering people with MFA requests until they approve one (as recently happened at Uber).
This is where we also run into our second challenge: Security teams far too often blame people as the root cause of the human risk problem – as evidenced in often used phrases such as “People are the weakest link,” and “If our employees did what we told them to do, they and we would be secure.”
But when we look at cybersecurity from the average employee’s perspective, it turns out that the security community is often to blame. We have made cybersecurity so confusing, scary, and overwhelming that we have set people up for failure. People often have no idea what to do or, if they do know what to do, doing the right thing has become so difficult that they get it wrong or simply choose another option.
Just look at passwords, one of the biggest drivers of breaches. We’ve been saying for years that people continue to use weak passwords in an insecure manner, but the problem persists because the password policies we teach are confusing and constantly changing. For example, many organizations or websites have policies requiring complex passwords of 15 characters, including having upper and lower case letters, symbols, and numbers. Then we require people to change those passwords every ninety days but don’t provide a secure way to secure all those long, complex, and changing passwords.
Then we roll out MFA to help secure people but, once again, this is extremely confusing (even for me!). First, we have multiple different names for MFA, including two-factor authentication, two-step verification, strong authentication, or one-time passwords. Then we have multiple different ways to implement it including push notification, text messaging, FIDO token-based, authentication apps, etc. Every website you go to has a different name and implementation of this technology, and then we once again blame people for not using it.
Security awareness training has been the traditional approach, and it involves communicating to and training your workforce on how to be cyber secure. While a step in the right direction, we need to take this one step further: We need to manage human risk.
Managing human risk requires a far more strategic approach. It builds on security awareness, to include:
Managing human risk is becoming a fundamental part of every security leader’s strategy. Security awareness is the first step in the right direction as we attempt to communicate to, engage and train our workforce, but we need a more dedicated, strategic effort to truly manage human risk. Perhaps one day we will even grow and replace the role of the Security Awareness Officer with the Human Risk Officer.
The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer
Oct 07 2022
This October is Cyber Security Awareness Month, an event designed to educate people about information security and the steps they can take to stay safe online.
Now in its nineteenth year, the campaign provides tools and resources to help people learn more about the cyber security industry and the ways they can get involved.
This year’s event focuses on phishing and ransomware – two of the biggest threats that organisations currently face.
According to Proofpoint’s 2022 State of the Phish Report, 83% of organisations fell victim to a phishing attack last year. Meanwhile, Verizon’s 2021 Data Breach Investigations Report found that 25% of all data breaches involve phishing.
The attack method is often used to deliver ransomware, which itself is responsible for significant damage. Our research discovered more than 100 publicly disclosed ransomware attacks in the first half of 2022, with intrusions shuttering businesses and creating huge financial problems.
There are events being held throughout October as part of National Cyber Security Awareness Month. Both national governments and private organisations have supported the campaign and are running programmes online and in person.
You can find a full list of events on Stay Safe Online, where you can also find information security tips.
The theme of this year’s campaign is ‘See Yourself in Cyber’, and individuals are encouraged to get involved online with the hashtag #BeCyberSmart.
A key component of that is protecting yourself from scams. The campaign reminds people that: “The signs can be subtle, but once you recognize a phishing attempt you can avoid falling for it.
“Before clicking any links or downloading attachments, take a few seconds (like literally 4 seconds) and ensure the email looks legit.”
The campaign also highlights the benefits of multi-factor authentication, strong passwords and regularly updating software.
You can also follow the latest developments with Cyber Security Awareness Month by following us on LinkedIn. We’ll will provide the latest updates on the campaign to help you get involved in events near you.
Plus, our experts will provide quick and simple tips to boost your cyber security awareness. Did you know, for example, that one of the most effective ways to boost your defences is also one of the simplest – ensuring that your accounts are protected by strong, unique passwords.
This applies not only to login credentials but also to databases and other sensitive information that you store online. The InterContinental Hotel Group was recently caught out by a cyber attack, after criminal hackers discovered a database protected by the password ‘Qwerty1234’.
The breach enabled the attackers to access the most sensitive parts of the hotel giant’s computer systems, and ultimately led to a phishing attack in which an employee was duped into downloading malware that destroyed huge volumes of sensitive data.
Another top tip for preventing cyber attacks is to test your employees with Phishing Challenge E-learning Game. These are messages that use the same techniques as genuine scams without the malicious payload.
The attacks give you the opportunity to monitor how your employees respond to a bogus email. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact the IT team to alert them of the threat?
Simulated phishing is an essential technique in an organisation’s cyber security practices. It complements traditional staff awareness training to assess the effectiveness of your programme in a real-world scenario.
Sep 28 2022
Defend against phishing attacks with more than user training. Measure users’ suspicion levels along with cognitive and behavioral factors, then build a risk index and use the information to better protect those who are most vulnerable.
Our approach to security awareness is flawed. And we must change it.
As Russian tanks creaked into Ukraine, CEOs and IT managers throughout the United States and much of the free world started sending out emails warning their employees about impending spear-phishing attacks.
It made sense: Spear-phishing was what Russians had used on Ukrainians many times in the past half of a decade, such as when they shut down the country’s electrical grid on one of its coldest winter nights. It was also what the Russians had used against the Democratic National Committee and targets across the US.
At one end, the email missives from CEOs were refreshing. People were serious about the threat of phishing, which wasn’t the case in 2014 when I started warning about its dangers on CNN.
At the other end, it was sobering. There wasn’t much else organizations had figured out to do.
Sending messages to warn people was what AOL’s CEO resorted to back in 1997, when spear-phishing first emerged and got its name. Budding hackers of the time were impersonating AOL administrators and fishing for subscribers’ personal information. That was almost three decades ago, many lifetimes in Internet years.
In the interim, organizations have spent billions on security technologies and countless hours in security training. For context, a decade ago, Bank of America (BoA) was spending $400 million on cybersecurity. It now spends $1 billion per year on it. Yet thousands of its customer accounts in California were hacked last year.
And BoA isn’t alone. This year, Microsoft, Nvidia, Samsung, LG, and T-Mobile — which recently paid out a $350 million settlement to customers because of a breach in 2021 — were hacked. All fell victim to spear-phishing attacks. No question that the employees in these companies are experienced and well-trained in detecting such attacks.
Clearly, something is fundamentally flawed in our approach, when you consider that after all this, email-based compromises increased by 35% in 2021, and American businesses lost over $2.4 billion due to it.
A big part of the problem is the current paradigm of user training. It primarily revolves around some form of cyber-safety instruction, usually following a mock phishing email test. The tests are sent periodically, and user failures are tracked — serving as an indicator of user vulnerability and forming the backbone of cyber-risk computations used by insurers and policymakers.
There is limited scientific support for this form of training. Most point to short-term value, with its effects wearing off within hours, according to a 2013 study. This has been ignored since the very inception of awareness as a solution.
There is another problem. Security awareness isn’t a solution; it’s a product with an ecosystem of deep-pocketed vendors pushing for it. There is legislation and federal policy mandating it, some stemming from lobbying by training organizations, making it necessary for every organization to implement it and users to endure it.
Finally, there is no valid measurement of security awareness. Who needs it? What type? And how much is enough? There are no answers to these questions.
Instead, the focus is on whether users fail a phishing test without a diagnosis of the why — the reason behind the failures. Because of this, phishing attacks continue, and organizations have no idea why. Which is why our best defense has been to send out email warnings to users.
The only way to defend against phishing is to start at the fundamentals. Begin with the key question: What makes users vulnerable to phishing?
The science of security already provides the answers. It has identified specific mind-level or cognitive factors and behavioral habits that cause user vulnerability. Cognitive factors include cyber-risk beliefs — ideas we hold in our minds about online risk, such as how safe it might be to open a PDF document versus a Word document, or how a certain mobile OS might offer better protection for opening emails. Many such beliefs, some flawed and others accurate, govern how much mental attention we pay to details online.
Many of us also acquire media habits, from opening every incoming message to rituals such as checking emails and feeds the moment we awake. Some of these are conditioned by apps; others by organizational IT policy. They lead to mindless reactions to emails that increase phishing vulnerability.
There is another, largely ignored, factor: suspicion. It is that unease when encountering something; that sense that something is off. It almost always leads to information seeking and, armed with the right types of knowledge or experience, leads to deception-detection and correction.
It did for the former head of the FBI. Robert Muller, after entering his banking information in response to an email request, stopped before hitting Send. Something didn’t seem right. In the momentary return to reason caused by suspicion, he realized he was being phished, and changed his banking passwords.
By measuring suspicion along with the cognitive and behavioral factors leading to phishing vulnerability, organizations can diagnose what makes users vulnerable. This information can be quantified and converted into a risk index, with which they can identify those most at risk, the weakest links, and protect them better.
Doing this will help us defend users based on a diagnosis of what they need, rather than a training approach that’s being sold as a solution — a paradigm that we know doesn’t work.
After billions spent, our best approach remains sending out email warnings about incoming attacks. Surely, we can do better. By applying the science of security, we can. And we must — because spear-phishing presents a clear and present danger to the Internet.
Security Awareness For Dummies
Sep 12 2022
The European Agency for Cybersecurity (ENISA) each October promotes cybersecurity among EU citizens and organizations, and is partnering with Anima People, specialists in behavioral science related to security, in a critical project to evaluate cybersecurity awareness campaigns in behavior change among employees. Organizations worldwide will benefit by the intelligence they need to design successful campaigns in the future, helping to drive long-term behavior conducive to a cyber-secure world. Please participate by completing this survey:https://
Aug 02 2022
According to a new Tessian report, 30% employees do not think they personally play a role in maintaining their company’s cybersecurity posture.
What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t care enough about cybersecurity to mention it.
Virtually all IT and security leaders agreed that a strong security culture is important in maintaining a strong security posture. Yet, despite rating their organization’s security 8 out 10, on average, three-quarters of organizations experienced a security incident in the last 12 months.
The report suggests this could stem from a reliance on traditional training programs; 48% of security leaders say training is one the most important influences on building a positive security posture. But the reality is that employees aren’t engaged; just 28% of UK and US workers say security awareness training is engaging and only 36% say they’re paying full attention. Of those who are, only half say it’s helpful, while another 50% have had a negative experience with a phishing simulation. With recent headlines depicting how phishing simulations can go awry, negative experiences like these further alienate employees and decrease engagement.
The report also reveals a disconnect when it comes to reporting security risks. Eighty percent of security leaders believe robust feedback loops are in place to report incidents, but less than half of employees feel the same, suggesting clearer processes are needed so that security teams have greater visibility of risk in their organization.
Transformational Security Awareness
Apr 15 2022
While you may disagree, data breach studies show that employees and negligence are the most typical causes of security breaches, yet these prevalent issues are least discussed.
According to a recent industry report from Shred-It, an information security provider, 47% of top business executives believe that employee error, such as the inadvertent loss of a device or document, has resulted in a data breach within their company. According to another study by CybSafe, human errors have been responsible for over 90% of data breaches in 2020.
It’s no secret that companies of all sizes increasingly feel the sting of cybercriminals exploiting vulnerabilities in remote and hybrid working environments. However, little to no effort is made toward strengthening defenses. Now is the moment to train your personnel on security best practices, if you haven’t already.
As a result of inadequate security measures, customers have long suffered the most. However, the stakes for employees and their businesses are higher than ever this year. Experian predicts 2022 will be a hangover from the “cyberdemic” of 2021, making it crucial to stay ahead by designing a cybersecurity training program for employees and strengthening defenses.
Developing a cybersecurity training program requires knowing where the blind spots are. While there are numerous approaches to promoting a more cyber secure workplace, here are the most common and effective ways:
You can test your employees’ ability to distinguish authentic email content from fraudulent attachments by mass spear-phishing them. Employees who fall for the phishing email are the ones you need to be extra careful about.
They might be the ones that eventually end up disclosing a company’s valuable digital assets. Once you have the data, you may measure the entire risk to your network and build remedies from there using custom reporting metrics.
All employees, irrespective of their designation or job role, should be a part of the security training. However, employees who fell for the spear-phishing campaign are the ones you need to observe and invest your security training into.
When delivering cybersecurity training, stress the importance of the training as an exercise that can also be applied elsewhere. Employees will be more inclined to utilize secure procedures at work if they do so at home on their computers and phones.
Nothing motivates an employee more than being rewarded for their performance. Set up metrics and determine the level of participation, enthusiasm, and cybersecurity knowledge an employee obtains via quizzes or cross-questions. Employees who follow best practices should be rewarded, and others should be encouraged to improve their cybersecurity habits.
Engage your employees by introducing cybersecurity topics and certifications. Employees new to the cybersecurity realm would greatly benefit from relevant courses and learnings that might augment their skills and shine bright on their resumes.
Social media platforms are riddled with short instructional videos, which can be a great source of learning for those struggling to complete cybersecurity courses and manage work simultaneously.
Data privacy laws have been here for a while. However, they have recently received recognition after the EU introduced the General Data Protection Regulation (GDPR) in 2016, which came into force in 2018.
Most employees don’t know much about data protection laws or don’t know them altogether. It’s crucial to educate employees regarding existing and upcoming data protection laws and how they impact the business. According to MediaPro, a multimedia communications group, 62% of employees were unsure if their company must comply with the California Consumer Privacy Act (CCPA).
Integrating data privacy laws and regulations within cybersecurity training is crucial. While employees do not need to be compliance specialists, they should have a fundamental understanding of their company’s privacy policies, data handling procedures, and the impact of data privacy laws on their organization.
Massive data breaches and ingenious hackers have muddied the waters of what is and isn’t possible when carrying out a cyberattack, making it challenging for novice security personnel to tell the difference between facts and made-up security misunderstandings.
Lack of understanding and misconceptions make matters worse as employees tend to become too concerned about non-existent or misunderstood risks while being less concerned about real ones. That begs the question: Are employees taking cybersecurity seriously, or will they be a liability rather than an asset?
To move forward, begin by designing a survey that starts with the basic cybersecurity knowledge and distributing it across the organization. The survey could contain questions such as:
The results will demonstrate the current knowledge base within the organization and whether the employees take cybersecurity seriously.
While discovering the loopholes within your organization is one thing, developing a cybersecurity training program specifically tailored to patch those vulnerabilities might not be enough. Not only this, keep a strategy that focuses on zero-day attacks to avoid any damages. As an individual entrusted with developing a training program, you should know that you need a long-term solution to the existing problem.
Humans have always been the weakest link in the cybersecurity chain, and human errors will only escalate despite the depth of training given. That leaves organizations in a tough spot and struggling to meet compliance requirements.
Training just for the sake of training will not benefit anyone. Employees need to dedicate their hearts and minds to the training, and continuous sessions should take place so that employees always stay current with the latest happenings and privacy frameworks. Poor training may further confuse employees, which may also draw additional dangers.
With Securiti data privacy automation tools, you can reduce or eliminate reliance on employees and move towards a more modern and error-free framework.
About the Author: Anas Baig
With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.
Security Awareness Program Builder: Practical guidelines for building your Information Security Awareness Program & prep guide for the Security Awareness and Culture Professional (SACP)™
👇 Please Follow our LI page…
#InfoSecTools and #InfoSectraining
Mar 31 2022
Feb 17 2022
Almost every part of our everyday lives is closely connected to the internet – we depend on it for communication, entertainment, information, running our households, even running our cars.
Not everyone in the world has access to the same features and content on the internet, though, with some governments imposing restrictions on what you can do online. This severely limits internet freedom and, with it, the quality of life and other rights of the affected users.
Internet freedom is a broad term that covers digital rights, freedom of information, the right to internet access, freedom from internet censorship, and net neutrality.
To cover this vast subject, we’ve compiled 50 statistics that will give you a pretty clear picture about the state of internet freedom around the world. Dig into the whole thing or simply jump into your chosen area of interest below:
The Internet in Everything: Freedom and Security in a World with No Off Switch
Dec 08 2021
There is a serious user problem out there, and whether the user makes a mistake or is intentionally malicious, it can impact the entire system and the organization. But is it really a user problem?
In their session at (ISC)2 Security Congress, Ira Winkler, CISO with Skyline Technology Solutions and Tracy Celaya-Brown, president, Go Consulting International, said the user problem is really a cybersecurity people problem.
“People can’t do things that we don’t give them permission to do,” Winkler said. As long as a user has the ability to do certain tasks, click on links or see a spearphishing email show up in their inbox, they will make mistakes that can take down the network. The problem is not that users cause a loss, but that they can potentially initiate a loss, according to Winkler and Celaya-Brown.
One mistake shouldn’t take down an entire network. One person shouldn’t have the ability to cause universal panic because of the access permissions they are given. But it happens all the time, and the reason is failure of cybersecurity leadership. Remember the Twitter hack a few years ago where some of the most famous names on the social media site were victims of account takeovers? Winkler pointed out that social engineering techniques coupled with the fact that about one-fifth of Twitter’s employees had permissions to change passwords led to that massive cybersecurity failure. Or, in other words, the human problem was enabled by cybersecurity people and leadership who fell short in their responsibilities. Of course, you want users that will behave the way cybersecurity leadership wants them to, but the cybersecurity team needs to take a closer look at their actions, too.
“We have to take a closer look at why problems occur,” said Winkler. “The problem isn’t a user clicking on a link. The problem occurred when the user received the message.”
Improving Cyber Security Skills And Knowledge At Board Level
Dec 06 2021
Training available for individual or Corporate members
Aug 04 2021
In our latest video, we demonstrate an attack scenario that can occur within any organization – hacking a smart TV. The video shows an insider plugging a USB Rubber Ducky into a smart TV in a company meeting room. Within less than a minute, a payload is executed to set up a Wi-Fi network for data exfiltration (called kitty3) and instructs the TV to connect to it. The payload then uploads a utility that captures the screen before the insider removes the rogue device.
Smart TV Security: Media Playback and Digital Video Broadcast