Cybercriminals are relentless. The more businesses protect themselves, the more cybercriminals prey on what the business cannot directly control: the behavior of people. Businesses must invest in ongoing cybersecurity awareness and end-user training so that even this vulnerability can be minimized.
If you don't work in IT and you aren't especially fascinated by news and articles about cyber threats, how could you be expected to curtail dangerous behaviors? Just as we educate children about the possible threats from strangers, or to leave the house immediately when the smoke detector goes off, educating users and making them aware of cyber threats is key.
Enterprises with internal IT departments should already have a heavy focus on cybersecurity. This involves a living cybersecurity plan that is implemented for protection from, detection of, and recovery from cyber threats. However, the Cybersecurity Awareness Program, a critical component of that plan, is often overlooked or considered only after considerable damage has occurred.
Email is one example: how end users open attachments, click on links, or share personal and confidential data are among the risky user behaviors. Email is important to business survival, so how do we reduce risk while remaining effective in our business communication? The difference lies in increasing user awareness of how to detect something risky and what action or behavior to take, or not take.
According to SOPHOS research:
Elements of a Cybersecurity Awareness Program
1 – Cybersecurity training delivered as a course with a quiz (possibly a certification) that users must complete is essential. Because coordinating this can be too overwhelming for an IT department on its own, some hire outside consultants to assist in establishing the program. The format and length of the training course can be simple. An internal course with online access for staff, in a self-paced format with a scheduled due date, could be effective. Some companies may prefer a live instructor or a webinar format.
The course should be completed by every employee. All new staff should complete the training during onboarding. Contractors who will be given access to the network and company assets may also be required to pass a quiz before receiving their credentials. Annually, the course should be revised for relevance, and recertifying each employee with another quiz is a good idea. If an employee fails, the course is repeated until the quiz is passed and recertification occurs.
Yes – this diligence is necessary to reduce the vulnerabilities of human behaviors.
2 – Cybersecurity review meetings are periodic planned events where examples from the news or stories from the real world are presented, shared, and discussed as stark reminders of the invisible looming threats just waiting for someone to slip up and take the bait. Cybercriminals are relentless!
3 – Penetration testing, in the form of simulated phishing, is a technique where users receive suspicious emails as a test of what action they might take. These are sent at random with no warning and simply appear alongside all other emails in the inbox. The simulation generates a user response: the user reports the email as suspicious, ignores it completely, deletes it, or proceeds incorrectly. Whatever the user does, the penetration test tool keeps track. Notifications and reports are then generated so that feedback on trends can be given to users regularly, explaining why they should have known the email was suspicious.
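To show what the tracking and trend reporting described above can look like in practice, here is an added example (not code from the article or from any vendor's simulation tool). It assumes a constructed CSV export with one row per recipient per campaign and the article's four user responses, computes per-campaign click and report rates, and lists users who clicked in repeated campaigns as candidates for the retraining described in point 1.

```python
"""Aggregate responses from a simulated phishing campaign (added example,
not code from the article or any vendor). Assumes a constructed CSV export
with one row per recipient per campaign: user,campaign,outcome."""
from collections import Counter, defaultdict

# Constructed sample export: two campaigns sent to the same four users.
SAMPLE_EXPORT = """\
user,campaign,outcome
alice,2024-Q1,reported
bob,2024-Q1,clicked
carol,2024-Q1,ignored
dave,2024-Q1,clicked
alice,2024-Q2,reported
bob,2024-Q2,clicked
carol,2024-Q2,reported
dave,2024-Q2,deleted
"""
# The article's four possible user responses to a test email.
OUTCOMES = ("reported", "ignored", "deleted", "clicked")

def parse_export(text):
    """Parse the export, rejecting rows with an unknown outcome."""
    rows = []
    for line in text.splitlines()[1:]:  # skip header
        user, campaign, outcome = line.strip().split(",")
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} for {user}")
        rows.append({"user": user, "campaign": campaign, "outcome": outcome})
    return rows

def campaign_rates(rows):
    """Per campaign, the fraction who clicked and the fraction who reported."""
    counts = defaultdict(Counter)
    for r in rows:
        counts[r["campaign"]][r["outcome"]] += 1
    return {camp: {"click_rate": c["clicked"] / sum(c.values()),
                   "report_rate": c["reported"] / sum(c.values())}
            for camp, c in sorted(counts.items())}

def repeat_clickers(rows, threshold=2):
    """Users who clicked in at least `threshold` campaigns: retraining candidates."""
    clicks = Counter(r["user"] for r in rows if r["outcome"] == "clicked")
    return sorted(u for u, n in clicks.items() if n >= threshold)

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for camp, rate in campaign_rates(rows).items():
        print(f"{camp}: click {rate['click_rate']:.0%}, report {rate['report_rate']:.0%}")
    print("retraining candidates:", repeat_clickers(rows))
```

A falling click rate and rising report rate from one campaign to the next is the trend the article's feedback loop is meant to produce; the repeat-clicker list feeds the recertification step.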
4 – Ongoing transparency means organic discussion. Security incidents or breaches need to be communicated so that lessons are learned. The proactive practice of "see something, say something" and open dialogue around cybersecurity should be encouraged. A collaborative culture of learning and sharing knowledge is essential for improved cybersecurity.
Remember to strengthen your cybersecurity protection by mitigating the risks from human behavior. Although email is among the highest threat categories, other user behaviors around passwords, sharing devices, downloading, internet surfing and much more should be included in the Cybersecurity Awareness Program, which is executed as part of your Cybersecurity Plan. Be vigilant!
AKAVEIL Technologies welcomes in-house IT professionals to contact us for further information. We are industry experts who offer consulting, design, implementation, maintenance, and support services. We can partner with you at any level necessary to help your business achieve its goals.
If you do not have an in-house IT team, please contact us to analyze your needs, offer solutions and perform the services you require.
AKAVEIL Technologies has decades of experience, skills, and knowledge in the evolution of cybersecurity practices and standards. In addition, we have carefully chosen SOPHOS as a security partner. SOPHOS provides ongoing research and knowledge in the cybersecurity arena which ensures their products are up to the most current specifications for your protection. We understand security posturing for optimal protection, detection, and recovery.