It’s Cybersecurity Awareness Month (CSAM) time again this October. This is an awareness-raising initiative that spans both consumer and corporate worlds, although there’s plenty of crossover: every employee is also a consumer, after all. In fact, as we increasingly work from home or our favorite remote workspace, the lines have never been so blurred. Unfortunately, at the same time, the risks of compromise have never been quite so acute.
Building a more cyber-secure world starts here. So what should IT bosses be incorporating into their security awareness raising programs now and in 2024? It’s important to ensure you’re dealing with the cyberthreats of today and tomorrow, not the risks of yesteryear.
Why training matters
According to Verizon, three-quarters (74%) of all global breaches over the past year include the “human element,” which in many cases meant error, negligence or users falling victim to phishing and social engineering. Security training and awareness programs are a critical way to mitigate these risks. But there’s no quick and easy route to success. In fact, what you should be looking for is not so much training or awareness-raising, as both can be forgotten in time. It’s about changing user behaviors for the long term.
That can only happen if you run programs continuously, to keep learnings top of mind at all times. And ensure no one misses out—that means including temps, contractors and C-level executives. Anyone could be a target, and it could take just one mistake to potentially let the bad guys in. Also, run sessions in bite-sized chunks, to have a better chance of the messages sticking. And where possible, include simulation or gamification exercises to bring a particular threat to life.
As we’ve mentioned before, lessons can even be personalized to specific roles and sectors, to make them more relevant to the individual. And gamification techniques may be a useful addition to make training stickier and more engaging.
3 areas to include now and in 2024
As we near the end of 2023, it pays to think about what to include in next year’s programs. Consider the following:
1) BEC and phishing
Business Email Compromise (BEC) fraud, which leverages targeted phishing messages, remains one of the highest-earning cybercrime categories out there. In cases reported to the FBI last year, victims lost over $2.7 billion. This is a crime fundamentally predicated on social engineering, usually by tricking the victim into approving a corporate fund transfer to an account under the control of the scammer.
There are various methods by which they achieve this, such as by impersonating a CEO or supplier, and these can be neatly slotted into phishing awareness exercises. These should be combined with investments into advanced email security, robust payment processes and doublechecking any payment requests.
Phishing as such has been around for decades but is still one of the top vectors for initial access into corporate networks. And thanks to distracted home and mobile workers, the bad guys have an even better chance of achieving their goals. But in many cases tactics are changing, and so too must phishing awareness exercises. This is where live simulations can really help to change user behaviors. For 2024, consider including content on phishing via text or messaging apps (smishing), voice calls (vishing) and new techniques like multi-factor authentication (MFA) bypass.
Specific social engineering tactics change extremely frequently, so it’s a good idea to partner with a training course provider that can update its content accordingly.
2) Remote and hybrid working security
Experts have long warned that employees are more likely to ignore security guidance/policy or simply forget it when working from home. One study found that 80% of workers admitted that working from home on Fridays in the summer makes them more relaxed and distracted, for example. This can put them at an elevated risk of compromise, especially when home networks and devices may be less well protected than corporate equivalents. And this is where training programs should step in with advice on security updates for laptops, password management and the use of only corporate-approved devices. It should come alongside phishing awareness training.
Cybersecurity for the hybrid workplace:
The hybrid workplace: What does it mean for cybersecurity?
Protecting the hybrid workplace through Zero Trust security
Tackling the insider threat to the new hybrid workplace
Why cloud security is the key to unlocking value from hybrid working
Examining threats to device security in the hybrid workplace
Further, hybrid working has become the norm for many businesses today. One study claims 53% now have a policy, and the figure is surely set to grow. However, commuting to the office or working from a public location has its risks. One is threats from public Wi-Fi hotspots that might expose mobile workers to adversary-in-the-middle (AitM) attacks, where hackers access a network and eavesdrop on data travelling between connected devices and the router, and “evil twin” threats where criminals set up a duplicate Wi-Fi hotspot masquerading as a legitimate one in a specific location.
There are also less “hi-tech” risks out there. Training sessions could be a good opportunity to remind staff of the dangers of shoulder surfing.
3) Data protection
GDPR fines increased 168% annually to over €2.9bn ($3.1bn) in 2022, as regulators cracked down on non-compliance. That makes a pretty strong case for organizations to ensure their staff are following data protection policies correctly.
Regular training is one of the best ways to keep data handling best practice front of mind. That means things like use of strong encryption, good password management, keeping devices safe and reporting any incidents immediately to the relevant contact.
Staff may also benefit from a refresh in using blind carbon copy (BCC), a common mistake which leads to unintended email data leaks, and other technical training. And they should always consider whether what they post on social media should be kept confidential.
Training and awareness courses are a critical part of any security strategy. But they can’t work in isolation. Organizations must also have watertight security policies enforced with strong controls and tools like mobile device management. “People, process and technology” is the mantra that will help build a more cybersecure corporate culture.