Sunday, October 17, 2021

The Importance Of Delivering The Right Message In Your Cyber Awareness Training Programs

Once the COVID-19 pandemic hit at full throttle in March of 2020, IT Security teams and employees were scrambling fast to fit the new WFH model.  But as time went on, and things started to smooth out a little bit, one of the key mantras in Cyber still continued, and that was Employee Awareness Training.

Of course, with everybody working at different hours and Zoombombing taking its full effect, no company in its right mind could really give any sort of training.

But as that too dissipated, CISOs started to come to grips with the new norm and began this training once again.  One key thing that they also understood is that teaching employees what to do and what not to do is not a one-size-fits-all kind of thing.

Training has to be unique, different, interesting, and above all, fit the needs of the employees themselves.

In other words, just as dynamic as the Cyber Threat Landscape has become, so too has Employee Awareness Training.  This is a topic that people have not paid too much attention to in the headlines, because of the sheer rash of Ransomware attacks that have taken place. 

But as we start to wind down Q4 of this year, it is important to tweak your overall messaging so it fits the current time. 

Here are some key tips:

1) Try to understand why employees do what they do:

What I mean here is that despite knowing what a Phishing Email could potentially look like, employees still click on malicious links and/or download attachments that could contain viruses and other forms of malware.  So rather than scolding them, which gets nowhere, try to get into their shoes and explain to them the importance of simply deleting suspicious looking Emails and reporting them to the IT Security team. Explain the importance of using password managers, and how it will not only protect the company, but their jobs as well.  But even more important, you also need to explain the key factors the IT Security team is looking for when it comes to identifying suspicious behavior. Teach the following as well:

*The importance of password requirements;

*Not using the same passwords over and over again;

*Why there is a cap on the total number of failed logins;

*Reviewing user access to systems and applications that make use of PII datasets;

*When and where alerts are used.

2) Explain what it is all about:

Whenever you are trying to discuss a threat variant in the training, don't just gloss over it.  Tell your employees what it is all about.  Probably the best example here is that of Ransomware.  Instead of simply saying that it is just another piece of malware (which it is), teach them what really happens, and the aftereffects that can take place, such as the locking of files and wireless devices, how the PII datasets are sold on the Dark Web, and worse yet, explain to them also the new technique that is used by the Cyberattacker – Extortion.  Perhaps putting in a little bit of a fear factor will make them realize just how important maintaining a good level of Cyber Hygiene really is.  Heck, even do a deeper dive and explain how the IT Security team looks for such things as malformed data entering and leaving the IT infrastructure, as these are telltale signs of a possible Ransomware attack.

3) The importance of Endpoint Security:

This is a topic that I think I have written about previously in some detail in other blogs.  But long story short, these are the traditional points of origination and destination when a line of network communications has been established between the company servers and your wireless device, and also vice versa.  Most businesses have only been concerned with protecting the information/data that is being transmitted, and not these so-called Endpoints.  Because of this, the Cyberattacker has started to hang out in these areas in a very covert fashion, ready to move when the timing is right, especially in a lateral fashion. Obviously, there is not really too much the employee can do to help safeguard the Endpoints; it is really the job of the IT Security team.  But in this regard, it is very important to explain to them what this is all about, and what your team is doing to secure these Endpoints at the present time.  This includes how software versioning is used, how the latest firmware and software patches/upgrades are applied, how alerts are filtered through from the Network Intrusion Devices (NIDs), etc.  By shedding light on this aspect as well, employees will come to appreciate all the hard work that it takes to protect the digital assets of your company, and hopefully this will instill in them a greater sense of urgency to maintain good levels of Cyber Hygiene.

4) Doing work outside of the home:

Humans are social creatures by design, and there are times when they will feel like working outside of the home, such as at a Starbucks or Panera Bread.  In these cases, remind them not to use the public Wi-Fi that is offered at these places. Remind them to instead use their wireless device as a hotspot, because this is encrypted and makes use of a much stronger password.  Also tell them to never use their own devices at these public places; always use company issued devices.  Finally, also remind them of Social Engineering.  For example, there could literally be a Cyberattacker sitting just two feet away from them with a network sniffer in their pocket capturing all of the data packets that are being transmitted to and from your employee's device.  And, if they ever have to travel, remind them of the importance of checking that where they are staying also supports the usage of VPN technology.

My Thoughts On This

One key thing in these training programs is once again, use the tactic of fear to jar up your employees a bit.  Simply tell them that the total number of Cyberattacks is not going to go away, and in fact, is increasing, and it is expected that this will be the case even going into 2022.  This can be seen from the illustration below:


(SOURCE:  https://www.darkreading.com/attacks-breaches/north-american-orgs-experience-497-attacks-per-week-on-average-currently)

I will review this in much more detail in a future blog.  You should also explain to the employees in your company what further steps the IT Security team is taking to further fortify the lines of defenses:

*Blocking access to websites that have suspicious IP addresses at the point of origination;

*Taking new steps to block the installation of unapproved software apps onto company issued devices (this is also known as "Shadow Management");

*Using rules in firewalls and routers to ensure that only HTTPS based connections are allowed.

Remember, you should not just rely upon the HR department to deliver this kind of training.  It also takes a strong level of cooperation from the IT Security team to deliver a great training product.  So as we wrap up, you may be asking what Employee Awareness Training should look like for 2022.  Well, once we reach that point, I will tell you.  But for sure, once again, Ransomware will be a key chunk of it.
