Once the COVID-19 pandemic hit at full throttle back in March of 2020, IT Security teams and employees were scrambling to fit the new WFH model. But as time went on and things started to smooth out a little bit, one of the key mantras in Cyber still continued, and that was Employee Awareness Training.
Of course, with everybody working at different hours and Zoombombing taking its full effect, no company in its right mind could really give any sort of training.
But as that too dissipated, CISOs came to grips with the new norm and began this training once again. One key thing that they also understood is that teaching employees what to do and what not to do is not a one-size-fits-all kind of thing.
Training has to be unique, different, interesting, and above all, fit the needs of the employees themselves.
In other words, just as dynamic as the Cyber Threat
Landscape has become, so too has Employee Awareness Training. This is a topic that people have not paid too
much attention to in the headlines, because of the sheer rash of Ransomware
attacks that have taken place.
But as we start to wind down Q4 of this year, it is
important to tweak your overall messaging so it fits the current time.
Here are some key tips:
1) Try to understand why employees do what they do:
What I mean here is that despite knowing what a Phishing Email could potentially look like, employees still click on malicious links and/or download attachments that could contain viruses and other forms of malware. So rather than scolding them, which gets nowhere, try to get into their shoes and explain to them the importance of simply deleting suspicious-looking Emails and reporting them to the IT Security team. Explain the importance of using password managers, and how this will protect not only the company but their jobs as well. But even more important, you also need to explain the key factors the IT Security team is looking for when it comes to identifying suspicious behavior. Teach the following as well:
* The importance of password requirements;
* Not using the same passwords over and over again;
* Why there is a cap on the total number of failed logins;
* Reviewing user access to systems and applications that make use of PII datasets;
* When and where alerts are used.
2) Explain what it is all about:
Whenever you are discussing a threat variant in the training, don't just gloss over it. Tell your employees what it is all about. Probably the best example here is that of Ransomware. Instead of simply saying that it is just another piece of malware (which it is), teach them what really happens and the aftereffects that can take place, such as locked files and wireless devices, how the PII datasets are sold on the Dark Web, and worst yet, explain to them the newer technique used by the Cyberattacker: Extortion. Perhaps putting in a little bit of a fear factor will make them realize just how important maintaining a good level of Cyber Hygiene really is. Heck, even do a deeper dive and explain how the IT Security team looks for such things as malformed data entering and leaving the IT infrastructure, as these are telltale signs of a possible Ransomware attack.
3) The importance of Endpoint Security:
This is a topic that I think I have written about previously in some detail in other blogs. But long story short, these are the traditional points of origination and destination when a line of network communications has been established between the company servers and your wireless device, and also vice versa. Most businesses have only been concerned with protecting the information/data that is transmitted, and not these so-called Endpoints. Because of this, the Cyberattacker has started to hang out in these areas in a very covert fashion, ready to move when the timing is right, especially in a lateral fashion. Obviously, there is not really too much the employee can do to help safeguard the Endpoints; it is really the job of the IT Security team. But in this regard, it is very important to explain to them what this is all about, and what your team is doing to secure these Endpoints at the present time. This includes how software versioning is used, how the latest firmware and software patches/upgrades are applied, how alerts are filtered through from the Network Intrusion Devices (NIDs), etc. By shedding light on this aspect as well, employees will come to appreciate all the hard work that it takes to protect the digital assets of your company, and hopefully this will instill in them a greater sense of urgency to maintain good levels of Cyber Hygiene.
4) Doing work outside of the home:
Humans are social creatures by design, and there are times when they will feel like working outside of the home, such as at a Starbucks or Panera Bread. In these cases, remind them not to use the public Wi-Fi that is offered at these places. Remind them to instead use their wireless device as a hotspot, because this is encrypted and makes use of a much stronger password. Also tell them to never use their own devices at these public places; always use company-issued devices. Finally, also remind them of Social Engineering. For example, there could literally be a Cyberattacker sitting just two feet away from them with a network sniffer in their pocket, capturing all of the data packets that are being transmitted to and from your employee's device. And, if they ever have to travel, remind them of the importance of checking that where they are staying also supports the use of VPN technology.
My Thoughts On This
One key thing in these training programs is, once again, to use the tactic of fear to jar your employees a bit. Simply tell them that the total number of Cyberattacks is not going to go away and in fact is increasing, and it is expected that this will be the case even going into 2022. This can be seen from the illustration below:
I will review this in much more detail in a future blog. You should also explain to the employees in
your company what further steps the IT Security team is taking to further
fortify the lines of defenses:
* Blocking access to websites that have suspicious IP addresses at the point of origination;
* Taking new steps to block the installation of unapproved software apps onto company-issued devices (this is also known as "Shadow Management");
* Using rules in firewalls and routers to ensure that only HTTPS-based connections are permitted.
Remember, you should not just rely upon the HR department to deliver this kind of training. It also takes a strong level of cooperation from the IT Security team to deliver a great training product. So as we wrap up, you may be asking what Employee Awareness Training should look like for 2022. Well, once we reach that point, I will tell you. But for sure, once again, Ransomware will be a key chunk of it.