SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
The security awareness training topics to reduce risk and promote a security-compliant culture
Thu, 15th Sep 2022

Cybercriminals are experts at creating confusion in even the most cyber-savvy professionals, and many attacks rely on human error to succeed. Therefore, it’s critical for businesses to support integrated and ongoing security awareness training that continues to educate end users on how to identify and combat cyber threats, as well as best practices for staying cyber-savvy.

Cybercriminals commonly use phishing emails to gain access to company networks, and these emails are extremely convincing even to employees who are aware of this type of attack. Organisations therefore need to train their staff to an even higher degree so they can identify and avoid the increasingly sophisticated cyberattacks that are launched with the specific intention of circumventing cybersecurity tools by exploiting human error.

It takes a consistent, comprehensive, and sustained training effort to ensure that all team members, regardless of their role, can identify potential risks and avoid falling victim. Because the threat landscape changes constantly, this training should occur regularly. It should also cover a broad range of topics to better equip staff to defend themselves and their organisations against these threats.

There are 12 critical areas of concern that end-user security awareness training should cover:

Phishing attacks: phishing attacks often involve an employee receiving an email that appears to come from a reputable source, tricking them into clicking a link that will download malware. Effective phishing training will teach employees how to recognise and report suspected phishing attempts and the best practices to avoid falling for one.

Ransomware: ransomware occurs when attackers encrypt an organisation’s data, making it inaccessible unless the organisation pays a ransom. Paying the ransom provides no guarantee that the files will be decrypted, nor does it ensure that the attackers won’t release confidential files to the public, both of which could significantly damage the organisation. Recovering from a ransomware incident is costly, both from a reputational and financial viewpoint. The best way to protect against ransomware is to give employees the tools to spot and flag suspicious behaviour, as well as educate them on the risks of paying the ransom.

Social engineering: cybercriminals use psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering training teaches employees how to defend against sophisticated phishing attacks with tools and techniques to recognise and combat them.

Social media use: while many organisations do not consider social media to be a threat, it can lead to a security breakdown without proper policies in place. For example, malicious actors can monitor a staff member’s social media behaviour to learn inside information that lets them create more effective social engineering campaigns. Knowing the dos and don’ts of social media can help employees avoid leaked passwords, brand impersonation, and various phishing scams.

Internet and email use: email is the primary vector for spreading ransomware, via phishing messages that trick recipients into opening malicious links or attachments; this is sometimes known as business email compromise. Training will equip employees with the tools to recognise and prevent an incoming cyberattack.

Mobile device security: mobile devices are a leading cause of data breaches; however, companies still fail to properly train employees on secure device use. Cybersecurity awareness training teaches employees about device safety, including the importance of passcode protection and enabling data encryption.

Removable media and devices: cybercriminals leverage removable media and devices as an initial attack vector in operational technology (OT) environments. It is important for employees to understand how to manage the risk of removable media such as USB drives and the importance of protecting the data on these devices.

Passwords and authentication: login credentials present a significant risk to users’ sensitive information. Employees need to understand the importance of using strong login credentials to protect information from falling into the wrong hands.

Physical security: to combat data theft, physical objects that contain sensitive information must be protected. Physical security training prepares employees to recognise threats that leave networks vulnerable to attack and teaches them how to mitigate those threats with physical and digital policies.

Work from anywhere (WFA): in the rush to set up remote work environments, businesses faced newly exposed or vulnerable devices and networks. WFA training can help employees working outside the office avoid falling prey to phishing attacks, understand how to keep data secure when outside the corporate firewall, and adhere to cybersecurity best practices.

Public Wi-Fi: employees who work in places such as cafes, libraries, and public transport may need extra training on how to safely use public Wi-Fi services. Training will guide employees on the inherent risks of using public networks and how to identify a potential scam.

Cloud security: as businesses flock to the cloud, the risk of large-scale hacks increases, emphasising the importance of guiding employees through the secure use of cloud-based applications.

Employees are high-value targets for threat actors; however, they’re also the best defence against cyberattacks. By implementing an effective end-user security awareness program, organisations can promote a security-compliant culture with increased user awareness to stop breaches and protect data while also freeing up IT resources.