We currently live in a digital era where almost everything is done online, including business operations. While the internet has provided employees with all kinds of opportunities to stay connected, gain access to a wealth of information, and collaborate, this accessibility also means that they are putting their data at risk. Consequently, most organizations are now supplementing their conventional security awareness training with simulated phishing tests for their first line of defense — their employees. The purpose of these tests is to reveal the risks related to cybercrimes and improve staff awareness.
As more and more people are increasingly becoming reliant on smartphones and other gadgets, it has become necessary to find ways to safeguard against cyberattacks. To secure important business data and information, enterprises in Hong Kong and other countries worldwide are joining hands to spread cybersecurity awareness.
EC-Council’s Aware provides phishing, SMiShing, and vishing simulations, all in a single revolutionary platform integrated with e-Learning and gamification modules on a learning management system (LMS) to help prepare your business against cyberattacks.
Security awareness training prepares members of an organization — employees, contractors, temps, and anyone else who completes authorized functions online for an organization — with the necessary information to defend themselves and secure their organization’s assets from damage or loss.
Unfortunately, several cybersecurity experts have a narrow perspective on security awareness training and its implications for their organizations. This is quite understandable, considering that the field of information security also has an equally limited explanation of it as well. Nevertheless, since employees are a critical aspect of the organization’s attack surface, ensuring they are equipped to protect themselves and the organization from internal and external threats is a crucial element of a sound security awareness plan.
Thankfully, cybersecurity is now a crucial part of the organizational continuity plan. Gone are the days when security was someone else’s problem. Now, cyberattacks are targeted at every unsuspecting individual and department. Not surprisingly, workplace security awareness training programs have become a part of organizational culture just as staff lunch coupons have!
A sound cybersecurity awareness training should not just begin and close with business mandates. It should start with inspirations, enablement, and, most of all, personal connection. Moreover, security awareness training strategies should ensure that employees meet and comply with all the available regulatory requirements, including PCI, FISMA, NIST, ISO, HIPAA, and Sarbanes-Oxley reporting requirements.
It comes as no surprise that the history of cybersecurity can be traced back to the appearance of the internet. Ever since the worldwide web began to percolate into mainstream society, cybercriminals have been coming up with innovative ways to take advantage of this.
One of the first incidents of hacking took place in the early 1980s when a group of computer hackers known as the 414s (named after their Milwaukee area code) were arrested for breaking into more than 60 computer networks. These include the Memorial Sloan-Kettering Cancer Center and the Los Alamos National Laboratory.
As hacking became increasingly challenging during this period, the Computer Fraud and Abuse Act was created to punish those who were caught victimizing computer systems. By the late 1980s, a unit called the Computer Emergency Response Team (CERT) was formed under the Computer Emergency Response Team (CERT) to investigate the growing volume of hacking on computer networks.
Towards the end of the 1980s, Robert Morris released the historic Internet worm, which caused 10% of the internet to shut down (at the time). It was also possibly the first denial-of-service (DoS) attack ever to appear on the internet.
Though hacking from the 1980s was, for the most part, carried out by amateurs and hacking students, cybercrime took a more serious turn as the 1990s rolled by. By this time, cybercrime had not only increased in sophistication but notoriety. Hackers started to target government agencies and substantial corporate databases, such as Yahoo!, eBay, and Amazon.
From the late 1990s to the beginning of the millennium, viruses, such as Melissa and ILOVEYOU, started making headlines for infecting more than 10 million personal computers and causing the failure of email systems around the world. These threats inevitably led to the development of antivirus technology and the growing importance of security awareness for computer users.
The United States security hearings after 9/11 and the resulting activities that followed in the subsequent years highlight how human senses improve in the aftermath of an incident. The same goes for an information security staff program. It is important to note that awareness will be heightened after an event, but it will be short-lived without fortifications. This is why continuous security training is required.
Security plans and policies no doubt look good on paper. However, making them be of any benefit to the organization requires that you apply them effectively. Part of that application is the training stage that should be a core aspect of any effective incident response plan or security and risk management plan.
Rob Kraus indicated that random security training within organizational environments leads to a 10% to 15% decrease in the probability of an effective cyberattack. Similarly, being consistent with security awareness training can lessen cybercrimes and their impacts to about 40% to 50%.
Many employees are unaware of the critical risk factors associated with information security and privacy. Since security is everyone’s business, security awareness training helps to bring everyone within the organization to the same page, protects both human and physical resources, and lessens incidents and the risks associated with cyberattacks.
Your security awareness consultant’s efforts will be ineffective if treated like a mere box that must be ticked, particularly if you fail to review your training modules constantly. Therefore, an effective cybersecurity awareness information plan must be fun and not stringent, and it must be backed up by the executive and management board. It must be targeted at improving user behavior and be interactive in a way that necessitates feedback from all users. It should also be diverse in such a way that it penetrates the totality of the corporation with security awareness training materials, including email tips, posters, newsletters, and other regularly distributed communication materials.
Other ways to improve your security awareness training include:
Aware combines simulated phishing attacks with set-and-go training modules, improving awareness, altering user behavior, and reducing the risk associated with social engineering attacks.
Phishing has been going on for many years now, yet many users continue to fall prey to tactics that bait victims into revealing their personal information. There is a reason why this type of cyber threat is so prevalent and dangerous: besides being relatively inexpensive, it is extremely easy to execute.
Identifying an email scam is not always a straightforward process. This is where Aware comes in. Our phishing simulations mimic real-life attack scenarios that teach your employees to spot phishing scams and avoid the hefty cost of a data breach.
As texting is one of the most common methods of communication for many users, this inevitably makes it an irresistible target for many cybercriminals. SMiShing has become one of the main tools in a scammer’s arsenal, partly because it is so easy to wield and requires little technical knowledge.
SMiShing typically follows the usual phishing route. Each text contains a link that directs the target to a website and asks them to fill in their details or prompts them to download malware onto their system. However, compared to a standard phishing attack, the success rates are higher with a SMiShing attack because users are not conditioned to receive spam on their mobile phones.
Vishing often begins where phishing ends. For instance, you click on a link for an advertisement that relates to your interest. The link, which hides embedded malware, triggers a lock-up component that only a helpful “technical” person can help you with. So, you call the number you see and spend some money to remediate the problem. Little did you know, it was all just part of the scam, and the company that you just called was the culprit that created this problem in the first place.
Our phishing reporting tool, known as CheckAPhish, helps you gain visibility into your organization’s risk behavior and measures the overall risk levels across your user groups. You will also have different types of reports at your disposal.
CheckAPhish+ is an advanced version of CheckAPhish and is the latest addition to Aware’s roster of services, with innovative features and added advantages such as one-view scanning and deletion of suspicious emails. The software is specially designed for all corporate houses, making it a must for corporates who are serious about phishing attacks and are fighting against cybercrime.
Ans. Information security awareness training simulates the daily choices that DoD information system users make while carrying out their tasks. This training suggests that information system users are accountable for safeguarding classified and sensitive information, together with the location or storage of the information system.
Quarterly information awareness training serves as the foundation for adopting a security mentality, demonstrated in everyday work routines from telephone and email interactions to wireless network and physical security protocols. The completion of information security awareness training by all employees in an organization is fundamental to upholding a strong security posture.
Ans. In the wake of the COVID-19 pandemic and the current economic climate, most organizations in the Hong Kong are battling with how to keep their businesses running. IT experts and other cybersecurity professionals have their work cut out to develop and maintain a remote business setting to ensure business continuity.
While company budgets are going all-out to finance this, a recent survey has shown that phishing attacks escalated by over 667% in March 2020 alone. Now more than ever, you need to be training and phishing all your users. Your security awareness training program must incorporate a people-centric strategy since most cyberattacks are targeted at people (that is, consumers and employees).
You miss the chance to protect your organization when you don’t include users in your security awareness program policy. Likewise, your organization’s unique threat profile should also be factored into your security awareness program ideas when deciding what topics to cover.
However, before we delve deep into what security awareness training should include, the following are the top three elements of a security awareness program:
Now that we’ve established the elements of security awareness training, below are some of the major topics that should be included in your security awareness training modules:
Employees must be educated on detecting phishing and the potential threats associated with inputting credentials on a spoofed page or interacting with suspicious links. According to research conducted by the Ponemon Institute, there is a projected 75% training retention rate when traditional phishing tests are applied. It was further suggested that when a company uses phishing tests, it can increase its ROI.
Microsoft also suggests that phishing is still one of the leading methods for sending malware infection, and the most common phishing methods include mobile texts, emails, and voice calls. Therefore, your security awareness training should consist of topics about this prevalent cyberattack. Your phishing modules should also cover contacts from suspicious emails or social media accounts; questionable voice calls, texts, or emails; spear phishing; and cases of phishing attempts that have affected other organizations in the same industry.
Every organization in Hong Kong needs to implement a refresher course (people patching) for employees. Just as it is important to keep your organizational systems and networks updated continuously, your users also need that same maintenance level or people patching. Your security awareness training must be an ongoing process so that employees retain concepts long-term.
As such, a training session on how to spot the tell-tale signs of malware infections and what to do when this is spotted is important. This is the basic training that would echo in the minds of your users when you mention topics like patching and phishing. Your malware training session should identify the types of malware and describe their capabilities.
Desktop Security Policy
This topic covers desktop hygiene and desk security practices. Employees should be trained on how to declutter their desks to prevent possible information leaks. Desktop hygiene would cover password security, why printouts should not be left on the printer, shutting down computers when they are not being used, and also not plugging unauthorized devices into company terminals. This would also enlighten employees on the potential dangers of doing any of these even for a few minutes.
Physical Security and BYOD
The nature and extent of a mobile device security policy can differ from one organization to the other. Considering that most organizations now allow employees to bring their own devices to work and use their gadgets for virtual offices or remote workstations, it is important that physical security awareness training is conducted for all users.
Employees should be acquainted with the importance of safe app installations, use passwords to control phone access, use public Wi-Fi safely, and report physical security risks. This can also cover the potential risks of connecting to unsafe wireless networks and unfamiliar ones.
Social Media Security
Social media serves as a window to the world and virtually everyone has a social media account and uses other online platforms. While social media platforms help you to connect with people, they also open you to cyberattacks. Your security awareness tips should include safe practices for employees while accessing social media pages. This can be merged with the phishing and malware module since this is a recent channel for both.
Ans. Phishing describes a form of cyberattack that applies camouflaged emails, texts, or voice as a weapon to trick the recipient into believing the information is something they need. This could include a call from a distant relation, a request from their banks, or even a link to an attachment. Phishing is the number one culprit for most data breaches that take place today.
As fraudsters continue to develop innovative ways to trick end users into giving up their personal information, it is important for businesses to strengthen their first line of defense — their employees — to avoid falling prey to such attacks. This is the reason security awareness is so important. It only takes one user to click on a phishing email for a cybercriminal to breach your organization’s network and steal your data. Aware provides phishing simulations that mimic real-life attack scenarios that teach your employees to spot phishing frauds and prevent the hefty cost of a data breach.
Ans. The following are important facts you should know about phishing:
Ans. Phishing simulations are the most important part of spreading awareness about phishing. The simulation is nothing but a mock phishing scenario that is created aesthetically and strategically for employees of corporate houses so they can understand real-time phishing activities. It is one of the most important steps while training, and is usually based on different real-life scenarios.
Ans. The main benefit of phishing simulations and computer-based training is that they help prevent data breaches.
Ans. Check out some important information about CheckAPhish+ below:
CheckAPhish+ Signup and Setup: The CheckAPhish+ Signup can be with the same email or admin credentials of the client. (O365, GSuite, or Exchange). After landing on the onboarding page of Aware Admin Console, the user with the required credentials should enter the respective authorized page. For easy CheckAPhish+ implementation, Google/Outlook plugins are available.
CheckAPhish+ One View Scanning: Bulk emails scanning is possible with this CheckAPhish+ feature. Automated email scanning is the USP of CheckAPhish+. It is an anti-phishing engine that allows scanning of emails in bulk to ensure that phishing emails in large numbers are in the mailbox. An admin can scan multiple employees at a go, which can help them get rid of all phishing emails. It eventually sorts and segregates mails for cleansing email accounts. The automation of reporting any suspicious email can also be done by using the CheckAPhish+ plugin.
Prompt Deletion of Phishing Emails: After scanning and sorting phishing emails, it is important to delete them as well! With CheckAPhish+, there is an option where all phishing emails can be deleted at one go. This is highly recommended.
To learn more about Aware’s products and services, you can contact us, follow us on our social channels, and reach out to us at the address below.