We currently live in a digital era where almost everything is done online, including business operations. While the internet has provided employees with all kinds of opportunities to stay connected, gain access to a wealth of information, and collaborate, this accessibility also means that they are putting their data at risk. Consequently, most organizations are now supplementing their conventional security awareness training with simulated phishing tests for their first line of defense — their employees. The purpose of these tests is to reveal the risks related to cybercrimes and improve staff awareness.
EC-Council's Aware provides phishing, SMiShing, and vishing simulations, all in a single revolutionary platform that is integrated with e-Learning and gamification modules on a learning management system (LMS) to help prepare your business against cyberattacks.
Security awareness training prepares members of an organization — including employees, contractors, temps, and everyone else that completes authorized functions online for an organization – with the necessary information to defend themselves and secure their organization’s assets from damage or loss.
Unfortunately, several cybersecurity experts have a narrow perspective when it comes to security awareness training and its implications for their organizations. This is quite understandable, considering that the field of information security also has an equally narrow explanation of it as well. Nevertheless, since employees are a critical aspect of the organization’s attack surface, making sure that they are equipped with the expertise to protect themselves and the organization from both internal and external threats is a crucial element of a sound security awareness plan.
Thankfully, cybersecurity is now a crucial part of the organizational continuity plan. Gone are the days when security was someone else’s problem. Now, cyberattacks are targeted at every unsuspecting individual and department. Not surprisingly, workplace security awareness training programs are as much a part of organizational culture as staff lunch coupons!
A sound cybersecurity awareness training should not just begin and close with business mandates. It should start with inspirations, enablement, and, most of all, personal connection. Moreover, security awareness training strategies should ensure that employees meet and comply with all the available regulatory requirements, including PCI, FISMA, NIST, ISO, HIPAA, and Sarbanes-Oxley reporting requirements.
Information security awareness training simulates the daily choices DoD information system users make while they carry out their tasks. This training suggests that information system users are accountable for safeguarding classified and sensitive information, together with the location or storage of the information system.
Quarterly information awareness training serves as the foundation for adopting a security mentality, which is demonstrated in everyday work routines from telephone and email interactions to wireless network and physical security. The completion of information security awareness training by all employees in an organization is fundamental to upholding a strong security posture.
It comes as no surprise that the history of cybersecurity can be traced back to the appearance of the internet. Ever since the worldwide web began to percolate into mainstream society, cybercriminals have been coming up with innovative ways to take advantage of this.
One of the first incidents of hacking took place in the early 1980s when a group of computer hackers known as the 414s (named after their Milwaukee area code) was arrested for breaking into more than 60 computer networks. These include the Memorial Sloan-Kettering Cancer Center and the Los Alamos National Laboratory.
As hacking became increasingly challenging during this period, the Computer Fraud and Abuse Act was created to punish those who were caught victimizing computer systems. By the late 1980s, a unit called the Computer Emergency Response Team (CERT) was formed under the Defense Advanced Research Project Agency (DARPA) to investigate the growing volume of hacking on computer networks.
Towards the end of the 1980s, Robert Morris released the historic Internet worm, which caused 10% of the internet to shut down (at the time). It was also possibly the first denial-of-service (DOS) attack ever to appear on the Internet.
Though hacking from the 1980s was, for the most part, carried out by amateurs and hacking students, cybercrime took a more serious turn as the 1990s rolled by. By this time, cybercrime has not only increased in sophistication but notoriety. Hackers started to target government agencies and substantial corporate databases, such as Yahoo!, eBay, and Amazon.
From the late 1990s to the beginning of the millennium, viruses, such as the Melissa and ILOVEYOU, started making the headlines for infecting more than 10 million personal computers and causing the failure of email systems around the world. These threats inevitably led to the development of antivirus technology and the importance of security for computer users.
In the wake of the COVID-19 pandemic and the current economic climate, most organizations are battling with how to keep their businesses running. IT experts and other cybersecurity professionals have their works cut out for them with developing and maintaining a remote business setting to ensure business continuity.
While company budgets are going out to finance this, a recent survey has shown that phishing attacks escalated by over 667% in March 2020 alone. Now more than ever, you need to be training and phishing all your users. Your security awareness training program must incorporate a people-centric strategy since most cyberattacks are targeted at people (that is, consumers and employees).
You miss the chance to protect your organization when you don’t include users in your security awareness program policy. Likewise, the unique threat profile of your organization should also be factored into your security awareness program ideas when deciding what topics to cover.
However, before we delve deep into what security awareness training should include, the following are the top three elements of a security awareness program:
Now that we’ve established the elements of security awareness training, below are some of the major topics that should be included in your security awareness training modules.
Employees must be educated on how to detect phishing and the potential threats associated with inputting credentials on a spoofed page or interacting with suspicious links. According to research conducted by the Ponemon Institute, there is a projected 75% training retention rate when traditional phishing tests are applied. It was further suggested that when a company applies phishing tests it can increase their ROI as well.
Microsoft also suggests that phishing is still one of the leading methods for sending malware infection and the most common methods of phishing include mobile texts, emails, and voice calls. Therefore, your security awareness training should include topics about this prevalent cyberattack. Your phishing modules should also cover contacts from suspicious emails or social media accounts; suspicious voice calls, texts, or emails; spear phishing; and cases of phishing attempts that have affected other organizations in the same industry.
Every organization needs to implement a refresher course (people patching) for employees. Just as it is important to keep your organizational systems and networks constantly updated, your users also need that same level of maintenance or people patching. Your security awareness training must be an ongoing process so that employees can retain the concepts for the long-term.
As such, a training session on how to spot the tell-tale signs of malware infections and what to do when this is spotted is important. This is the basic training that would echo in the minds of your users when you mention topics like patching and phishing. Your malware training session should identify the types of malware and describe their capabilities.
This topic covers desktop hygiene and desk security practices. Employees should be trained on how to declutter their desks to prevent possible information leaks. Desktop hygiene would cover password security, why printouts should not be left on the printer, shutting down computers when they are not being used, and also not plugging unauthorized devices into company terminals. This would also enlighten employees on the potential dangers of doing any of these even for a few minutes.
The nature and extent of mobile device security policy can differ from one organization to the other. Considering that most organizations now allow employees to bring their own devices to work and use their personal gadgets for virtual offices or remote workstations, it is important that physical security awareness training is conducted for all users.
Employees should be acquainted with the importance of safe app installations, how to use passwords to control phone access, how to use public Wi-Fi safely, and how to report physical security risks. This can also cover the potential risks of connecting to unsafe wireless networks and unfamiliar ones.
Social media serves as a window to the world and virtually everyone has a social media account and uses other online platforms. While social media platforms help you to connect with people, they also open you to cyberattacks. Your security awareness tips should include safe practices for employees while accessing social media pages. This can be merged or slot in with the phishing and malware module since this is the recent channel for both.
The United States security hearings after the 9/11 incident, as well as the resulting activities that followed in the subsequent years, highlight how human senses are improved after an incident. The same goes for an information security staff program. It is important to note that awareness will be heightened after an event, but it will be short-lived without fortifications. This is why continuous security training is required.
Security plans and policies no doubt look good on paper. However, making them be of any benefit to the organization requires that you apply them effectively. Part of that application is the training stage that should be a core aspect of any effective incident response plan or security and risk management plan.
Rob Kraus indicated that random security training within organizational environments leads to about a 10% to 15% decrease in the probability of an effective cyberattack. Similarly, being consistent with security awareness training can lessen cybercrimes and their impacts to about 40% to 50%.
Many employees are unaware of the critical risk factors associated with information security and privacy. Since security is everyone’s business, security awareness training helps to bring everyone within the organization to the same page, protects both human and physical resources, and lessens incidents and the risks associated with cyberattacks.
The efforts of your security awareness consultant will be ineffective if treated like a mere box that must be ticked, particularly if you fail to review your training modules constantly. Therefore, an effective cybersecurity awareness information plan, must be fun and not stringent, and it must be backed up by the executive and management board. It must be targeted at improving the behavior of all the users and it must be interactive in a way that it necessitates feedback from all users. It should also be diverse in such a way that it penetrates the totality of the corporations with security awareness training materials, including email tips, posters, newsletters, and other regularly distributed communication materials.
Other ways to improve your security awareness training include:
What Exactly Is Phishing?
Phishing describes a form of cyberattack that applies camouflaged emails, text, or voice as a weapon to trick the recipient into believing the information is something they need. This could include a call from a distant relation, a request from their banks, or even a link to an attachment. Phishing is the number one culprit for most data breaches that take place today.
As fraudsters continue to come up with innovative ways to trick end users into giving up their personal information, it is important for businesses to strengthen their first line of defense — their employees — to avoid falling prey to such attacks. This is the reason security awareness is so important. It only takes one user to click on a phishing email for a cybercriminal to breach your organization’s network and steal your data.
Aware provides phishing simulations that mimic real-life attack scenarios that teach your employees to spot phishing frauds and prevent the hefty cost of a data breach.
The following are important facts you should know about phishing:
Phishing simulations are the most important part of spreading awareness about phishing. The simulation is nothing but a mock phishing scenario that is created aesthetically and strategically for employees of corporate houses so they can understand real-time phishing activities. It is one of the most important steps along with training, which is based on different real-life scenarios.
To learn more about phishing simulations for employees, you can read different blogs and articles available on the internet.
The eventual benefit of phishing simulation and computer-based training is that it prevents a data breach.
Aware combines simulated phishing attacks with set-and-go training modules, can help improve awareness, alter user behavior, and reduce the risk associated with social engineering attacks.
Phishing has been going on for many years now, yet many users continue to fall prey to tactics that bait victims into revealing their personal information. There is a reason why this type of cyber threat is so prevalent and dangerous: besides being relatively inexpensive, it is extremely easy to execute.
Identifying an email scam is not always a straightforward process. This is where Aware comes in. Our phishing simulations mimic real-life attack scenarios that teach your employees to spot phishing scams and avoid the hefty cost of a data breach.
As texting is one of the most common methods of communication for many users, this inevitability makes it an irresistible target for many cybercriminals. SMiShing has become one of the main tools in a scammer’s arsenal, partly because it is so easy to wield and requires little technical knowledge.
SMiShing typically follows the usual phishing route. Each text contains a link that directs the target to a website and asks them to fill in their details or prompts them to download malware onto their system. However, as opposed to a standard phishing attack, the success rates are higher with a SMiShing attack because users are not conditioned to receiving spam on their mobile phones.
Vishing often begins where phishing ends. For instance, you click on a link for an advertisement that relates to your interest. The link, which hides embedded malware, triggers a lock-up component that only a helpful “technical” person can help you with. So, you call the number you see and spend some money to remediate the problem. Little did you know, it was all just part of the scam, and the company that you just called was the culprit that created this problem in the first place.
Our phishing reporting tool, known as CheckAPhish, helps you gain visibility into your organization’s risk behavior and measure the overall risk levels across your user groups. You will also have different types of reports at your disposal.
CheckAPhish+ comes with innovative features and added advantages. CheckAPhish+ is an advanced version of CheckAPhish and is the latest addition by Aware! The software is specially designed for all corporate houses. CheckAPhish+ is the latest revolution that can conduct one-view scanning and deletion of suspicious emails. It is a must for corporates who are serious about phishing attacks and are fighting against cybercrime.
Check out some important information about CheckAPhish+ below:
The CheckAPhish+ Signup can be with the same email or admin credentials of the client. (O365, GSuite or Exchange). After landing on the onboarding page of Aware Admin Console, the user with the required credentials should enter the respective authorized page. For easy CheckAPhish+ implementation, Google/Outlook plugins are available.
Bulk emails scanning is possible with this CheckAPhish+ feature. Automated email scanning is the USP of CheckAPhish+. It is an anti-phishing engine that allows scanning of emails in bulk to ensure that phishing emails in large numbers are in the mailbox. An admin can run a scan on multiple employees at a go, which can help employees to get rid of all phishing emails. It eventually sorts and segregates the mails for cleansing email accounts. The automation of reporting any suspicious email can also be done by using the CheckAPhish+ plugin.
After scanning and sorting the phishing emails, it is important to delete those as well! With CheckAPhish+, there is an option where all phishing emails can be deleted at one go. This is highly recommended.
To learn more about EC-Council’s Aware products and services, you can contact us, follow us on our social channels, and reach out to us at the address below.