There are already so many things you and your employees need to be aware of to avoid getting hacked. How, then, are busy non-technical people just doing their jobs supposed to remember all this stuff? You train them. Security awareness training is designed to give staff the skills they need to thwart most cyber security attacks before they happen.
The bad news is that staff security awareness training isn't as common as it should be. The 2020 Shred-It Data Protection Report found that 24% of C-suite executives and 54% of small business owners say they have no regular training on information security procedures or policies. Morphisec's 2020 WFH Employee Cybersecurity Threat Index states that 20% of employees surveyed said their IT department provided no tips for working remotely.
In the same way that most workers receive professional development throughout their careers, security awareness is a skill that needs to be learned and refreshed regularly.
Most successful hacking attempts occur when someone in the business has a moment of weakness or carelessness. The Office of the Australian Information Commissioner's (OAIC) Notifiable Data Breaches Report for July - December 2021 details that phishing, stolen passwords and ransomware are the most common cyber incidents leading to a notifiable data breach. Those incidents aren't the work of sophisticated state actors; they're garden-variety hackers using known techniques that are easy to thwart if you're aware of them.
Unfortunately, it only takes a single unaware staff member to unwittingly leave a door open for a hacker that then results in having to deal with the OAIC and becoming a statistic in their next report.
One example of how a single weak link can undo the best security comes from Ireland in 2021. A simple Excel file, opened by an employee on a workstation of the HSE (Ireland's health service), led to healthcare professionals losing access to all HSE-provided IT systems. Healthcare services countrywide were disrupted and over €100 million was spent on remediation work to repair the damage. All that from a single email that could have been avoided if the employee had been better trained.
It's only a matter of when, not if, someone in your organisation slips up. With the right training the likelihood and severity of these inevitable incidents can be reduced, turning what could be a killer blow into a mild inconvenience.
Develop a Security First Culture
Protecting your business from a cyber security incident is the main benefit of security awareness training but conducting regular training sessions also helps create a "security first" culture in your organisation. Fostering this culture goes a long way to avoiding the second largest source of data breaches according to the OAIC - human error.
Commissioner Falk from the OAIC noted that the latest figures on human error "reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information". When the OAIC Commissioner speaks, we should listen.
Tessian’s Psychology of Human Error 2022 report backs this up, with a quarter of employees surveyed confessing to clicking a phishing link in an email at work. Why? Distraction. Fostering a security first culture in your workplace can turn learned behaviours into instincts, so even when under the pump staff remain alert to cyber security attacks.
Making security awareness training a priority demonstrates to staff that your organisation takes security seriously, and it reduces incidents such as emailing personal information to the wrong person, unintentionally publishing or releasing information, and losing paperwork or data storage devices.
What’s covered in security awareness training?
Security awareness training isn't a full cyber security course. Your employees aren't going to turn into experts who can help the Australian Signals Directorate fight in cyber wars. This type of training aims to provide basic information that everyone can understand, with the hope that this knowledge prevents the easiest types of hacking attempts.
Topics typically covered in security awareness training include:
The business of hacking - why do hackers do what they do, and what's in it for them? Understanding the motivations of hackers gives purpose to why we need to take cyber security seriously, and shows that it's not a thing that only happens to "someone else".
Real-life examples of hacking and phishing attempts - showing staff case studies of groups impacted by a cyber security event reinforces the fact that everyone is vulnerable, and lets them call out similarities with their own organisation.
How to spot phishing attempts - examples, tips and tricks for verifying that emails, text messages and other communication are legitimate. Instil healthy scepticism into employees so they aren't duped by this extremely common network infiltration method.
Be alert for social engineering - educate staff that there are people willing to exploit their good nature to gain access to confidential information or network access. Even if the staff aren't high ranking, they can still be used in social engineering campaigns unwittingly.
Password manager use – the vital act of creating strong, unique passwords, on all services every time can be difficult without a password manager. Training staff to use one is no different than training staff to use any other application your business relies on.
Detect fake Wi-Fi networks - public Wi-Fi networks are easily manipulated to redirect data into a hacker's hands. Explaining why using public Wi-Fi is a no-no reduces the chances of staff logging in to a malicious Wi-Fi network.
Multi-factor authentication - despite being one of the best value for money and lowest effort features to reduce hacking attempts, people still misuse MFA and unwittingly grant access to unauthorised individuals by sending codes or accepting authentication notifications without paying attention.
Identifying suspicious equipment - training staff to identify hacking tools like "Rubber Ducky" USB devices attached to keyboards that intercept and store keystrokes to capture passwords, or "Wi-Fi Pineapple" Wi-Fi intercept boxes placed in or around business premises, means they can be removed promptly.
In-person security training yields the best results
Security awareness training can be delivered in two ways - automated or in person.
Automated training is typically conducted online via a series of videos that end in a quiz to check what you've learned. This type of training can tick a box to show you are training your employees, but the most effective type of training is in person and delivered by a cyber security expert. They have seen and heard it all, so they can easily customise their training to your organisation and your staff's familiarity with technology, along with interesting and relevant stories that can engage an otherwise disinterested audience.
Like any skill, if you don't use it, you lose it. Security awareness training is no different. A study by USENIX, one of the oldest computer research organisations in the world, asked freshly trained individuals to identify phishing emails at different intervals over 12 months. The more time that had passed since the training, the more likely the participants were to fall for a phishing attempt. The largest increase in successful phishing emails came six months after the training.
The key message of this blog is that your organisation's cyber security is only as strong as its weakest link, and that link is often a staff member who doesn't know any better because they haven't been effectively trained on what to do should they encounter one of the various methods the average hacker has at their disposal. By regularly showing your staff the common attacks and educating them on what to do about them, the chances of a hacking attempt being successful drop dramatically.
Looking to engage your staff in some cyber security training in 2023 and beyond? Give us a call on 1300 778 078 to discuss an in-person training session for your team.