Most companies will never be able to build an organization full of security experts, so what can you do to build the most expertise possible across your business? How do you build a cyber and email security training program? What should your objectives be to effectively accomplish this?
As discussed in our previous post on setting up a Cyber Security Awareness and Training program, any training plan must be predicated on proper cyber security awareness. Before any training can be begin, you need buy-in across your organization, both from the top-down and bottom-up. Your organization needs to be aware of the cyber security leadership provided by its IT department, otherwise any training efforts will be short-lived and fall on deaf ears.
Effective cyber and email security is invisible to most – most strategies aren’t obvious until they stop working, and good ones rarely fail. Users don’t have a need to see every one of the ongoing threats that you and your team are doing such a great job preventing but, as part of the awareness plan, telling them how well you are doing against commonly known threats will reassure them that they are protected. Building on that awareness, cyber and email security training should empower your users with a minimum required background to ensure a level of organizational savviness and confidence.
Thus, an effective cyber security training strategy does 3 things.
- Trains – Lets users know the practices that they are responsible for.
- Informs – Regularly updates users on new standards and applications.
- Gives a Healthy Paranoia – Perhaps most importantly, lets users know when to hit the “red button”.
While each organization will have it’s own security requirements depending on its size, industry and other concerns, the fundamentals of an effective cyber security training program remain the same, driving both accountability and a sense of security for everyday users. So, based on the principles above, let’s delve into how each can apply to your organization.
What users are responsible for:
The first thing any new employee does is set up a password to their email or other accounts, and maintaining strong password . We’ve written extensively about this subject in the past and for good reason. A stolen, phished, brute-forced, or keylogged password can do incredible damage to your work network. Training your users consists of ensuring not just on how to create an effective password but how to never give it out, avoiding suspicious or illicit sites that could download spyware to their device, questioning potential phishing links and other messages that may make it to them (without an effective filter like Vircom’s modusCloud) are all top-of-mind issues when it comes to password management.
Along with choosing a strong password and NEVER giving it out, ensure that all devices are password protected, especially mobile devices which if accessed can provide hackers a gateway to all your sensitive information. The same applies to USB devices and drives that may be handled inside or outside of the office.
Nearly all departments will have separate software needs. Over-restrictive IT policy can often lead to subpar, counter-productive software to a department’s specific purposes, but employees should also understand how to take responsibility for the software they want to use and where to store and manage its accesses. By validating employees’ preferred software and providing a place to store and manage passwords separately from your messaging and word processing apps, you create both a secure and cooperative environment that suits users needs and ITs security requirements.
Identifying Malicious Emails, Links, Attachments, Websites.
The ability to use judgement to prevent clicks on malicious links is important. Human error is the biggest risk in cybersecurity – for all the effort made to secure systems and servers, the users who access them can still make mistakes. Make sure that your users understand what a spoofed email is and how to identify it. The same applies to an attachment that could be malicious, a phishing link or a dangerous website.
Many people will often click a link out of curiosity, a trend scammers are experts at exploiting, while popups are designed to get instant reactions from users who aren’t thinking about the consequences of the action they might take. Understanding this psychological element and warning your users about the risks is essential.
A cyber and email security solution will cut these risks as close to 0% as possible, but the training you provide your users can help improve that all the more..
Using public Wifi
With the trends in remote workers, part timers, freelancers and consultants, there are risks to the network that a firewall can’t control. Public wifi networks are vulnerable and should be avoided by users at all costs. Users should not enter passwords to sites where financial information can be collected or log into their email, while also using 2FA and secure websites. In general, users should also try to stick to their cellular data, tethering their other devices when possible. Special care must be taken when logging into wifi at your hotel and other places, as imposter networks and a high volume users increase the risk of sensitive information being shared.
Using 2 (or more) Factor Authentication (2FA/MFA)
Protecting personal information is a must, and any remote login or similar request should require, at minimum, two-factor authentication. If someone needs information or a transfer of funds “immediately”, employees should always approach it with skepticism and ensure that they can confirm the validity of the request and the identities of those involved. With financial transactions, your users must know that they need to get multiple levels of authorization, and a little healthy skepticism is a must.
Depending on what kind of encryption is being used, train your organization to know how and when it must be used. An effective and secure email encryption service will use a variety of methods, including managed dictionaries and smart triggers, that automatically encrypt emails with sensitive information, while subject-line triggers can also ensure that your users can effectively and intuitively leverage it for the security of both you and your customers.
Updating Users on These Standards and Applications
To supplement the training and basic skills that all your users need, its important to provide them with updates that give context to their actions, what is required of them, and to keep them abreast of basic security terminology.
Backups (Machine and Email)
Explain how backups run, both of email and of shared folders to ensure continuity. If ever a device fails or an email is mistakenly deleted, show your users that they can rely on their IT department to support them.
Email Security Solutions
With an email security solution, many of the important features that prevent threats from gaining access are built-in. Explaining this can help your users relax and gain confidence knowing that there’s a powerful solution working in tandem with their more “human” efforts. Communicate the concepts underlying URL Defense, Domain and Email Spoofing prevention, DMARC, Spam Filtering, Targeted Phishing Protection, Email Virus Scanning and more as sophisticated defense mechanisms against many of today’s most targeted attacks and their tactics.
Malware Scanning and Anti-Virus Software
All computers connected to your networks should have Malware and Virus Protection. This should include web security, real-time scanning and a secure VPN, all of which your users need to understand both in terms of how it protects them and how it doesn’t. With those big door-blasting threats out of their minds, they can understand when to spot socially engineered attacks that are targeting them more specifically.
Explain to users how they work and their importance, what kind of threats they protect against and how they keep your users from being exposed to more dangerous threats.
When to hit the Alarm Button
Encourage your users to not hesitate to contact IT or ring the proverbial “alarm bells” if they are unsure about the nature of a request for access or funds. Take the approach that no question is a bad question, and wherever a question you might otherwise consider “bad” pops up, use that as an example of something to include in your additional training and awareness efforts. If your users feel comfortable bringing things to your attention about the emails they receive, the software they user or the places they take their devices, you can bring down the odds of human error dramatically and increase visibility on solutions if and when something bad does happen.
It is also essential that high risk and less tech-literate members of your team receive extra attention. Hackers know how to target the most vulnerable, and the most vulnerable are more likely to make the “human error”. Figure out a way to approach the subject pleasantly, without them feeling like they are being singled out. As part of this high-risk group, the C-suite must receive comprehensive attention – as they are key decision makers and can easily make costly mistakes in the midst of their busy schedules.
Building a Complete Cyber Security Training Plan for Your Organization
There are online quizzes, companies that specialize in providing trainings, and security training consultants for hire out there to help you develop a complete training plan. We’ve included some ideas and links below to supplement our tips above.
To reiterate, you shouldn’t expect to build a team of cyber security experts. Asking them to know the difference between spear phishing and whaling, or what a patch or SQL Exploit is will not make your company more secure. It will just overwhelm your audience. Instead, provide practical advice on subjects that can clearly interest your users, and you’ll see a effective practices take root.
Other materials and ideas:
Toolkit from Microsoft on Internet Safety for Enterprise & Organizations
Distributable Cyber Security materials from CERT – the US Computer Emergency Readiness Team
From the InfoSec Institute – How to Get Quick Results
Or some ideas for the Gamification of Cyber Security Training