Whether you’re an SMB or the head of an SMF (Small to Medium-sized Family), cyber security awareness and training should be a top priority. Every device that connects to the internet is part of your attack surface, including that innocent-looking coffee maker you rely on every morning.
Cyber awareness and training can never start too early in your business and personal life. And it’s not a once-and-done effort. Cyber threats are constantly evolving, so think of your cyber awareness training as ongoing education, starting today.
“They” say the best way to learn is to practice and then teach. The information here won’t help if you don’t take action (practice, implement, test) or if you keep it to yourself. We encourage you to become a leader of change when it comes to cyber security. Teach your co-workers, your family, and your friends.
Yes, we know you already have a career and a personal life, but wouldn’t ALL aspects of your life be affected if you were to become the victim of a cyber attack? And, aren’t your devices connected to a digital infrastructure that could wreak havoc on almost everyone that you work or live with?
It’s also a two-way street. If the people in your business or personal life aren’t as educated and prepared as you would like them to be, they could unwittingly compromise your devices. So, it’s in your (and their) best interest to make cyber awareness and training a core competency. Beginning now and ending… never.
Let’s start with a thorough overview of the most important cyber awareness and training topics. Most, if not all of these, apply to your work and home life. It’s important to take your time reading and truly digesting these topics. If you just skim them, you may, unfortunately, suffer the consequences later.
We also ask that, after reading this article, you begin to develop an action plan. Not one for the distant future, one that can begin today. Small actions, made consistently, can yield gigantic results. Let’s get started…
In excerpts from an article by usecure, they wrote, “With human error playing a key part in 95% of cybersecurity breaches, managing employee cyber risk is essential for your business to steer clear of a user-related data breach and to demonstrate regulatory compliance.
One core component of a strong human risk management (HRM) program is ongoing security awareness training that educates end-users on how to identify and combat modern threats, as well as best practices for staying security-savvy.
But deciding to launch this type of training comes with some common questions, not least of which is deciding on the security awareness training topics you should be including.
Below, you’ll learn which topics should be included in your core security awareness training library, as well as how you can start educating your staff on these topics in a flash.
The Top 12 Essential Security Awareness Training Topics
1. Phishing Attacks
Phishing remains one of the most effective avenues of attack for cyber criminals. Having doubled in 2020, phishing attacks steadily increased throughout 2021, with remote work making it harder for businesses to ensure their users aren’t falling victim.
But why is phishing still such a threat to businesses now?
One major factor is due to how sophisticated these types of attacks have become. Attackers are now using smarter techniques to trick employees into compromising sensitive data or downloading malicious attachments.
For example, business email compromise (BEC) is a common form of phishing that uses prior research on a specific individual — such as a company’s senior executive — in order to create an attack that can be incredibly difficult to distinguish from a real email.
Partner these more intelligent attacks with the common misconception that phishing is ‘easy to spot’, and it is no wonder that many businesses are forecast to suffer a phishing-related breach.
Employees need regular training on how to spot phishing attacks that use modern techniques, as well as how to report a phishing attack as soon as they believe they have been targeted.
***We recently noticed a new, effective phishing trend. Scammers break into an email account, harvest the owner’s contacts and personal details, then write to those contacts posing as the trusted acquaintance and asking for gift cards for a “worthy” cause.
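The “spot a phishing attack” guidance above can be turned into a concrete check. The following is an added example, not code from the original article or from usecure: it parses an e-mail and flags four BEC tell-tales, an executive’s display name on an outside address, a look-alike sender domain, a Reply-To that goes somewhere else, and gift-card or urgency language. The two messages, the domain example.com, the executive directory and the keyword list are constructed for the demonstration.

```python
"""Score an e-mail for business-email-compromise (BEC) indicators.

Added example for the phishing section; not code from the original page
or from usecure. The two messages, the company domain 'example.com', the
executive directory and the keyword list are constructed assumptions.
"""
from __future__ import annotations

from email import policy
from email.parser import Parser
from email.utils import parseaddr

COMPANY_DOMAINS = {"example.com"}                  # assumed: your own mail domains
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: names attackers impersonate
PRESSURE_WORDS = ("gift card", "urgent", "confidential", "wire", "right away")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a real domain is a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    findings: list[str] = []

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name spoofing: '{from_name}' sent from {from_addr}")

    # 2. Look-alike sender domain: punycode, or within two edits of a real domain.
    for legit in COMPANY_DOMAINS:
        if from_dom != legit and (
            from_dom.startswith("xn--") or edit_distance(from_dom, legit) <= 2
        ):
            findings.append(f"look-alike domain: {from_dom} imitates {legit}")

    # 3. Reply-To routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 4. Urgency and secrecy language typical of gift-card and wire scams.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_SCAM = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example.net
To: staff@example.com
Subject: Quick favour

I am stuck in a meeting and need you to buy gift cards for a client right away.
Keep this confidential, I will explain later.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Monthly update

Thanks everyone for a strong quarter. The slides are on the intranet.
"""

if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, bec_indicators(sample) or ["no indicators"])
```

The scam sample trips all four checks; the legitimate update trips none. A mail gateway would also check SPF/DKIM alignment, but the four heuristics above are the ones a person can apply by eye, which is the point of the training.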
2. Removable Media
Another security awareness topic that companies deal with daily is removable media. Removable media is any portable storage medium that lets users copy data onto it, remove it from one device and load the data onto another, and vice versa. USB devices containing malware can be left for end-users to find and plug into their device.
“Researchers dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus. 98% of these drives were picked up! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside”*
As well as understanding the risks, your employees need to know how to use these devices safely and responsibly in your business. There are numerous reasons a company would decide to use removable media in their environment. However, with all technologies, there will always be potential risks. As well as the devices themselves, it is important your employees are protecting the data on these devices. Whether it’s personal or corporate, all data has some form of value.
A few common examples of removable media you and your employees might use in the workplace are:
- USB sticks
- SD cards
This security awareness topic should be included in your training and cover examples of removable media, why it’s used in businesses, as well as how your employees can prevent the risks such as lost or stolen removable devices, malware infections, and copyright infringement.
***We strongly discourage the use of removable media, especially as your only means of backup. A USB drive that stays plugged in gets encrypted by the same ransomware that hits the computer, and one that lives in a drawer is easily lost or stolen along with everything on it.
3. Passwords and Authentication
A very simple but often overlooked element that can help your company’s security is password security. Often commonly used passwords will be guessed by malicious actors in the hope of gaining access to your accounts. Using simple passwords, or having recognisable password patterns for employees can make it simple for cyber-criminals to access a large range of accounts. Once this information is stolen it can be made public or sold for profit on the deep web.
Implementing randomised passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Other steps, such as two-factor authentication, provide extra layers of security that protect the integrity of the account.
***We recommend Keeper as a password manager. Also, be sure that you turn on 2FA for your email account and anything else that you log into, including your bank and PayPal. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM swapping.
4. Physical Security
If you’re one of those people who leave their passwords on sticky notes on their desk, you may want to throw them away. Though many attacks are likely to happen through digital mediums, keeping sensitive physical documents secured is vital to the integrity of your company’s security system.
Simple awareness of the risks of leaving documents, unattended computers, and passwords around the office space or home can reduce the security risk. By implementing a ‘clean-desk’ policy, the threat of unattended documents being stolen or copied can be significantly reduced.
***Pro Tip, even if you trust your co-workers, family, and friends without question, do you trust every vendor, contractor, or service person that has access to your work or living space?
5. Mobile Device Security
The changing landscape of IT technologies has improved the ability for flexible working environments, and along with it more sophisticated security attacks. With many people now having the option to work on the go using mobile devices, this increased connectivity has come with the risk of security breaches. For smaller companies this can be an effective way of saving budget, however, user-device accountability is an increasingly relevant aspect of training, especially for traveling or remote workers. The advent of malicious mobile apps has increased the risk of mobile phones containing malware which could potentially lead to a security breach.
Best practice online courses for mobile device workers can help educate employees to avoid risks, without high-cost security protocols. Mobile devices should always have sensitive information password-protected, encrypted, or with biometric authentication in the event of the device being lost or stolen. The safe use of personal devices is necessary training for any employees who work on their own devices.
Best practice is to make sure workers sign a mobile security policy.
***We suggest that you install a VPN, malware protection, and a password keeper on ALL mobile devices. Yes, even cell phones. Especially cell phones!
6. Working Remotely
In 2021, the obvious need for remote working, combined with its increasing uptake, led many companies to take drastic steps towards full-time working-from-home policies. Remote working can be positive for companies and empowering for employees, promoting increased productivity and a greater work-life balance. This trend does, however, pose an increased threat of security breaches when employees are not educated on the risks of remote working. Personal devices that are used for work purposes should remain locked when unattended and have anti-virus software installed. If a company wants to offer this incentive, it should focus on educating remote employees on safe working practices.
***Please note, anti-virus software – as a stand-alone solution – is not effective. But, it is a necessary ingredient in an effective, multi-layered solution.
It is likely that this trend will continue. Though we hope to see offices reopening and a return to normal working life, companies have increasingly hired remote workers, and those who have adapted to WFH lifestyle may prefer to work this way. The need to train employees to understand and manage their own cybersecurity is apparent. As we’ve seen there is an increasing threat landscape targeting these individuals. Ensuring they keep security top of mind is a key theme.
7. Public Wi-Fi
Some employees who need to work remotely, working on the move, may need extra training in understanding how to safely use public Wi-Fi services. Fake public Wi-Fi networks, often posing in coffee shops as free Wi-Fi, can leave end-users vulnerable to entering information into non-secure public servers.
Educating your users on the safe use of public Wi-Fi and the common signs to spot a potential scam will increase the company’s awareness and minimise risk. WIRED magazine provides a helpful guide on avoiding the risks of public Wi-Fi.
***At minimum, use a VPN on all devices that access public Wi-Fi, including cell phones. Be clear about what it does: a VPN encrypts traffic between your device and the VPN provider’s server, which stops the hotspot (or a fake hotspot) from reading or tampering with it. That is not end-to-end encryption, so keep relying on HTTPS and never click through a certificate warning.
8. Cloud Security
Cloud computing has revolutionised businesses, the way data is stored and accessed. These digital applications are transforming businesses, however, with large amounts of private data being stored remotely comes the risk of large-scale hacks. Many big companies are working on data protection, but by choosing the right cloud service provider cloud storage can be a much safer and cost-effective way of storing your company’s data.
As with the other topics mentioned, insider hacking is much more of a threat than large-scale cloud companies. Gartner predicts that by next year, 99% of all cloud security incidents will be the fault of the end-user. Therefore, cyber security awareness training can help guide employees (or family and friends) through the secure use of cloud-based applications.
***At minimum, be sure the cloud service that you are considering uses end-to-end encryption, and turn on 2FA for the account itself: encryption at the provider does nothing for you if your login is phished.
9. Social Media Use
We all share large parts of our lives on social media: from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to pose as a trusted source (see: social engineering).
Educating employees (and family and friends – including children) about protecting the privacy settings of their social media accounts, and preventing the spread of public information will reduce the risk of the potential leverage that hackers can gain from this access to your personal network.
***We strongly suggest that you (or your family – especially children – and friends) do NOT share birthdays, locations (home, school, extracurricular activities, etc), or anything else that can be used to guess your passwords or answer your security questions, including old addresses or the name(s) of your pet(s).
10. Internet and Email Use
Some employees may have already been exposed to data breaches, by using simple or repeat emails for multiple accounts. One study found that 59% of end-users use the same password for every account. This means that if one account is compromised, a hacker can use this password on work and social media accounts to gain access to all of the user’s information on these accounts.
Often, websites offer free software infected with malware. Downloading applications from trusted sources only is the best way to protect your computer from installing malicious software. Educating employees on safe internet habits should be a key part of any IT induction; though some may see this training as obvious, it is a key part of the safety of any security programme.
Many large websites have had large data breaches in recent years, if your information has been entered into these sites, it could have been made public and exposed your private information.
***Pro Tip – NEVER let a browser or a website store your passwords or credit card information. That includes Google and Amazon. The only place to store this information is a dedicated password manager such as Keeper, and only Keeper (or a similar service) should auto-fill it for you.
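The reuse problem described above, and the weak-pattern problem from the Passwords and Authentication section, are easy to audit once your logins are in a password manager. Below is an added example, not code from the original article, from usecure or from Keeper, that runs a small vault export through the checks an attacker’s wordlist rules already exploit: short passwords, common passwords even after leet substitutions, keyboard walks, the employer’s name, a trailing year, and the same password on more than one account. The common-password list, the employer name Acme and the sample vault are constructed for the demonstration.

```python
"""Audit a set of saved logins for weak, patterned and reused passwords.

Added example for the passwords and the internet-and-email sections; not
code from the original page, from usecure or from Keeper. The common-password
list, the employer name 'Acme' and the sample vault are constructed
assumptions (a real audit would use a full breach corpus).
"""
from __future__ import annotations

import re
from collections import defaultdict

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
KEYBOARD_WALKS = ("qwerty", "asdf", "zxcv", "1234", "1qaz", "qazwsx")
EMPLOYER_TERMS = ("acme",)  # assumed company name; staff passwords often embed it
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}\W*$")


def password_issues(pw: str, employer_terms=EMPLOYER_TERMS) -> list[str]:
    """Pattern checks that cracking rule sets (year append, leet, walks) cover."""
    issues: list[str] = []
    low = pw.lower()
    normalised = low.translate(LEET)  # P@ssw0rd -> password
    if len(pw) < 12:
        issues.append("shorter than 12 characters")
    if low in COMMON_PASSWORDS or normalised in COMMON_PASSWORDS:
        issues.append("common password (even after leet substitutions)")
    if any(walk in low for walk in KEYBOARD_WALKS):
        issues.append("keyboard walk")
    if any(term in normalised for term in employer_terms):
        issues.append("contains employer name")
    if YEAR_SUFFIX.search(pw):
        issues.append("ends with a year")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        issues.append("fewer than three character classes")
    return issues


def audit_vault(entries: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each account to its issues, including reuse across accounts."""
    accounts_by_password: dict[str, list[str]] = defaultdict(list)
    for account, pw in entries:
        accounts_by_password[pw].append(account)
    report: dict[str, list[str]] = {}
    for account, pw in entries:
        issues = password_issues(pw)
        others = [a for a in accounts_by_password[pw] if a != account]
        if others:
            issues.append("reused on: " + ", ".join(others))
        report[account] = issues
    return report


# Constructed sample vault; none of these are real credentials.
SAMPLE_VAULT = [
    ("email", "Acme2024!"),
    ("bank", "Acme2024!"),
    ("paypal", "P@ssw0rd"),
    ("github", "correct-horse-battery-staple-42"),
]

if __name__ == "__main__":
    for account, issues in audit_vault(SAMPLE_VAULT).items():
        print(f"{account:8s} {'; '.join(issues) or 'ok'}")
```

The reuse check is the one that matters most for the 59% statistic above: the moment “Acme2024!” leaks from any one site, both the email and the bank account fall with it. The long random passphrase passes every check, which is exactly what a password manager generates for you.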
11. Social engineering
Social engineering is a common technique malicious actors use to gain the trust of employees, offering valuable lures or using impersonation to gain access to valuable personal information. Employees need to be educated on security awareness topics that cover the most common social engineering techniques and the psychology of influence (for instance: scarcity, urgency and reciprocity), in order to combat these threats.
For example, by posing as a viable client or offering incentives, private information can unwittingly be handed over to these malicious actors. Increasing employee awareness of the threat of these impersonations is critical in reducing the risk of social engineering.
***Recently, we had a client book a hotel room through a “trusted” platform – Priceline. Then she received an email asking her to confirm her credit card information and date of birth – after she’d received confirmation of the booking. She knew it was a phishing attempt and didn’t respond. Unfortunately, when she got to her hotel in Barcelona, they had no record of her reservation, even though she received several emails from “Priceline” confirming her booking.
12. Security at Home
Unfortunately, the threat of malicious actors does not stop when you leave the workplace. Many companies allow their employees to use their personal devices, which is a great cost-saving method and allows flexible working; however, there are risks associated with this. Malware unwittingly downloaded through applications on personal devices can risk the integrity of the company’s network if, for example, log-in details are compromised.
Additionally, the growing network of digital resources available to workers and companies has increased connectivity and productivity. However, these applications also pose a risk to the user: a study by Propeller found that phishing campaigns targeted to Dropbox had a 13.6% click-through rate. Increasing employee knowledge, sharing encrypted files and authenticating downloads will reduce the risk.”
***While this is good information, it failed to address IoT devices as a threat when you’re at work, home, or on the road. We address those concerns below.
In excerpts from SecurityScorecard, they wrote, “The internet of things (IoT) is a highly developed space that is home to a vast amount of sensitive data, making it a very attractive target for cybercriminals. Threats and risks continue to evolve as hackers come up with new ways to breach unsecured systems — posing a threat to the ecosystem itself. Let’s take a look at the leading threats and risks to the IoT and the associated vulnerabilities that must be secured.
What is the internet of things (IoT)?
The internet of things (IoT) is a network of intertwined devices, software, sensors, and other ‘things’ which enable the world to be connected throughout physical space. This can include business software, smart home devices (including watches), care monitoring systems, mobile phones, or driverless trucks, and can range from the size of a thumb drive to the size of a train. All of these things communicate with each other without the need for human interaction. This spider web of connectivity is fascinating but poses serious danger to information security.
Exploring the IoT attack surface
A business’s attack surface is the sum of vulnerabilities that are currently present on their network, both physical and digital. These can be vulnerabilities from within their endpoint devices (computers, tablets) or from the software and hardware used to conduct business.
While each device is typically protected through security software, they are still exposed to a series of added threats and vulnerabilities through their connection to the IoT. The Open Web Application Security Project (OWASP) provides a broad consensus on the current threats and vulnerabilities within these surfaces, which we have condensed into 3 main categories to outline.
Devices
Devices inevitably have vulnerabilities embedded within their memory systems, physical and web interfaces, network services, and firmware. This allows hackers to exploit outdated components, insecure default settings and weak update mechanisms. When managing vulnerabilities throughout your network’s devices, continuous monitoring is essential.
Communication channels
Attacks can originate from the channels that connect IoT devices. This presents serious threats to the security of the entire system and creates the potential for spoofing and Denial-of-Service (DoS) attacks. These threats and attacks lay the foundation for an unstable network surface.
Applications and software
Each application and software presents risk and many web applications and APIs do not protect sensitive data adequately. This data can be anything from financial intelligence to healthcare information. A breach of these types of information can result in identity theft, credit card fraud, and exposure of confidential information all because a web application isn’t properly secured or patched on a consistent basis.
7 IoT threats and vulnerabilities to be aware of
As long as the IoT continues to expand, the number of threats will continue to increase. Being able to identify and understand the different types of threats and vulnerabilities associated with the internet of things can significantly reduce the risk of a data breach at your organization. Let’s explore the top IoT concerns:
1. Lack of physical hardening
The lack of physical hardening has always been a concern for devices within the internet of things. Since most IoT devices are remotely deployed, there is no way to properly secure devices that are constantly exposed to the broader physical attack surface. Devices without a secure location and the inability for continual surveillance allow potential attackers to gain valuable information about their network’s capabilities which can assist in future remote attacks or gaining control over the device. For example, hackers can facilitate the removal of a memory card to read its contents and access private data and information that may allow them to access other systems.
2. Insecure data storage and transfer
As more people utilize cloud-based communications and data storage, the cross-communication between smart devices and the IoT network increases. However, any time data is transferred, received, or stored through these networks, the potential for a breach or compromised data also increases. This is due to the lack of encryption and access controls before data is entered into the IoT ecosystem. For this reason, it is important to ensure the secure transfer and storage of data through robust network security management tools like firewalls and network access controls.
3. Lack of visibility and device management
Many IoT devices remain unmonitored, untracked, and improperly managed. As devices connect and disconnect from the IoT network, trying to monitor them can grow to be very difficult. Lack of visibility into device status can prevent organizations from detecting or even responding to potential threats. These risks can become life-threatening when we take a look into the healthcare sector. IoT pacemakers and defibrillators have the potential to be tampered with if not secured properly and hackers can purposefully deplete batteries or administer incorrect pacing and shocks. Organizations need to implement device management systems to properly monitor IoT devices so all avenues for potential breaches are accounted for.
4. Botnets
Botnets are a series of internet-connected devices that are created to steal data, compromise networks, or send spam. Botnets contain malware that allows the attacker to access the IoT device and its connection to infiltrate an organization’s network, becoming one of the top threats for businesses. They are most prominent in appliances that were not initially manufactured securely (smart fridges, for example). These devices are continuously morphing and adapting. Therefore, monitoring their changes and threat practices is necessary to avoid attacks.
5. Weak passcodes
Although intricate passcodes can prove to be secure for most IoT devices, one weak passcode is all it takes to open the gateway to your organization’s network. Inconsistent management of passcodes throughout the workplace enables hackers to compromise your entire business network. If just one employee does not adhere to advanced password management policies, the potential for a password-oriented attack increases. Practicing good password hygiene is essential to ensure your business is covering all bases within standard security practices.
6. Insecure ecosystem interfaces
Application programming interfaces (APIs) are software intermediaries that allow two applications to talk to each other. With the connection of the two servers, APIs can introduce a new entrance for attackers to access a business’s IoT devices and breach a network’s router, web interface, server, etc. It is crucial to understand the intricacies and security policies of each device in the ecosystem before connecting them to ensure complete network security.
7. AI-based attacks
While AI attacks have been around since 2007, the threats they present within IoT are becoming increasingly more prominent. Hackers now can build AI-powered tools that are faster, easier to scale, and more efficient than humans, to carry out their attacks. This poses a serious threat within the IoT ecosystem. While the tactics and elements of traditional IoT threats presented by cyber attackers will look the same, the magnitude, automation, and customization of AI-powered attacks will make them increasingly hard to battle.”
At Adaptive Office Solutions, we have found that most people have no idea how many IoT devices they have. In fact, many people aren’t aware that they even have IoT devices. But we live in a modern world, and we can tell you that they are everywhere; from your smartwatch, to your car, to your light bulbs.
We suggest you read this article (we’ve skipped the boring stuff and jumped right to the important sections at the bottom) for a better understanding of just how connected (and vulnerable) you are.
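Counting the devices on your own network is the first step toward the visibility the SecurityScorecard excerpt calls for. The following is an added example, not code from the original article, from SecurityScorecard or from Adaptive Office Solutions, that reads the neighbour (ARP) table a Linux machine prints with `ip neigh show`, labels each MAC address with its vendor prefix, and lists anything not on an approved inventory. The sample table, the vendor prefix table and the approved list are constructed; on a real network you would paste the live command output and fill the prefix table from the IEEE OUI registry.

```python
"""Build an inventory of devices on the local network from the ARP/neighbour
table and flag anything not on the approved list.

Added example for the IoT discussion; not code from the original page, from
SecurityScorecard or from Adaptive Office Solutions. The neighbour-table lines,
the OUI (vendor prefix) table and the approved inventory are constructed
assumptions; on a real network run `ip neigh show` (Linux) and fill the OUI
table from the IEEE registry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<iface>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)

# Assumed OUI table: first three octets -> vendor (fill from the IEEE registry).
OUI_VENDORS = {
    "b8:27:eb": "Raspberry Pi",
    "00:17:88": "Philips Lighting",
    "3c:22:fb": "Apple",
}

# Assumed approved inventory: MAC -> what it is and who owns it.
APPROVED = {
    "b8:27:eb:12:34:56": "pi-hole DNS filter",
    "3c:22:fb:aa:bb:cc": "office laptop",
}


@dataclass
class Neighbour:
    ip: str
    mac: str
    iface: str
    state: str

    @property
    def vendor(self) -> str:
        """Vendor from the OUI prefix; a gap here usually means a cheap no-name gadget."""
        return OUI_VENDORS.get(self.mac[:8], "unknown vendor")


def parse_neighbours(text: str) -> list[Neighbour]:
    """Parse `ip neigh show` output; entries without a MAC (FAILED/INCOMPLETE) are skipped."""
    found: list[Neighbour] = []
    for line in text.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if m:
            found.append(Neighbour(m["ip"], m["mac"].lower(), m["iface"], m["state"].upper()))
    return found


def audit_network(text: str, approved=APPROVED) -> tuple[list[str], list[str]]:
    """Return (known, unknown) descriptions; the unknown list is what to chase down."""
    known, unknown = [], []
    for n in parse_neighbours(text):
        if n.mac in approved:
            known.append(f"{n.ip} {n.mac} {approved[n.mac]}")
        else:
            unknown.append(f"{n.ip} {n.mac} {n.vendor} ({n.state})")
    return known, unknown


# Constructed sample output; not captured from a real network.
SAMPLE_NEIGH = """\
192.168.1.10 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
192.168.1.21 dev eth0 lladdr 3c:22:fb:aa:bb:cc STALE
192.168.1.37 dev eth0 lladdr 00:17:88:de:ad:01 REACHABLE
192.168.1.88 dev eth0 lladdr 02:42:c0:a8:01:58 DELAY
192.168.1.99 dev eth0  FAILED
"""

if __name__ == "__main__":
    known, unknown = audit_network(SAMPLE_NEIGH)
    print("approved:", *known, sep="\n  ")
    print("not in inventory:", *unknown, sep="\n  ")
```

Run against the sample, the script reports a smart bulb and a device with no recognised vendor prefix that nobody has signed off on. Whatever turns up on that second list gets the treatment the excerpt describes: change its default password, check for firmware updates, and put it on a separate guest or IoT network segment so it cannot reach your computers.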
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solution service hotline at 506-624-9480 or email us at email@example.com