The Importance of Cyber Security Training


The business culture in North America has morphed over the last decade, to the point that it’s almost impossible to imagine going back to the way things used to be. Older organizational structures ran on what is now called a “silo mentality.” For example, Sales and Marketing, HR and Management, and Finance and Operations weren’t really “ANDS” at all.

In the past, marketing departments didn’t consult with sales teams before churning out sales collateral, HR basically dealt with people and paperwork the way management told them to, and operations departments didn’t solicit input from finance departments about how to improve profitability.

The same dysfunctional structure existed in nearly all Information Technology (IT) departments.  

From organizations to corporations the attitude was very much, “You stay in your lane, and we’ll stay in ours.”

But that way of doing business was destined to fail. As Harvard Business Review wrote in one article, “Successful enterprise transformation has long been considered the holy grail of the corporate world — continually sought after, but difficult to grasp. Our assessment found that only 28 of the 128 companies we examined (i.e., 22%) successfully transformed from both a financial and reputational perspective.

Microsoft is one of the best-known examples of corporate transformation in recent years, moving from a software company to a cloud-services company and gaining $1.5 trillion in market capitalization. A core element of its overall restructuring and strategic shift was an overhaul of the company’s vision, which in turn affected all aspects of the employee experience, from team dynamics to compensation.

In 2014, when the company began its transformation initiative, it also set out to change its corporate culture, which had previously been characterized by individualism, competitiveness, and a “know-it-all” attitude among employees. 

Executives partnered with HR leaders to craft a refreshed mission and vision that better reflected the ideals of empathy, humanity, understanding of cultural differences, and Microsoft’s place in the world. The result was a mission that shifted from a product focus to a more inclusive, people focus — an aim to “empower every person and organization on the planet to achieve more.”

At Adaptive Office Solutions, we believe the key elements to empowering people and organizations are: establishing open communication among departments, creating a unified vision for the future, and encouraging constant improvement through inclusive leadership and ongoing education.

We simply cannot operate in silos anymore. And with the explosion of digital data over the last decade – and the number of people who have access to it in any given organization – cyber security is now everyone’s responsibility.

Before we take a deeper dive into the bigger cyber threats we’ll face in 2023 – and how to train your employees to spot and defend against them – let’s briefly talk about the different roles and responsibilities of IT and Cyber Security. 

As ZDNet explained in an article on the subject, “Information technology and cybersecurity share common goals of protecting people, devices, and data — but focus on different issues and take a very different approach.

Information technology (IT) uses computer networks, hardware, and software to store and share digital information. Cybersecurity focuses more narrowly on protecting computer systems, digital devices, and data from unauthorized access.

When you combine the two roles, you have what’s known as an Information Security Specialist.

An information security specialist may create and enforce user, network, and data security policies. Information security employees educate network users about security issues and encourage them to follow security standards. They may also investigate security incidents and document what happened to prevent or eliminate a recurring threat.”

That brings us to our next topic: what are the biggest threats in 2023?

The Top 12 Cyber Security Awareness Training Topics

In an article on the subject, usecure wrote, “With human error playing a key part in 95% of cybersecurity breaches, managing employee cyber risk is essential for your business to steer clear of a user-related data breach and to demonstrate regulatory compliance.

One core component of a strong human risk management (HRM) program is ongoing security awareness training that educates end-users on how to identify and combat modern threats, as well as best practices for staying security-savvy.

In this section, you’ll learn which topics should be included in your core security awareness training library for 2023, as well as how you can start educating your staff on these topics in a flash.

1. Phishing Attacks

In a report conducted by Slashnext in 2022, 

The first quarter of 2022 saw a dramatic increase in phishing attacks. Cybersecurity vendor CheckPoint revealed in their 2022 Q1 Brand Phishing Report that phishing attacks impersonating the professional social networking site made up over half (52%) of all attempts globally in the first quarter of 2022. This represents a 44% increase compared to the previous quarter, Q4 2021, when LinkedIn was the fifth most impersonated brand.

But why is phishing still such a threat to businesses in 2023?

One major factor is how sophisticated these types of attacks have become. Attackers are now using smarter techniques to trick employees into compromising sensitive data or downloading malicious attachments. 

For example, business email compromise (BEC) is a common form of phishing that uses prior research on a specific individual — such as a company’s senior executive — in order to create an attack that can be incredibly difficult to distinguish from a real email.

Partner these more intelligent attacks with the common misconception that phishing is ‘easy to spot’, and it is no wonder that many businesses are forecast to suffer a phishing-related breach in 2023.

Employees need regular training on how to spot phishing attacks that use modern techniques, as well as how to report a phishing attack as soon as they believe they have been targeted.

2. Removable Media

Another security awareness topic that is used daily by companies is removable media. Removable media is a portable storage medium that allows users to copy data to the device and then move it from one device to another and vice versa. USB devices containing malware can be left for end-users to find and plug into their devices.

“Researchers dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus. 98% of these drives were picked up! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside.”

As well as understanding the risks, your employees need to know how to use these devices safely and responsibly in your business. There are numerous reasons a company would decide to use removable media in their environment. However, as with all technologies, there will always be potential risks. As well as the devices themselves, it is important your employees are protecting the data on these devices. Whether it’s personal or corporate, all data has some form of value.

A few common examples of removable media you and your employees might use in the workplace are:

  • USB sticks
  • SD cards
  • CDs
  • Smartphones

This security awareness topic should be included in your training and cover examples of removable media, why it’s used in businesses, as well as how your employees can prevent the risks such as lost or stolen removable devices, malware infections, and copyright infringement.

3. Passwords and Authentication

A very simple but often overlooked element that can help your company’s security is password security. Often commonly used passwords will be guessed by malicious actors in the hope of gaining access to your accounts. Using simple passwords, or having recognisable password patterns for employees can make it simple for cyber-criminals to access a large range of accounts. Once this information is stolen it can be made public or sold for profit on the deep web.

Implementing randomised passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Other steps, such as two-factor authentication, provide extra layers of security that protect the integrity of the account. 

4. Physical Security

If you’re one of those people who leave their passwords on sticky notes on their desks, you may want to throw them away. Though many attacks are likely to happen through digital mediums, keeping sensitive physical documents secured is vital to the integrity of your company’s security system.

Simple awareness of the risks of leaving documents, unattended computers, and passwords around the office space or home can reduce the security risk. By implementing a ‘clean-desk’ policy, the threat of unattended documents being stolen or copied can be significantly reduced.

5. Mobile Device Security

The changing landscape of IT technologies has improved the ability to support flexible working environments, and has brought with it more sophisticated security attacks. With many people now having the option to work on the go using mobile devices, this increased connectivity has come with the risk of security breaches. For smaller companies this can be an effective way of saving budget; however, user-device accountability is an increasingly relevant aspect of training in 2023, especially for traveling or remote workers. The advent of malicious mobile apps has increased the risk of mobile phones containing malware which could potentially lead to a security breach.

Best practice online courses for mobile device workers can help educate employees to avoid risks, without high-cost security protocols. Mobile devices should always have sensitive information password-protected, encrypted, or with biometric authentication in the event of the device being lost or stolen. The safe use of personal devices is necessary training for any employees who work on their own devices.

The best community practice is to make sure workers have to sign a mobile security policy.

6. Working Remotely

In 2021, the obvious need for remote working, combined with the increasing uptake, led to many companies taking drastic steps towards full-time working-from-home policies. Remote working can be positive for companies and empowering for employees; promoting increased productivity and greater work-life balance. 

This trend does, however, pose an increased threat of security breaches when users are not educated on the risks of remote working. Personal devices that are used for work purposes should remain locked when unattended and have anti-virus software installed. If a company wants to offer this incentive, it should focus on educating remote employees on safe working practices.

Going into 2023, it is likely that this trend will continue. Though we hope to see offices reopening and a return to normal working life, companies have increasingly hired remote workers, and those who have adapted to the WFH lifestyle may prefer to work this way. The need to train employees to understand and manage their own cybersecurity is apparent. As we’ve seen there is an increasing threat landscape targeting these individuals. Ensuring they keep security top of mind is a key theme of 2023.

7. Public Wi-Fi

Some employees who need to work remotely, traveling on trains, and working on the move may need extra training in understanding how to safely use public Wi-Fi services. Fake public Wi-Fi networks, often posing in coffee shops as free Wi-Fi, can leave end-users vulnerable to entering information into non-secure public servers.

Educating your users on the safe use of public Wi-Fi and the common signs to spot a potential scam will increase the company’s awareness and minimise risk. 

8. Cloud Security

Cloud computing has revolutionised businesses and the way data is stored and accessed. These digital applications are transforming businesses; however, with large amounts of private data being stored remotely comes the risk of large-scale hacks. Many big companies are working on data protection, but choosing the right cloud service provider for cloud storage can be a much safer and cost-effective way of storing your company’s data.

As with the other topics mentioned, insider hacking is much more of a threat than to large-scale cloud companies. Gartner predicts that by next year, 99% of all cloud security incidents will be the fault of the end user. Therefore, cyber security awareness training can help guide employees through the secure use of cloud-based applications. 

9. Social Media Use

We all share large parts of our lives on social media: from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to pose as a trusted source (see: social engineering).

Educating employees on protecting the privacy settings of their social media accounts, and preventing the spread of public information about your company will reduce the risk of the potential leverage that hackers can gain from this access to your personal network.

10. Internet and Email Use

Some employees may have already been exposed to data breaches, by using simple or repeat emails for multiple accounts. One study found that 59% of end-users use the same password for every account. This means that if one account is compromised, a hacker can use this password on work and social media accounts to gain access to all of the user’s information on these accounts.

Often websites offer free software infected with malware. Downloading applications from trusted sources only is the best way to protect your computer from installing any malicious software. Educating employees on safe internet habits should be a key part of any IT induction. Though some may see this training as obvious, it is a key part of the safety of any security programme.

Many large websites have had large data breaches in recent years; if your information has been entered into these sites, it could have been made public, exposing your private information.

11. Social engineering

Social engineering is a common technique malicious actors use to gain the trust of employees, offering valuable lures or using impersonation to gain access to valuable personal information. Employees need to be educated on security awareness topics that cover the most common social engineering techniques and the psychology of influence (for instance: scarcity, urgency, and reciprocity), in order to combat these threats.

For example, by posing as a viable client or offering incentives, private information can unwittingly be handed over to these malicious actors. Increasing employee awareness of the threat of these impersonations is critical in reducing the risk of social engineering.

12. Security at Home

Unfortunately, the threat of malicious actors does not stop when you leave the workplace. Many companies allow their employees to use their personal devices, which is a great cost-saving method and allows flexible working; however, there are risks associated with this. Unwittingly downloaded malware-infected applications on personal devices can risk the integrity of the company’s network if, for example, log-in details are compromised.

Additionally, the growing network of digital resources available to workers and companies has increased connectivity and productivity. However, these applications also pose a risk to the user: a study by Propeller found that phishing campaigns targeting Dropbox had a 13.6% click-through rate. Increasing employee knowledge, sharing encrypted files, and authenticating downloads will reduce the risk.

Other IT security awareness training topics

Alongside educating employees on security awareness training topics, as new regulations are imposed, compliance courses are increasingly necessary for employees. GDPR compliance in the EU has led to new regulations regarding email, which may require re-training for many employees. Breaching these rules can lead to heavy fines.

Employees should also be aware of changing finance regulations, data protection, tax and more. By enrolling in automated online platforms for policy management, you can keep your employees up to date with the latest changes in policy and make sure they stay in the know.

Getting end-user security awareness training right

All companies have different requirements, so ensuring a flexible cyber security awareness course that fits with your organization’s goals is vital to getting the right training for your staff. 

By promoting a culture of conversation and awareness in your business on a regular basis through end-user security awareness training, you can keep your employees up to date with the requirements to keep their personal and business information secure.”
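The passwords-and-authentication topic (3) and the password-reuse point under topic 10 describe “randomised passwords” and “two-factor authentication” in words. The following Python is an added example, not code from the quoted usecure article or from Adaptive Office Solutions, showing what each looks like in practice: a password drawn from the operating system’s CSPRNG, a check for the predictable shapes the training topic warns about (common passwords, keyboard runs, a dictionary word padded with digits and punctuation), and an RFC 6238 TOTP second factor with the server-side verification step. The common-password and base-word lists are small constructed samples; the secret in the usage call is the RFC 6238 test secret, not a real credential.

```python
"""Added example (not from the quoted article or Adaptive Office Solutions):
randomised passwords, a weak-pattern check, and a TOTP second factor."""
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

# Constructed sample of frequently guessed passwords and base words.
# Real audit lists (breach-derived wordlists) run to millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
COMMON_BASE_WORDS = {"summer", "winter", "spring", "autumn", "company", "password", "welcome"}
KEYBOARD_RUNS = ("qwerty", "asdf", "12345", "abcd")

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Draw every character from the OS CSPRNG: no words, no guessable pattern."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def is_weak(password: str) -> bool:
    """Flag the patterns the training topic describes: too short, on the
    common list, a keyboard run, or a dictionary word padded with digits and
    punctuation (the 'Welcome2023!!' shape guessing tools try first)."""
    lowered = password.lower()
    if len(password) < 12 or lowered in COMMON_PASSWORDS:
        return True
    if any(run in lowered for run in KEYBOARD_RUNS):
        return True
    base = lowered.strip(string.digits + string.punctuation)
    return base in COMMON_BASE_WORDS


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: the counter is the number of 30 s steps elapsed."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: constant-time compare against the current step and
    `window` steps either side, which tolerates small clock drift."""
    counter = timestamp // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    for candidate in ("Welcome2023!!", "qwerty12345!", generate_password()):
        print(f"{candidate!r:24} weak={is_weak(candidate)}")
    print(f"16 random chars from {len(ALPHABET)} symbols ~ {entropy_bits(16):.0f} bits")
    # RFC 6238 Appendix B test secret; at T=59 the 6-digit code is 287082.
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59:", totp(rfc_secret, 59))
    print("TOTP now:   ", totp(rfc_secret, int(time.time())))
```

The verification window is the part worth noticing: a server that accepts only the exact current 30-second step locks out users whose phone clock drifts by a few seconds, so one step either side is the usual compromise, and the comparison is constant-time so response timing does not leak how many digits matched.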

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca
