When you plan the defense of your organization’s information assets, are you resigned to the fact that all your efforts will be made in spite of your user population? It’s easy to view the workforce as part of the problem – one of several critical attack vectors, and perhaps the most likely to be exploited. According to the 2019 Symantec Internet Security Threat Report, ransomware infections at enterprises were up 12% in 2018, with enterprises accounting for 81% of all ransomware infections.
Most organizations acknowledge the issue of end-user vulnerability and make some effort to educate employees in the basics of prudent data handling and online behavior. But too often, IT managers do little more than issue a handout with a few guidelines and call it a day. That lets them tick the box that they’ve done something, even though the effort will eventually fail. And can you blame them? They would rather spend time and resources on IoT defense or on implementing a sophisticated zero-trust security strategy. Employee training lacks sizzle.
But the fact is, the bad guys are coming up with new threats that target employees all the time. CEO scams (a form of business email compromise) are a prime example. The bad actors pretend to be the CEO, sending an email to a high-level employee such as the corporate financial officer asking for money to be transferred to a seemingly legitimate destination. Instead, the money goes to the fraudsters. A textbook case was reported in early 2019 in the UK. An employee of the Scottish publisher Peebles transferred almost £200,000 to a fraudulent account as requested by scammers pretending to be her boss. Peebles’ bank refunded more than £85,000, but the company is suing the employee for the difference of £107,984. The employee’s defense is that she had no training on how to spot email scams.
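The CEO scam described above usually leaves traces in the message headers: an executive’s display name paired with an address that is not the executive’s mailbox, a sender domain that merely resembles the corporate one, a Reply-To that redirects the conversation elsewhere, and urgent payment language in the body. The script below is an added example that is not part of the original post and not part of Symantec’s SAS offering; it shows the kind of header check a mail gateway or an analyst can apply. The internal domain `example.com`, the executive roster `EXECUTIVES`, the function `impersonation_flags`, and the three sample messages are all constructed for illustration.

```python
"""Heuristic checks for CEO-fraud style e-mail impersonation.

Added example, not code from the original post or from Symantec.
Everything below (domain, roster, sample messages) is hypothetical.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain

# Assumed executive roster: lower-cased display name -> legitimate mailbox
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}

# Words that commonly appear in the fraudulent request itself
PAYMENT_KEYWORDS = ("wire", "transfer", "urgent", "confidential")


def lookalike(domain: str, legit: str, threshold: float = 0.8) -> bool:
    """True if `domain` resembles `legit` without being identical (examp1e.com)."""
    if domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold


def impersonation_flags(raw: str) -> List[str]:
    """Return a list of human-readable warning flags for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags: List[str] = []

    # 1. Executive's display name, but the address is not the executive's mailbox
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        flags.append("display-name matches executive but address differs")

    # 2. Sender domain is a near-miss of the corporate domain (typosquat)
    if domain and domain != INTERNAL_DOMAIN and lookalike(domain, INTERNAL_DOMAIN):
        flags.append(f"lookalike sender domain {domain}")

    # 3. Replies are silently routed to a different mailbox
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr:
        flags.append("Reply-To differs from From")

    # 4. Body carries the classic payment-plus-urgency language
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(word in text for word in PAYMENT_KEYWORDS):
        flags.append("payment/urgency language in body")
    return flags


# Constructed sample messages (not real mail)
SAMPLES = {
    "fraud": "\n".join([
        "From: Jane Doe <jane.doe@examp1e.com>",
        "Reply-To: ceo.urgent@gmail.com",
        "To: cfo@example.com",
        "Subject: Quick task",
        "",
        "Please wire the transfer today, it is urgent and confidential.",
    ]),
    "webmail": "\n".join([
        "From: Jane Doe <jane.doe.ceo@gmail.com>",
        "To: cfo@example.com",
        "Subject: Are you at your desk?",
        "",
        "I need a favor, reply when you see this.",
    ]),
    "legit": "\n".join([
        "From: Jane Doe <jane.doe@example.com>",
        "To: cfo@example.com",
        "Subject: Board meeting",
        "",
        "Board meeting moved to 3pm.",
    ]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", impersonation_flags(raw) or ["no flags"])
```

The display-name check is the one that catches the Peebles-style case, since the attacker needs the victim to see the boss’s name; the other three checks raise the cost of the remaining tricks. A gateway would normally quarantine or banner-tag flagged mail rather than block it outright, because legitimate executives do occasionally write from personal mailboxes.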
With such threats emerging, you can and should do more to prepare your workforce. Think of it this way: Your organization’s employees could be the first line of defense, not the weakest link. There are three basic requirements for a strong security awareness program:
- Engaging. There is no substitute for effective communication. Sending out a printout or an email is not enough. Videos play a vital role, but videos must be high-quality to attract and hold employees’ attention. They must be topical, concise, and memorable.
- Measurable. Are people viewing the videos? Are they retaining the information? A brief before-and-after viewer quiz can answer those questions. Quiz results let you know who is keeping up to date and who is not – and let the employees themselves know how they are doing.
- Evolving. Because new threats are emerging all the time, security awareness information must be refreshed regularly in order to remain relevant. Just as cyber security defense strategies must continually adapt, security awareness training is never finished.
Security Awareness Services
Symantec’s Security Awareness Services (SAS) delivers comprehensive security awareness training in a multifaceted offering consisting of more than 70 training videos and ongoing support. Videos cover everything from how to create strong passwords, to best practices for working remotely, and of course, how to avoid falling victim to the latest phishing and spear-phishing attacks. The production values of SAS videos are high. Skilled presenters deliver concise information clearly and engagingly. Some “scary” videos inject humor into a serious subject – the better to create an impression on the viewer. New videos are being added all the time as existing threats evolve and new threats emerge. In addition:
- SAS web-based training is compliant with the Sharable Content Object Reference Model (SCORM). SCORM-compliant content is created once and can be loaded into any SCORM-conformant learning management system, so it can be shared and reused in different contexts without modification.
- SAS includes a quiz for each video to take the pulse of user security awareness, pointing out where user knowledge is high or where more work is needed.
- SAS includes newsletters, printable posters and email reminders for internal communication campaigns.
Security awareness is far too important to embark on as a halfhearted new-hire ritual. Defending against cyber attacks is a vital and ongoing discipline that’s part of every employee’s job. SAS will help you build a strong security awareness program to transform your organization’s employees from a demoralized rabble waiting to be victimized into an effective army ready to do its part to protect your organization.
ISTR Volume 24 is here, providing insights into global threat activity, cyber criminal trends, attacker motivations, and other happenings in the threat landscape in 2018.