
First IT security challenge - employee training and awareness

A human firewall: strengthening your organization's ISMS through employee training and awareness

Once upon a time, in a lively office, employees received regular phishing awareness emails. To spice things up, the management introduced humor into these emails.

One day, John received a funny email from "The Supreme Overlord of Paper Clips," while Jane got one from "The Haemorrhoid Hero". Both laughed, but Jane's was a real phishing email in disguise. The attackers infiltrated the company's network, causing an embarrassing breach.

This incident highlights the need for more sophisticated phishing email training, ensuring employees can identify and handle complex phishing attempts, even if they're disguised as humorous simulations or serious, formal, and urgent requests.

Data breaches often go undetected for extended periods: attackers sometimes wait months, even 6-9 months after the initial compromise, before launching the actual attack. There are several reasons why this occurs:
  1. Stealth tactics: Cybercriminals utilize advanced techniques to maintain a low profile, making it challenging for organizations to identify the breach. They often infiltrate systems and networks slowly, avoiding detection by security tools.
  2. Gathering information: Attackers may spend considerable time within the breached system, studying it and collecting valuable data. This process helps them better understand the organization's structure, vulnerabilities, and key assets, enabling them to plan a more effective attack.
  3. Waiting for the right opportunity: Cybercriminals often hold onto compromised data until they find the most convenient or profitable time to exploit it. This could involve waiting for specific events or triggers, like organizational changes or increased market demand for the stolen information.
  4. Maximizing impact: By delaying the launch of an attack, cybercriminals can cause more damage. As they gain more access and control over a system, they can exploit multiple vulnerabilities simultaneously, making it more difficult for the organization to respond and recover.
  5. Complicating attribution: Waiting to launch an attack can make it harder for investigators to trace the source of the breach. As time passes, evidence may be overwritten, deleted, or become outdated, hindering efforts to identify the perpetrators.

When employees don't know enough about keeping their company's information safe, they can accidentally cause problems. These problems can lead to hackers getting into the company's system and stealing data, sometimes even months after the employees made a mistake.

Some risks happen because employees don't know the right way to handle things, like:

  1. Phishing emails: If employees don't know how to spot fake emails, they might click on bad links or download harmful files, which can hurt the company's computer system and private information.
  2. Social media: If employees share too much about their work on social media, hackers can use this info to attack the company.
  3. Not being careful with their stuff: Employees might use public Wi-Fi, leave their laptops alone in public, or not lock their computer when they're away from their desk, which can also put the company at risk.

To help fix these issues, the company should teach employees about staying safe online and in person. They should:

  1. Have regular training: Make sure employees know the risks and how to avoid them by offering lessons and hands-on activities.
  2. Test them with fake phishing emails: See if employees can spot and report fake emails, and give them feedback to help them learn.
  3. Set rules for social media: Tell employees what they can and can't share about work online.
  4. Teach them about physical security: Show employees how to keep their stuff safe, like using strong passwords and not using public Wi-Fi for work stuff.
  5. Make it okay to report mistakes: Encourage employees to tell the company if they think they did something that might have put the company at risk. That way, the company can fix the problem before it gets worse.

By teaching employees how to stay safe and letting them know it's okay to report their mistakes, companies can lower the risk of hackers getting in and stealing data. This way, everyone can work together to keep the company's information and computer systems safe.

Hands-on activities play a crucial role in teaching employees about online and physical security because they allow employees to actively engage in the learning process. The "active recall method" is a powerful learning technique that reinforces new concepts and skills by having employees practice and recall the information they've learned, rather than passively consuming it through video lectures or text. You can search for "active recall method" on the Internet to learn more.

Here are some ways to incorporate active recall and hands-on activities in security training:

  1. Interactive workshops: Organize workshops where employees can participate in group discussions, role-playing scenarios, or problem-solving exercises related to potential security risks. This not only helps them remember the information better but also allows them to learn from their peers.
  2. Phishing simulations: Test employees' ability to identify phishing emails by sending them simulated phishing emails. Encourage them to report suspicious emails and provide feedback on their performance. This hands-on experience will help them recognize real phishing attempts in the future.
  3. Escape room-style training: Create an escape room scenario where employees must solve security-related puzzles and challenges to "escape" the room. This engaging activity forces employees to actively recall and apply their knowledge of security best practices.
  4. Security quizzes and games: Develop quizzes and games that cover different aspects of information security. Employees can compete individually or in teams, encouraging active recall while making the learning experience more enjoyable.
  5. Hands-on device security training: Provide employees with hands-on training on how to secure their devices and workstations. For example, teach them how to set up strong passwords, enable two-factor authentication, and encrypt sensitive data on their devices.
  6. Clean Desk Case Study: Present employees with a scenario where an employee leaves sensitive documents and an unlocked computer on their desk when they go for lunch. Discuss the potential risks and consequences of this behavior, such as unauthorized access to sensitive information or theft of company property. After the discussion, have employees practice implementing a clean desk policy by securing their workstations, locking their computers, and properly storing sensitive documents when not in use.
  7. Working in Public Places (Starbucks) Security Practices: Create a quiz or interactive exercise that tests employees' understanding of security best practices when working in public places like Starbucks. Include questions about using a VPN, avoiding public Wi-Fi, keeping devices secure, and being aware of shoulder surfing. After completing the quiz or exercise, discuss the answers and provide tips for maintaining security when working remotely.
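A phishing simulation (item 2 above, and item 2 of the earlier "fix these issues" list) only teaches if the results are turned into feedback. The script below is an added example, not code from the original article: it reads a constructed event log from a simulated campaign (the log format, user names, departments and timestamps are all assumptions made for this illustration) and computes, per department, the click rate, the report rate and the median time until someone reported the email. It also lists employees who clicked but never reported, since those are the people who most need follow-up training, while someone who clicked and then reported is a success story for the "it's okay to report mistakes" rule.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample event log from one simulated phishing campaign (not real data).
# Each line: timestamp,user,department,event   where event is sent|opened|clicked|reported
SAMPLE_LOG = """\
2024-03-04T09:00:00,alice,finance,sent
2024-03-04T09:00:00,bob,finance,sent
2024-03-04T09:00:00,carol,eng,sent
2024-03-04T09:00:00,dave,eng,sent
2024-03-04T09:02:10,alice,finance,opened
2024-03-04T09:03:30,alice,finance,reported
2024-03-04T09:05:00,bob,finance,opened
2024-03-04T09:05:45,bob,finance,clicked
2024-03-04T09:10:00,carol,eng,opened
2024-03-04T09:11:00,carol,eng,clicked
2024-03-04T09:12:00,carol,eng,reported
2024-03-04T10:00:00,dave,eng,reported
"""


def parse_events(text):
    """Parse the CSV-style log into a list of event dicts, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dept, event = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "dept": dept, "event": event})
    return events


def summarize(events):
    """Return (per-department metrics, users who clicked and never reported)."""
    # First occurrence of each milestone per user; 'opened' is not a milestone here.
    per_user = defaultdict(lambda: {"dept": None, "sent": None,
                                    "clicked": None, "reported": None})
    for e in sorted(events, key=lambda e: e["ts"]):
        u = per_user[e["user"]]
        u["dept"] = e["dept"]
        if e["event"] in ("sent", "clicked", "reported") and u[e["event"]] is None:
            u[e["event"]] = e["ts"]

    by_dept = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0,
                                   "report_delays": []})
    follow_up = []
    for user, u in per_user.items():
        d = by_dept[u["dept"]]
        d["sent"] += 1
        if u["clicked"]:
            d["clicked"] += 1
        if u["reported"]:
            d["reported"] += 1
            d["report_delays"].append((u["reported"] - u["sent"]).total_seconds() / 60)
        # Clicking is a teachable moment; clicking and staying silent is the real risk.
        if u["clicked"] and not u["reported"]:
            follow_up.append(user)

    summary = {}
    for dept, d in by_dept.items():
        summary[dept] = {
            "click_rate": d["clicked"] / d["sent"],
            "report_rate": d["reported"] / d["sent"],
            "median_minutes_to_report": (statistics.median(d["report_delays"])
                                         if d["report_delays"] else None),
        }
    return summary, sorted(follow_up)


if __name__ == "__main__":
    summary, follow_up = summarize(parse_events(SAMPLE_LOG))
    for dept, m in sorted(summary.items()):
        print(f"{dept:8s} click {m['click_rate']:.0%}  report {m['report_rate']:.0%}  "
              f"median report delay {m['median_minutes_to_report']} min")
    print("needs follow-up training:", ", ".join(follow_up) or "nobody")
```

The report rate and the median time to report are the numbers worth tracking from campaign to campaign: a falling click rate is nice, but a rising report rate and a shrinking delay show that employees are actually doing what the training asks. In a real deployment the log would come from the simulation tool's export and the per-user follow-up list would feed the next training session rather than a printout.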

Include up-to-date information and case studies in security training to keep employees informed about the latest threats and trends. Avoid using obvious and outdated examples, like easily identifiable phishing emails, and focus on more challenging and recent cases to maintain employee engagement and interest.

Some additional new security case studies for training sessions could include:

  1. Compromised USB Charging Stations: Discuss the risks of using public USB charging stations at airports, which could be tampered with to steal data or install malware on devices. Teach employees about safe alternatives, such as carrying their own power banks or using wall outlets with their own chargers.
  2. Deepfake Scams: Introduce employees to deepfake technology, where artificial intelligence is used to create realistic but fake videos or audio recordings. Explain how scammers might use deepfakes to impersonate company executives or clients, and discuss ways to verify the authenticity of such communications.
  3. Internet of Things (IoT) Security: Present case studies involving IoT devices, such as smart thermostats or security cameras, that were hacked due to weak security measures. Discuss the importance of securing IoT devices within the organization and at home, including the use of strong passwords and regular software updates.

By incorporating new and relevant case studies into security training sessions, employees are better equipped to identify and respond to emerging threats. This approach ensures that training remains engaging, informative, and valuable, ultimately fostering a security-conscious culture where employees actively contribute to the organization's overall security posture.

Summary of the article:

  1. Teach the risks: Help employees understand potential dangers.
  2. Breaches can hide: Encourage reporting mistakes to catch issues early.
  3. Interactive training: Use hands-on activities and engaging case studies.
  4. Stay updated: Explain new threats with simple, relatable examples.