92% of all breaches could have been prevented with a Security Awareness Training program. Security Awareness Training is a means of educating and training the employees in your organization, giving them the information they need to protect themselves and your organization from cybercriminals who rely on phishing attacks, account takeovers, wire transfers and more.
Security Awareness Training: What It Is and Why It's Important
Employees must understand that the bad guys are out there trying to trick them in order to gain access to your critical information. The point of security awareness training is to educate employees on what is considered risky, what clues to look for that indicate a threat, and how to respond. Additionally, cyber threats are continually changing. Hackers can take over your organization’s network, hack into bank accounts, pose as a trusted source with a dummy account, infect your network with ransomware and hold your data hostage, and so much more.
Staying Compliant with Security Awareness Training
If your organization must comply with industry regulations such as HIPAA (Health Insurance Portability and Accountability Act of 1996), PCI (Payment Card Initiative), NIST, GLBA or ISO, having a security awareness training program in place is critical.
HIPAA Journal states: According to the Security Rule, HIPAA training is required “periodically”. Many businesses interpret “periodically” as annually, which is not necessarily accurate or effective.
Gramm-Leach-Bliley Act (GLBA): “Train staff to recognize and respond to schemes to commit fraud or identity theft, such as guarding against pretext calling”
Cybercrime is moving at light speed. A few years ago, cybercriminals used to specialize in identity theft, but now they take over your organization’s network, hack into your bank accounts, and steal tens or hundreds of thousands of dollars. Organizations of every size and type are at risk. Are you the next cyber-heist victim? You really need a strong human firewall as your last line of defense.
See a Social Engineering hack live in action by watching the above video.
Rather than a one-time event, security awareness training is most useful when used as an ongoing practice in the framework of a bigger security awareness program.
What Types of Issues Should Security Awareness Training Cover?
- What is Malware?
Short for malicious software, this covers many threats such as ransomware, viruses, adware, spyware, and more. Employees should learn how to identify malware and what to do if their device or network has been infected. The immediate response should be to turn off the system or device and inform management.
- Email Phishing
Malware typically enters networks through a phishing email with a request to click a link or download a file. It's critical for employees to know the signs of a phishing email and what to do about it. Phishing simulations utilize a phishing template from a recognizable source such as LinkedIn, to test employee awareness.
- Social Engineering
Social engineering scams are designed to take advantage of human behavior via multiple outlets. The most common type of social engineering is a phishing email. Additional platforms include text messaging (SMSishing), phone or voicemail phishing (vishing), and social media phishing.
- Safe Use of Social Media
Employees should know what actions they can take, in both work and personal use, to stay secure while sharing.
- Safe Internet Habits
Do not click on suspicious links. Refrain from installing software programs from unknown sources. Only access sites that use HTTPS; the "s" is for secure.
- Removable Media
Ever found a removable thumb drive or external hard drive and plugged it into your computer to see who it belongs to? What if it was planted in the parking lot at your office specifically for that reason, and it contains malware that takes over your computer, or worse?
- Password Security
Complex passwords or passphrases are much harder to crack. Enable multi-factor authentication (MFA) as an extra layer of security. Set a cycle for password changes, requiring employees to change their passwords every 3 months.
- Clean Desk Policy
Anything sensitive or confidential should be removed from your desk and placed in a locked desk drawer or file cabinet.
- Mobile Computing
Working from home or on the go can pose risks as well. Public Wi-Fi should always be avoided.
- Software Patching
Perform regular updates to ensure your software is patched.
Image courtesy of KnowBe4
Although these are some of the things you can learn about, the overall objective is to build a culture around cyber security awareness. There's a lot to this for businesses to consider.
Security is everyone's responsibility. Even seemingly harmless behaviors or small mistakes can have big consequences. Security awareness training helps get everyone on the same page, reduces risks and incidents, and helps the entire workforce protect their organization and themselves.
If you’re looking for IT security services in the Tri-Cities, Washington or Bend, Oregon areas, or simply want to learn more about how to effectively structure your security, give us a call at 541.848.6072 in Oregon or 509-396-6640 in Washington.