What is cyber awareness?
Cyber awareness is a term that refers to how much an end-user knows about cybersecurity best practices and the cyber threats that can affect their network/organisation every day.
The term cyber awareness can also be associated with what the end-user does to ensure that the business’s information is protected, such as staying alert when opening emails, browsing the web and handling information over the internet.
Some end users may be more aware than others and this is where the importance of cyber awareness training comes in.
Why is cyber awareness training important?
According to Cisco’s 2021 cybersecurity threat trends report, at least one person clicked a phishing link in around 86% of organisations. The data went on to suggest that phishing accounts for around 90% of data breaches.
Leaders of an organisation may be aware of this issue but need to take a more proactive approach, enabling their workforce to help maintain a level of security and protection for the organisation. It would be beneficial for leadership to implement a cyber awareness programme that encourages employees to treat cybersecurity as an essential part of their job role.
It should be noted that making your employees more cyber aware doesn’t completely eradicate the risk of data theft or cybercrime to your business, but it does put your organisation in a much better position. It enables your employees to act as the first line of defence against potential cyber-attacks, safeguarding your organisation to a much better degree than if there were no cyber awareness within the organisation at all. This could be the difference between a very expensive and time-consuming ransomware infection and a suspicious-looking email being flagged to your IT team with no links clicked.
By improving the digital literacy of your workforce, you are not only lowering the risk of security threats but also freeing up your IT team’s time, as less of it will be spent dealing with cybersecurity breaches. The threat landscape moves so quickly that you need to keep the workforce up to date regularly; annual training won’t be sufficient anymore.
This leads us on to which topics you should consider covering and how your organisation can get started with making your employees more cyber aware.
What topics should be covered in cyber awareness training?
You may have decided that you want to increase cyber awareness within your organisation, but you may be wondering which training topics you should be including.
Here are a few topics that we consider to be essential:
Phishing – as we mentioned earlier, this accounts for around 90% of data breaches. Phishing is one of the most common methods and is becoming increasingly sophisticated. We recommend giving employees regular training on how to spot phishing attacks, especially raising awareness of new techniques, so that they don’t rely on the outdated assumption that phishing emails are easy to spot. One way to check that this training has been beneficial is to conduct a phishing simulation that mimics a realistic scenario but won’t cause any damage to your organisation. This will help identify individuals or departments that may need additional training in this area. By knowing where these weaknesses are, you can address them before they are exploited by cybercriminals. A key part of this training is also making every employee aware of how to report an attack, so that the IT team can put measures in place, monitor any suspicious activity and warn others within the organisation.
Passwords and authentication – this topic is often overlooked but is a fundamental area to protect, since it safeguards the large amounts of data stored in various accounts. Employees should avoid using common, easy-to-guess passwords across multiple accounts, because once a cybercriminal has guessed one, they will try it on multiple platforms, which can give them access to a huge amount of data. Your organisation should recommend that employees follow the National Cyber Security Centre guidance of three random words, which makes passwords harder for malicious actors to guess. Strong passwords paired with two-factor authentication provide extra layers of security that protect the integrity of employees’ accounts.
Physical security – This relates to the documentation and personal information left on individuals’ desks, as well as ensuring their laptop or desktop is always locked when unattended. You may have heard the phrase ‘clean-desk’ policy; you will want to implement this throughout your office space and for homeworkers, as it significantly reduces the threat of unattended documents being stolen or copied.
Working remotely – There has been an increase in homeworking and, potentially, in the use of personal devices for work purposes. Employees should be trained to always lock these devices when unattended and to have the relevant anti-virus software installed so that their working setup is safer. As we move further into 2022, employees need to understand and manage their cybersecurity and be aware of all the implications of working from home. The policy that is set in the office should extend outside of the workplace; it shouldn’t lapse.
Public Wi-Fi – This is relevant for those who work remotely or are on the go for meetings or work trips. They will need training on how to use public Wi-Fi safely, as fake public Wi-Fi networks can leave users vulnerable to entering sensitive information into insecure systems. Making them aware of what to look for and how to avoid compromising the organisation’s data is of paramount importance, especially when on the go.
Social engineering – This is a common technique used by cybercriminals, who use impersonation to gain access to valuable personal information. It could be someone posing as a genuine client or someone offering incentives to the employee. Training should highlight the psychological techniques that criminals use, such as scarcity, urgency and reciprocity, to help combat these threats, as employees will be more aware of what to look for.
What can you do to get started with cyber awareness in your organisation?
The key element in making cyber awareness successful is to ensure that it is customised to your organisation’s needs. Tailoring the training to how your organisation operates will help your workforce relate to the potential impacts and recognise threats quickly in their day-to-day role.
The best combination is to get your employees to engage in formal security training and pair this with a monthly email listing cybersecurity tips and tricks, which will stay relevant as the threat landscape moves on at pace. The constant discussion of and reminders about cybersecurity will influence your employees’ behaviour.
This training will also encourage the employees to buy into the idea that cybersecurity is one of their job responsibilities.
Once you have settled on how you want to implement a good cyber awareness training programme, you will need to keep it consistent so that security remains a top priority for your organisation.
The monthly newsletter will go a long way to help put preventative measures in place to reduce the risk of a cyber incident, acting as a constant reminder, especially as the workforce may be a mix of office-based and home working.
How can iSTORM help?
Information security is a key organisational risk, and it frequently appears on the board’s agenda.
As there continues to be an increase in high-profile cyber-attacks and associated data breaches, organisations need to understand what controls are required to protect the business and its information assets.
We have a specialist information security team that will work with you to support your organisation’s current and future security needs, adopting a pragmatic and business-focused approach to ensure that we deliver the right frameworks aligned with your budget requirements.
From phishing simulations to onsite training, we can help employees become more aware.
To find out more about our information security services, click here.
For more details and guidance on how to stay cyber aware visit the guidance on the National Cyber Security Centre website here.