Skip to content

Search Marco

    The 5 Elements of a Successful Security Awareness Program

    By: Mike Burgard
    June 2, 2021

    Have your guard up. What we mean is, don't trust everyone. We teach our kids at a young age, don’t talk to strangers. If a man offers you candy from the back of his van, don’t trust it. Don’t leave the front door wide open when you go outside to play.

    That last one is mainly so your energy bill doesn’t become astronomical in the heat of summer, but also because it quite literally leaves the door wide open for intruders.

    In the same way we teach our kids to be cautious, it’s important for businesses to educate their employees on the basics of cyber security awareness, so they can do their part to help keep your business safe.

    employees attending security training

    How often should I conduct cybersecurity awareness training?

    With 480 new cyberthreats developing every minute, it’s no less than 100% necessary to conduct training at least once a year. Experts suggest that training as often as every 90 days will strengthen your defenses and leave your employees feeling empowered in the fight against cyber bullies.

    This is not a “one and done” kind of training. Cyberattackers are getting smarter, faster and more inventive as they develop new ways to retrieve company data.

    Here’s a list of some “must-haves” for your annual (or quarterly) cybersecurity awareness training.

    1. Education on the different types of cyber threats

    Spam

    This isn’t just limited to direct email anymore. You might receive an invite from a “friend” to add them on LinkedIn. Major social networks we trust are a common way for hackers to hide behind false identity and catch you in a weak moment.

    Malware

    Most simply defined as “malicious software,” malware is any type of software designed to cause harm to a device such as worms, viruses, trojans and rootkits.

    Phishing

    This is the practice hackers use to essentially cast a wide net of bait and pull in whatever they catch. Phishing consists of emails that look genuine but include dangerous links that steal passwords or personal information.

    Whaling

    Whaling attacks specifically aim for high-profile individuals, such as politicians or CEOs of large corporations with high-profile access to data and financial information. However, small business owners aren’t exempt.

    Fraud Prevention

    Businesses can face fraud in a number of ways. Identity theft tends to be the most prominent method with over 4.8 million reported cases in 2020. Other methods of fraud include: return fraud, money fraud, workers comp fraud and payroll fraud.

    2. Email, internet, social media and Privacy policies

    It’s important to explicitly outline rules for browsing and social media usage on company devices, and while using company email addresses. The browsing habits of your employees can be one of the largest threats your company faces in the fight against malicious cyber schemes.

    It is crucial that your cybersecurity training includes rules on “What Not to Click” and when to be hyper aware of social media emails that request a login.

    Certain websites are higher risks than others. So, to ensure complete safety, include training on what websites and social networks might be off limits while on the clock. Better yet, invest in software that flags suspicious emails and websites.

    3. Secure password policies Combined with Multifactor Authentication

    Your passwords are the key to your cyber kingdom, and hackers have plenty of ways to try to crack the code. The primary way cyber bullies obtain important passwords is by making educated and calculated guesses until they get it right. Educate your employees on the major Do’s and Don’ts in creating secure passwords.

    The most important passwords are both professional and personal email and social network passwords. If a hacker gains access to anyone’s email password they now have the liberty to click “Forgot My Password” on just about any account you’ve created.

    Scary, right? Make sure your employees are well-versed in creating solid, secure passcodes (or better yet, passphrases).

    The gold standard for password security occurs when a secure password is combined with multifactor authentication (MFA). MFA, sometimes called two-factor authentication (2FA), is an additional electronic authentication method required to access a device, website or application. MFA methodology stems from a combination of three elements to authenticate a user's identity: knowledge, possession and inherence.

    Application of MFA often varies and most services allow users to choose between a handful of authentication methods. Common MFA methods include one-time passwords (OTP) generated from a physical token, authenticator app or SMS message. Biometric authentication methods such as fingerprint or facial scans are becoming more common, especially in the mobile space.

    4. Threat recognition and response training

    Phishing techniques have come a long way since the, “You’ve been selected to receive $100,000, we just need your wiring info” tactic.

    For example, if employees receive an email that notifies them of a suspicious log-in attempt to their Google account, have them take another look. Often, these links can send users to a new page where inputting their login information grants the hacker the access they’re looking for.

    Suspicious activity can also include urgent requests that invoke an impulse click or downloadable PDF links that are corrupted. Regardless of the tactic, employees must have an incident response plan.

    What to do if you spot a suspicious email: notify your IT team immediately and do not click. Delete the email from your inbox or forward it to a secure inbox to be analyzed.

    Just remember, always be on the lookout for unknown senders.

    5. Regular vulnerability testing

    As a part of your ongoing training, you can implement risk assessment on your computer networks and applications to pinpoint failure areas before they happen.

    Highly trained professionals can administer vulnerability testing for you, identifying areas that compromise the privacy of your data and cause damage on multiple fronts.

    Create periodic emails and clickable links that simulate phishers to see if your employees are still alert and up to date in recognizing phony accounts and requests. By scheduling weekly, bi-weekly or monthly simulated attacks, your employees will actually become defense assets.

    A stronger program means a safer company

    Security awareness is good for your customers, your employees and for your business. Protect everyone involved and prioritize safety.

    Demonstrate your commitment to safety and begin building your own security training program, or leave it to the professionals. Marco is a dependable and honest choice for all your security needs, including helping you build the security training of your dreams.

    Identify, Assess, Develop and Track Cyber Security Risks Learn About IdentifyIT

    Topics: Security