Last week we took an in-depth look at social engineering, including phone and email examples.
Cybersecurity awareness training is one of the most effective ways to combat these threats. Not everyone engaged in cybersecurity practice agrees about the effectiveness of this solution, but I have been delivering public cybersecurity courses for over a decade, and I know from the responses that I have gotten back from former students that it has benefited them. I never get calls from a student, for example, about how they just fell for a fake tech support call. But I do get calls asking about whether an email is a phish or not, and I usually have them forward it to me for further examination. So I know it has a positive effect.
The elements of an effective program include:
- Hire a pro. While your IT staff may think they can do this themselves, you would do well to work with a company that has experienced trainers and an established curriculum.
- Make it interesting. Be brief and stay focused on your topic. Small bites are better than an all-you-can-eat buffet. Provide pictures and examples of actual attacks. Give the students concrete steps that they can use both professionally and personally.
- Make it frequent. Many short classes delivered monthly or quarterly beat one long class that people will forget. Give them only as much as they can absorb in one sitting; avoid doing a “brain dump.”
- Include the brass. Leadership sets the example. Make sure owners, C-suite officers, and senior managers are seen participating in the training. Don’t be too busy or too important to participate. And seriously, executives can be some of the worst offenders when it comes to falling for social engineering. You will certainly be among the principal targets, so you might as well find out what you are up against.
- Have an incident response plan and train on it. When the inevitable happens and an employee thinks they have a problem, do they know what to do? If they are afraid to report it and hide it instead, that only makes the situation worse. Encourage and reward quick reporting of cybersecurity incidents. An effective incident response plan identifies the reporting chain and lets everyone know what to do in a crisis.
- Encourage staff to report suspected phish. Clever organizations are setting up “abuse” or “phish” mailboxes so that employees have somewhere to send suspicious emails for further analysis. Make sure the mailbox is staffed and that replies arrive in a timely manner. Or teach your employees how to submit suspicious links and attachments to VirusTotal for analysis, keeping in mind that anything uploaded to VirusTotal is shared with other users and security vendors, so messages containing confidential data should go to your internal mailbox instead. Have a similar mechanism in place for phone and in-person social engineering attempts as well.
- Phish your own employees. Done well, this can be a fun way to test your employees’ cyber-alertness. Avoid punishing or shaming employees who fall for the simulated scam; the point is to measure and improve. Track how many people click and, just as importantly, how many report the message, and compare the numbers across campaigns. A program like this lets you see whether your training is actually effective.
Cybersecurity awareness training can be the most cost-effective security measure you can buy, and may provide better results than expensive, high-tech security appliances. Plan to add it to your network security budget this year.
- VirusTotal – Check Links and Attachments for Windows and Mac Malware
- MSISAC Cyber Security Toolkit