Awareness and training of staff on security issues

Cybersecurity awareness and staff training: what is it and how does it work best?

There is an old saying in cybersecurity that people are the weakest link in the security chain. This is increasingly true as threat actors vie with each other to exploit gullible or careless employees.


"But you can turn this weak link into a first line of defense," says Phil Muncaster of the ESET team.

The key is to implement an effective cybersecurity awareness and education program.

According to relevant research, 82% of the data breaches studied in 2021 involved the "human element". Given today's cyber threat landscape, it is to be expected that employees are the number one target for attacks. "But give them the knowledge to spot the warning signs of an attack and understand when and how they might be putting sensitive data at risk, and there's a huge chance of reducing the risk," urges the expert from ESET.

What is cybersecurity awareness training?

Perhaps the word "awareness" doesn't quite describe everything that IT security managers want to achieve with training programs. In fact, their goal is to change behavior through education about where the key threats are hiding in cyberspace and which simple best practices can mitigate the risk.

The aim of this training is to empower employees to make the right decisions around cybersecurity risks. It can therefore be seen as a fundamental pillar for organizations wishing to create a corporate culture of security-by-design.

Why is security awareness training necessary?

Like any training program, the goal is to improve the individual's skills so that they become better at their job. In this case, improving security awareness not only helps the individual in a variety of roles, but also reduces the risk of a potentially damaging security breach.

The truth is that corporate users are at the heart of every organization. If they fall victim to a breach, the organization falls victim too. Similarly, their access to sensitive data and IT systems increases the risk of accidental mistakes that could also harm the company.

There are several trends that highlight the urgent need for security training programs:

Passwords: Static credentials have been around for as long as computer systems have existed. And despite years of warnings from security experts, they remain the most popular method of user authentication. The reason is simple: people instinctively know how to use passwords. The challenge is that they are also a huge target for hackers. If an attacker can trick an employee into giving up their password, or can guess it, there is often nothing standing in the way of full access to the company's network.

It is estimated that more than half of all employees in the United States write their passwords on paper. Bad password practices open the door to hackers. And as the number of credentials that employees need to remember increases, so does the likelihood of misuse.

Social engineering: We humans are social creatures. This makes us vulnerable to persuasion. We want to believe the stories we are told and the person telling them. This is why social engineering works so well: the use of persuasive techniques, such as time pressure and deception, to trick victims into doing what the attacker wants. Social engineering is used, for example, in phishing emails, text messages (smishing) and phone calls (vishing), but also in business email compromise (BEC) attacks and other scams.

The "professionalization" of cybercrime: Threat operators today have a sophisticated underground network of dark web sites through which they buy and sell data and services - everything from web hosting to ransomware-as-a-service. The turnover of cybercrime is said to amount to trillions. This "professionalization" has naturally led malicious actors to focus their efforts where the return on investment is highest. In many cases, this means targeting users themselves: company employees and consumers.

Hybrid work: Employees working from home are thought to be more likely to click on phishing links and engage in risky behavior, such as using work equipment for personal purposes. The emergence of a new era of hybrid work has therefore opened the door to attacks on corporate users when they are most vulnerable. Not to mention that home networks and computers may be less well protected than their corporate counterparts.

Why is education important?

Ultimately, a serious security breach, whether from a third-party attack or accidental disclosure of data, could result in significant financial loss and damage to the company's reputation. A recent study found that 20% of businesses that suffered such a breach almost went bankrupt. Another study claims that the average cost of a data breach worldwide is now higher than ever: over $4.2 million.

Cost is not the only consideration for employers. Many regulations, such as HIPAA, PCI DSS and Sarbanes-Oxley (SOX), require compliant organizations to run security awareness training programs.

How to make training programs work

We have explained the "why", but what about the "how"? Chief Information Security Officers (CISOs) should start with an introductory discussion with the human resources department, which typically manages corporate training programs. HR may be able to offer advice or help coordinate the program.

Topics the training could cover include:

  1. Social engineering and phishing / vishing / smishing
  2. Accidental disclosure of information via email
  3. Staying safe online (secure browsing and use of public Wi-Fi)
  4. Best password practices and multi-factor authentication
  5. Secure remote and home working
  6. How to detect internal threats

Above all, keep in mind that lessons should:

• Be fun and game-like (think positive reinforcement rather than fear-based messaging)
• Be based on real-world simulation exercises
• Run at regular intervals throughout the year, as short sessions (10-15 minutes)
• Include all staff, including executives, part-time employees and contractors
• Produce results that can be used to tailor the program to individual needs
• Be adapted to suit different roles

Once all of this has been decided, it is important to find the right training provider. The good news is that there are many options on the internet at various prices, including free tools. ESET's Phil Muncaster concludes: "Given the current landscape of threats, inaction is not an option."

iGuRu.gr The Best Technology Site in Greece


Written by newsbot

