Take An Analytical Approach To Cybersecurity Training

Uploaded on 2019-02-20 in JOBS-Training, FREE TO VIEW, TECHNOLOGY--Resilience

The world is rapidly changing, and this digital transformation it's undergoing promises many wonderful new opportunities, different ways of doing business and exciting means to disrupt traditional market sectors. However, the dark side of this future is the massive growth in cyber criminality, which has seen an increasing number of ways being developed to utilise viruses, back doors and other exploits to access a company's most critical information for nefarious purposes.

While there is a plethora of hardware and software security solutions designed to protect businesses from just about any security threat, an enterprise's biggest weakness remains its people.

According to Wayne Woolard, Sales Manager for South Africa at KHIPU Networks, things like malware and ransomware are obviously dangerous, which is why it has become crucial to make staff aware of them and how they operate. By doing so, it becomes easier for individuals within an organisation to identify these threats before they can cause any damage.

While people inside the IT industry are generally well aware of the dangers posed by cyber-attacks, he says, there are still many employees in any given company that are not tech-savvy enough. It is for this reason that an enterprise that spends a small fortune on security hardware and software must not forget the importance of also training the users.

"Traditionally, employees were warned about potential security hazards like malware by the company's IT department. However, such warnings are often not even read by the staff, much less heeded.

“Moreover, providing proper external training around this can be a challenge for a large enterprise, after all, a business with hundreds of employees simply cannot afford to have such a large number of people missing work for training purposes," he explains.

"What's needed is for these enterprises to take an analytical approach to the risk that individual users pose to an organisation, by undertaking a campaign that can test both your systems and your people.

“In essence, it is a simulated phishing campaign, testing how well your security architecture performs, as well as how security conscious employees are, by sending simulated phishing attacks to specific recipients."

Woolard suggests a 'false flag' operation of this sort enables a company to target staff members who may have been identified as potential security risks and see exactly how they deal with a phishing e-mail or SMS.

"This is not about punishing people who may click on the link that is sent or even those who may actually enter credentials of some sort, but rather, it's about understanding who in the business is doing this and why. In this way, they can be upskilled to ensure they don't fall for a genuine scam, if and when this occurs.

"Once the campaign has concluded, follow ups must also be conducted with all affected employees, explaining what the campaign was about, providing them with tips to avoid getting caught out by cyber criminals and of course, ultimately providing additional training to those that require it."

He indicates the standard option for such training is online teaching, which is kept short and pointed, using videos and quizzes that take around half-an-hour to finish and complete. Additionally, there's an option for live, in-classroom training to be undertaken, should this be necessary.

"The idea here really is to get the concept of cyber security lodged in the back of these employees' minds and inculcating a healthy suspicion and a deeper awareness of things.

“For example, an accounts person may have received e-mails dozens of times from a particular individual, but we want them to be aware enough to notice if something like their writing style has changed, as this may be indicative of their mail address having been hijacked."

At the same time, he adds, such a campaign also provides a fundamental understanding of all the key security technologies a company is employing. It helps the IT department to clarify exactly how these work and where the weak spots are that can be exploited.

"After all, if a phishing mail campaign of this sort is conducted, such a mail first needs to get through the organisation's firewall and the mail gateway. If it does so, this is already a problem.

“The same goes for if a suspected malicious attachment is opened by an employee, if your anti-virus program fails to immediately recognise this as dangerous, you need to be asking why.

“Finally, a campaign like this also means the business is able to gauge the reactions of the internal security team with regard to how they handle this.

"Ultimately, the benefits of undertaking such a campaign are enormous. It delivers not only user education, but valuable information around the technologies you are using, as well as how your specialist teams deal with security emergencies.

“In the end, a campaign of this nature is the ideal way to test for security flaws across all the key aspects of the business, namely your people, your processes and your technology.

"At the end of the day, training your users on cyber security and how it can impact both their personal and work life is one of the most effective ways to raise awareness," concludes Woolard.

At CSI we agree and commend Woodlard’s analysis and suggestions and we would recommend using GoCyber by MeLearning, which will be launched in April 2019 - www.melearning.co.uk/

ITWeb:         Image: Nick Youngson

You Might Also Read: 

Military Cyber Training Methods:

 

« Dating Sites Fraudster Alert
Four Ways That Fake-News Sites Trick People »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Business Intelligence Associates (BIA)

Business Intelligence Associates (BIA)

BIA's TotalDiscovery is a defensible and cost-effective corporate preservation and legal compliance software solution.

DKCERT

DKCERT

DKCERT (Danish Computer Security Incident Response Team) handles security incidents on forskningsnettet, the National Research and Education Network (NREN) in Denmark.

360Logica

360Logica

360Logica is a software testing company offering numerous kinds of testing services to improve the quality and performance of your software and IT systems.

CipherPoint Software

CipherPoint Software

CipherPoint Software provides data-centric auditing and protection solutions for securing unstructured information

Siscon

Siscon

Siscon delivers tailor-made compliance solutions that are based on the customer's specific wishes and reality and then supplement with many years of experience in the field.

MAY Cyber Technology

MAY Cyber Technology

MAY Cyber Technology is a Security Management solutions provider located in Turkey & Germany.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Information Technology Industry Development Agency (ITIDA)

Information Technology Industry Development Agency (ITIDA)

ITIDA has two broad goals: building the capacities of Egypt’s local information and communications technology (ICT) industry and attracting foreign direct investments to boost the ICT sector.

RIGCERT

RIGCERT

RIGCERT provides training, audit and certification services for multiple fields including Information Security.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

Enzoic

Enzoic

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through compromised credential detection.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

6clicks

6clicks

6clicks is an easy way to implement your risk and compliance program or achieve compliance with ISO 27001, SOC 2, PCI-DSS, HIPAA, NIST, FedRAMP and many other standards.

HCS

HCS

HCS is an IT Company and Telecoms provider with an experienced team who are dedicated to ensuring our clients business systems are protected.

Resemble AI

Resemble AI

Resemble AI is an innovator in Generative Voice AI technology and tools to combat AI fraud including audio watermarking and deepfake detection.

PriorityZero

PriorityZero

PriorityZero is a European company focused on remote security assessments and consulting services that operates on a global scale.