And Six Recommendations Security Awareness Teams Can Put In Place
We’re about to enter a new year and that prompts thoughts about the security awareness challenges, threats, trends and employee behaviors that security awareness administrators need to plan programs and campaigns for in 2019.
These six security awareness challenges are good starting points for security awareness teams to focus on in 2019 in order to gain and maintain a cyber security conscious workforce. The list includes new issues that can touch every employee, as well as ongoing challenges that require continued attention, and perhaps a new approach, because they’re still a problem for organizations.
Preparing for more sophisticated phishing attacks and social engineering schemes. “Phishing and other social engineering schemes take advantage of the human risk factor, making it the No. 1 topic of training in most organizations,” said Theo Zafirakos, Chief Information Security Officer and CISO Coach, at Terranova Security. These attacks will become more sophisticated in 2019 as the bad actors use technologies, such as artificial intelligence, to evolve their attack scenarios and make fraudulent emails and messages appear more real and therefore difficult to distinguish as a scam. Security awareness programs will not only need to educate and train employees on spotting suspicious messages, phone calls and other social engineering tactics, they also will need to build a culture of cyber security without creating a practice of paranoia. “As the bait becomes harder to detect as fraud, employees will need to be trained to continuously operate in a mindset of security,” Zafirakos added.
Recommendation: Find out which users are prone to phishing attacks and social engineering schemes with phishing simulations.
Educating employees on best practices for user names and passwords – and seeing them do it! No matter how many security awareness training courses employees have been through, there will always be a percentage of people that reuse passwords or create a weak password just for simplicity. If credentials created in this manner are compromised, the damage will spread as hackers use the stolen user names and passwords in a credential stuffing attack. On Black Friday and Cyber Monday this year, Akamai estimated there were 155 million credential abuse / credential stuffing attacks. Training in secure password practices has been a part of any security awareness program from day 1, but if employees still use weak and reused passwords, add multifactor authentication to the mix.
Recommendation: Consider working with partners in the security awareness industry to create new and more effective approaches for training and education on strong passwords and authentication.
Preparing for the expansion of GDPR-like regulations. As other countries and individual states within the U.S. pass their own flavors of GDPR legislation, organizations will need to dig more deeply into their security, data protection and privacy systems and policies to address compliance and employee awareness. Finding that lowest common denominator among all the regulations is where businesses will need to start to address regulation specifics. As they expand into specific regulations, a focus on role-based training will be helpful to address compliance with GDPR and similar regulations.
Recommendation: Educate your staff on how to better protect personal information.
Teaching the basics about ransomware. A lucrative attack mechanism for cyber criminals, ransomware will continue in 2019 to be a concern for businesses. A ransomware attack can cost an organization plenty. FedEx attributed a $300 million loss in its first quarter fiscal year 2018 to the NotPetya virus, a form of ransomware. And the ransomware cost from an attack on the city of Atlanta is estimated to reach $17 million. In 2019, the ransomware threat is expected to shift from broad-based to more targeted attacks, making it even more important for every employee to understand how ransomware could infiltrate an organization, and what to do if you find yourself locked out of your systems.
Recommendation: Protect your organization by building a ransomware awareness program
Training employees to successfully report security incidents. This topic ranges from employee and user reporting to how an organization acts on the report. The biggest issue when it comes to reporting is ensuring the employee can identify a valid threat. Educated, well-trained and security-aware employees understand a real threat; they don’t cry wolf and tap the security team’s resources with non-threatening incidents. Other issues to assess when it comes to how organizations deal with incidents include: How quickly an employee reports an incident – if they report it at all? To whom did they report the incident? Did they immediately report they suspected they were phished, or did they wait a few days? And how does the organization respond to reported incidents? What action did it take?
Recommendation: Phish your users and monitor in real-time if they report phishing scams
Dealing with the shortage of security professionals. The security professional talent shortage will continue to challenge organizations in 2019. Cybersecurity Ventures estimates that by 2021, 5 million cybersecurity positions will go unfilled. Security awareness teams charged with educating and training employees about cyber security threats and responses are typically made up of just a few individuals who have other primary roles within an organization. Organizations looking for external assistance should seek a partner that can support the team with more than just tools and simulations. A partner should offer advisory services and be prepared to help build the business case, secure funding and ultimately lead the project from start to finish, if that’s what’s needed by the business.
Recommendation: Consider phishing or security awareness as a managed service
Cyber security threats in 2019 will be harder to detect, making it more challenging to protect systems and sensitive data. The security of a business will require the support of every employee. With a continuous security awareness program that is personalized for maximum effectiveness, an organization can create a culture of cyber security that is supported by every employee 24×7 and 365 days a year.
Get recommendations to design an effective security awareness program for 2019 with this free assessment:
Complete the Security Awareness Program Maturity Assessment to determine if your organization’s maturity level is: reactive, proactive or optimized. Gain immediate insight on how your organization rank against your peers