
THE ULTIMATE GUIDE TO SECURITY AWARENESS TRAINING


Index

Understanding the cyber security landscape
How security breaches occur
The threats facing your organisation
Harnessing the value of security awareness training
Outlining key features in your security awareness training program
Refined security awareness training - best practices checklist
  Partner across departments
  Listen to your staff
  Incentivise awareness
  Commit to measurement
  Use relevant data
  Conduct random simulations
  Communicate
The advantage of the Cyber Risk Aware security awareness program
Conclusion - fortify your company and secure your place in the digital market

INTRODUCTION TO INFORMATION SECURITY

The use of technology is an inescapable component of modern business operations. From manufacturing to marketing, sales to finance, and every aspect of communications in between, technology plays an ever-increasing role.

Yet the risks associated with technology are well known. A recent report in the Atlantic found that 92% of IT firms have reported attacks on their clients' systems [1]. Leaving computers, and the systems and data behind them, unprotected has cost companies millions of pounds per year. The impetus is therefore on proactive management teams to guide their staff, through policies and training, on the critical importance of cyber security.

Consider the 2017 Equifax breach, which affected millions of consumers over a period of several months. The company had been warned that it needed to patch a known vulnerability in a web application framework (Apache Struts), but its IT team did not follow the required protocol. Scans that should have detected the unpatched system did not. Believing they were safe, the business carried on as usual.

Then, on 13 May, attackers gained access to Equifax servers through the unpatched application; Equifax later attributed the missed patch to a single member of staff. From there the attackers were able to extract social security numbers, private financial data and addresses for over 143 million people. The attack would only grow from that point, demonstrating how a seemingly small security flaw can become one of the largest and perhaps costliest breaches in history.

There are thousands of stories of varying scale from businesses across the globe. Cyber attacks and data breaches have increased in both frequency and extent, and one only has to look at the aftermath of these incidents to be prompted into action.

For example, here in 2018, five years after the Target retail data breach, the company is still dealing with the ramifications of its security incident. Not only has Target spent upwards of 140 million pounds [1] on clean-up efforts and legal fines, but its settlement includes a requirement to strengthen its security program: hiring a Chief Information Security Officer, improving security processes, and establishing a security training program for its staff.

[1] …-security-breach-settlement.html

Research released by the Global Cyber Security Capacity Centre affirms the indisputable importance of training in mitigating security risk [2]. Only by committing to a comprehensive training program, one that guides individuals on the elements of data safety, is organisational protection possible.

Our team at Cyber Risk Aware has decades of experience in the IT security industry. We have worked with clients across the globe in building security training programs that safeguard their systems and support their teams. We are now providing you with the tools to help your team meet its security objectives in the coming years. This guide will give a clear answer to the question of how to protect your organisation and introduce you to the most effective strategies for mitigating threats to your company's security. In the following pages you will learn more about:

- Understanding the modern cyber security landscape
- The techniques hackers use to gain entry to your systems
- The threats facing your company and its customers
- The value of a security awareness training program
- The key elements of a robust security awareness training program
- The best practices for commencing and sustaining security training

[2] …ive/2016/09/ransomware-us/498602/

UNDERSTANDING THE CYBER SECURITY LANDSCAPE

39% of businesses surveyed found a BYO device on their network that had downloaded malware. (Crowd Research Partners, BYOD and Mobile Security Report)

As we come to depend more on technology in business, as in our day-to-day lives, the threat to our systems is evolving. We have moved on from simple viruses that attack a vulnerable PC and lead to hours of removal and repair work. We are now in an era where wireless technology is used to control devices across the organisation, and where each individual carries their own smartphone. Each team member therefore has a role to play in protecting the organisation and its customers from outside threats. And so the question becomes: what can organisations do to empower and guide individuals in supporting organisational security in this era of increased digital dependency?

AN EVOLVING THREAT

With increasing consumer awareness of security breaches and data risks, companies must now be more proactive in how they manage their systems. Studies show that cyber attacks are increasing in both frequency and scale. Research by digital security company Gemalto found that the number of data breaches worldwide increased by 164% between 2016 and 2017 [3]. And many growing companies across the country are still not prepared to face the new and emerging threats.

Let's look at the factors that are influencing the current cyber security landscape and shaping the

[3] …len.html

DEVICE CHANGES

The diversity and number of devices that both employees and customers of the modern organisation use is increasing. Whether it is the latest iOS release or the newest Android version, mobile devices are now increasingly targeted by attackers directly as a way to reach business information and extract valuable data.

The newest devices might ship with the latest security features, but companies must still put safeguards in place and educate employees on the benefits of using them. This is particularly true within an organisation with a BYOD policy, where personally owned devices are brought into the office. Policies of this nature give employees more flexibility and autonomy, but they also present a risk to companies for which data control and access limitation are critical security considerations.

THE IoT

The Internet of Things is a developing marketplace in which every item within the office, from the thermostat to the refrigerator, is connected to the Internet to provide a constant data link that helps automate various elements of office life. While this increasing automation makes the life of the modern employee easier and helps companies reduce costs, it also presents a very real security risk.

70% of IoT devices on the market today are vulnerable out of the box. (Entrepreneur.com)

In an environment where many systems are connected to the same network, it only takes a small flaw in a rarely used product to give an attacker a foothold from which to reach the wider data infrastructure. All too often, connected devices are left vulnerable through default passwords and outdated protocols that attackers have long known how to break.

The IoT trend has given rise to the looming threat of botnets: networks of compromised devices that can scan large swathes of the Internet in seconds for potential weaknesses. Botnets try default usernames and passwords and other well-known weaknesses to log in to unprotected devices, take control of them after entry, and then use the device and any data on it against the company, its staff and its customers.

In capitalising on IoT trends within their companies, teams must keep clear sight of their security goals and mitigate the impact of automation on their security structure.

LACK OF ONSITE SKILLS

With the increasing need for IT security guidance and rising challenges emanating from across the globe, there is a dearth of onsite skills for the modern business to draw on. Specialists in IT security, particularly in modern IT security threats, are few and far between.

Recent data shows that 75% of organisations worldwide lack a cyber security expert on their staff [4]. This is leading companies to turn to outside sources for a response to the challenge. It is the reason many are outsourcing their security education and working with trusted companies to ensure their IT teams and other office staff have the information they need to make more effective security choices.

NEW FORMS OF ATTACK

In recent years attackers have also devised novel ways to attack organisations and access data. One of the more common methods in large-scale attacks has been ransomware. A ransomware attack infects an organisation's systems, encrypts the files it can reach, and then demands a "ransom" in exchange for the key that restores access.

The success of these attacks was highlighted by the WannaCry event, in which 250,000 computers in over 150 countries, including systems at 16 NHS medical centres, were infected in less than a day [5]. As with the Equifax breach, a patch that was already available would have closed the hole, but without a proactive focus on IT security, organisations incurred a significant cost.

Business email compromise (BEC) is another form of attack that has grown in recent years. Data reported by the FBI shows that between October 2013 and December 2016, BEC attacks accounted for over $5.3 billion in reported losses [6]. In a BEC attack the criminal impersonates, or takes over the mailbox of, an executive or a supplier and uses that trust to request a payment or sensitive data. The risk grows alongside BYOD policies, because corporate email is then read on devices the company does not fully control, so companies allowing employees to bring their own devices must be acutely aware of the importance of email security and threat analysis.

Many experienced professionals have fallen victim to sophisticated email attacks in recent years, simply through a lack of education within their organisations and a lack of attention to detail. The goal for the modern company is to train employees to identify out-of-the-ordinary requests and the common strategies attackers use to gain access to data.

PREDICTION MODELS: AN IMPORTANT SECURITY ELEMENT

Within the current security field, AI-based prediction modelling has become another important element in safeguarding companies against potential threats. Studies involving AI-based machine learning programs are helping to determine when an organisation is most vulnerable to attack and through which channel a threat might arise. This can give companies the upper hand in defending their data and in threat mitigation over the coming years. The focus is now on helping staff work with these machine learning systems and on learning the measures to take when a threat

[6] …with-5.3b-in-losses

USE OF APPLICATIONS AS A THREAT

While mobile applications now help improve the performance of smartphones and increase the capabilities in the hands of the mobile workforce, the data handled by mobile applications is at significant risk of attack. Many organisations are now adopting serverless applications, which support greater scalability. These applications also depend heavily on data in transit. Data being sent between networks is at its most vulnerable and can be captured by coordinated attacks seeking specific information on a company, its employees and its customers. The use of such applications can also make companies more vulnerable to DDoS attacks: a flood of requests can drive a serverless architecture to its concurrency limits or to runaway cost, leading to expensive disruptions for the company.

90% of web applications have inherent vulnerabilities caused by security flaws. (HPE Cyber Risk Report)

HOW SECURITY BREACHES OCCUR

58% of UK companies have reported data breaches in the last two years. (GFI Software and Infinigate UK)

In learning more about information security, business leaders must first study the most common types of security breach and how organisations have been affected by them. The following are common techniques that attackers use to breach the security of the modern company.

SQL ATTACKS

SQL injection is considered the low-hanging fruit of the security field: it is one of the easiest attacks to prevent and yet remains among the most common techniques deployed by attackers. The attack targets applications that build database queries by pasting user-supplied text (a login form field, a search box, a URL parameter) straight into the SQL statement. By including quote characters and SQL keywords in that text, the attacker changes the meaning of the query: bypassing authentication, reading tables the application never meant to expose, or modifying data. Using this technique, cyber criminals have been able to gain access to company financial information, customer data and other high-value items stored on a database server. The fix is to pass user input as bound parameters rather than concatenating it into the query string.

STOLEN PASSWORDS

Another common way in which attackers gain access to information is by stealing passwords from a company directory or database. They might obtain them through an SQL injection attack that dumps credential tables, or simply by using social engineering to acquire them over the phone. Teams must learn how social engineering is used to gain access to information. In this scenario, a caller claims to be from the firm's IT security department and asks for login credentials to "update the computer". In many cases employees simply trust the person on the phone and hand over their details of their own free will.
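To make the SQL injection mechanism described above concrete, here is an added example (not code from the guide or from Cyber Risk Aware): one login query written first with string concatenation and then with bound parameters, run against a constructed in-memory SQLite table. The table, the users in it and the two payloads are assumptions for the demo.

```python
# Added example (not from the guide): the same login query written two ways,
# against a constructed in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with a constructed users table.
    (Passwords are stored in clear only to keep the demo short; real
    applications store salted password hashes.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "staff")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string concatenation, so anything the user
    types becomes part of the SQL grammar. Returns (username, role) or None."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so quotes and keywords in them are
    just data. Returns (username, role) or None."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def demo() -> dict:
    """Run both versions against a normal login and two injection payloads."""
    conn = make_db()
    # Payload 1: close the quoted string, then comment out the password check.
    bypass_user = "alice' --"
    # Payload 2: make the WHERE clause always true.
    tautology = "' OR 1=1 --"
    return {
        "normal_safe": login_safe(conn, "alice", "correct horse"),
        "bypass_vulnerable": login_vulnerable(conn, bypass_user, "wrong"),
        "bypass_safe": login_safe(conn, bypass_user, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, "wrong"),
        "tautology_safe": login_safe(conn, tautology, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:22s} -> {row}")
```

Run it and the concatenated version returns Alice's admin row for both payloads even though the password is wrong, while the parameterised version returns nothing for them; that difference is the whole of the defence, and it costs one character of code per value.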

A password can also be stolen easily if the user has kept the default password or reuses a password that has already leaked in another breach. Attackers now use botnets to brute-force logins with default and commonly reused passwords against millions of devices in a short space of time. Keeping the default username and password on a device leaves the user vulnerable to password theft and data loss.

MALWARE INSTALLATION

Another common form of attack in recent years is the use of malware. Malware is malicious software that, once installed on a target system, can give the attacker control of that system and let them steal any data it can reach. Malware is often delivered by an email sent to the target, designed to look as if it came from an authority within the company or from a software vendor offering an update. Once a user has unknowingly installed malware on their computer, it can spread throughout the company's network, reaching every data store and causing significant damage. This is part of the reason companies are now educating their employees on how to spot the signs of a malware infection and on what to do to contain it before it costs the company and its customers.

DEVICE THEFT

In the BYOD era, companies now give mobile staff the option of bringing their own devices and using them to communicate with customers and other employees. Data held on these devices has become highly valuable to attackers, as it often contains the credentials for logging in to secure areas of the company network. When a device is lost or stolen, it can therefore expose the company to significant financial loss. Proactive companies are building policies that safeguard data in the event of theft or loss. They are also encouraging employees to back up device data to a cloud-based system to reduce the impact, and implementing BYOD controls such as device encryption, remote wipe and document protection so that a lost device does not lead to further loss for the company.

65% of companies don't enforce their password policy. (Ponemon Institute)
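The default-password scanning described in the IoT section and the botnet brute-forcing described under Stolen Passwords leave a clear trace in authentication logs. The following added example (not from the guide or from Cyber Risk Aware) reads constructed sshd-style log lines and raises three kinds of alert: a source that fails repeatedly inside a short window, a successful login to a well-known default account, and a success from a source already seen brute-forcing. The sample lines, the default-account list and the assumed log year are all constructed for the demo.

```python
# Added example (not from the guide): spotting a default-credential
# brute-force run in sshd-style auth logs. The log lines below are
# constructed for the demo; the default-account list is an assumption.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Jan 10 12:00:01 gw sshd[410]: Failed password for admin from 203.0.113.5 port 4401 ssh2
Jan 10 12:00:02 gw sshd[410]: Failed password for admin from 203.0.113.5 port 4402 ssh2
Jan 10 12:00:03 gw sshd[410]: Failed password for root from 203.0.113.5 port 4403 ssh2
Jan 10 12:00:04 gw sshd[410]: Failed password for invalid user pi from 203.0.113.5 port 4404 ssh2
Jan 10 12:00:05 gw sshd[410]: Failed password for invalid user ubnt from 203.0.113.5 port 4405 ssh2
Jan 10 12:00:06 gw sshd[410]: Accepted password for admin from 203.0.113.5 port 4406 ssh2
Jan 10 12:30:00 gw sshd[511]: Failed password for alice from 198.51.100.7 port 5120 ssh2
Jan 10 12:45:00 gw sshd[512]: Accepted publickey for alice from 198.51.100.7 port 5121 ssh2
"""

# Accounts that ship enabled on many devices and appliances (assumed list).
DEFAULT_ACCOUNTS = {"admin", "root", "pi", "ubnt", "guest", "user", "support"}

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2018  # syslog timestamps carry no year; assumed for the demo


def parse_line(line: str):
    """Return a dict with ts/result/user/src, or None for lines we don't model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def analyse(log_text: str, window: timedelta = timedelta(minutes=5), threshold: int = 5) -> list:
    """Return alerts as (kind, source_ip, detail) tuples.

    brute_force            : >= threshold failures from one source inside `window`
    default_account_login  : a successful login to a well-known default account
    success_after_failures : a successful login from a source already flagged
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []

    failures = defaultdict(list)  # source ip -> sorted failure timestamps
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])

    flagged = set()
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("brute_force", src, end - start + 1))
                flagged.add(src)
                break

    for ev in events:
        if ev["result"] != "Accepted":
            continue
        if ev["user"] in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_login", ev["src"], ev["user"]))
        if ev["src"] in flagged:
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample, 203.0.113.5 trips all three alerts within six seconds while alice's single typo followed by a key-based login from 198.51.100.7 produces none; the threshold and window are the knobs a SOC would tune against its own baseline, and the success-after-failures alert is the one worth paging on.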

DOCUMENTATION ERRORS

Human error is another leading cause of security incidents within the modern organisation. With the vast amount of documentation being disseminated across the globe, companies now focus on using these documents effectively and preventing private document data from reaching cyber criminals. Often a security breach within a large company is the result of a simple documentation error by an employee.

The employee might publish private data on a public resource, or expose a website login or the email address of a colleague in a way that leaves their data vulnerable. Forwarding sensitive information is another common mistake. Choosing the wrong recipient, or attaching information that should have remained on a private server to an email chain, can have a significant impact on the company. This is why so many firms now take the time to teach employees how to handle documents and how to control the flow of information from their computer.

FAILURE TO BACK UP DATA

Failing to back up the data on a server makes a security breach costlier, because teams have to rebuild the data afterwards. Many security breaches result not only in the theft of data but also in its loss. In the case of a stolen device, for example, this can leave the team with no understanding of which data was lost and who has been affected. Take the time to back up data regularly and to record who uses which data on the system. Knowing where data lives and who handles it creates a chain of custody for the data and prevents significant costs later.

In view of these threats, what can companies do to safeguard their data? There are several steps that should be followed to ensure that data is safe and security breaches are prevented. Our team at Cyber Risk Aware specialises in advising companies on IT security, and we recommend the following steps to prevent data breaches:

- Institute end user awareness training through a qualified company
- Craft a comprehensive encryption policy
- Perform regular vulnerability reviews with the team
- Apply patches regularly and review new patch options
- Back up all data regularly

THE THREATS FACING YOUR ORGANISATION

In safeguarding their company in the current landscape, business leaders must learn about the common threats to their organisation and its data. Each industry faces different risks from threat actors, each with their own motivation and intent. As leaders in the cyber security marketplace, Cyber Risk Aware staff regularly work with clients to mitigate threats to their business, and we have found the following threats to be a growing issue within today's organisations:

MAN IN THE MIDDLE ATTACKS

In a man in the middle attack the attacker positions themselves between two parties who believe they are talking directly to each other, reading and possibly altering the traffic in between. Modern variants range from a rogue wireless access point or a compromised IoT device on the office network that eavesdrops on wireless communications, to a keylogger or other tracking software planted on a single computer. A common end goal is a company mailbox: once the attacker holds a user's credentials and can watch the messages passing between that user and the rest of the company, they can send emails as that person and request financial information and private data from colleagues.

PHISHING SCAMS

A recent phishing scam conducted by a Lithuanian cyber criminal cost Facebook and Google more than $100 million combined [7]. There are still rich rewards for phishing attacks, and firms must be prepared to mitigate the issue. Companies continually fall victim to phishing, despite it being one of the most common and widely understood problems in the security field. The typical phishing attempt is a simple email designed to look as if it came from an authority within the company or a trusted outside party. The email might ask the recipient to download a document, open an attachment or click a link. Once that action has been taken, the attacker may obtain the user's credentials, or install malware that gives them control of the device and lets them access its data and act as the user of the system.

BOTNETS

A botnet begins with a single infected computer. The malware spreads to other computers on the network, and each infected machine checks in with a command and control server operated by the criminal. From there the criminal can control all the computers within the botnet and use any data they discover as they move through the network. Botnet attacks are on the rise across the globe, and many skilled hackers now offer botnets for hire. It is a billion-pound industry that is only set to grow with the continuing success of botnet events.

MALICIOUS JAVASCRIPT

The websites we visit every day during work hours can learn specific information about our location and our computer. Those with criminal intent can build sites, or compromise legitimate ones, with malicious JavaScript in the page that exploits the browser or its plugins to download and run malware as soon as the page is opened (a drive-by download). One click from a user within a company network can bring in malware that shuts down the entire network and potentially costs the company thousands of pounds in lost revenue. This is yet another reason for secure web use, for keeping browsers patched, and for installing the latest virus scanning and removal

[7] …facebook-email-fraud/#2xmPdw5nLqqM
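The lookalike sender and "act now" patterns behind the phishing attacks described above, and behind the business email compromise described under New Forms of Attack, can be checked mechanically before a message reaches a user or as part of a phishing simulation. The following added example (not from the guide or from Cyber Risk Aware) parses two constructed messages and reports why one looks like phishing: a sender domain that is a confusable or near-miss of the organisation's own, a Reply-To pointing somewhere else, and urgency wording. The trusted domain, the confusable table, the urgency terms and both messages are assumptions for the demo.

```python
# Added example (not from the guide): header and content checks a mail
# filter or an awareness tool could run on an inbound message. The trusted
# domain list, the confusable table and both messages are constructed.
import email
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "gift card", "confidential")
# Character substitutions that look alike in common fonts (assumed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold confusable character sequences so 'examp1e' and 'exarnple' read as 'example'."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def is_lookalike(domain: str) -> bool:
    """True if `domain` is not trusted but resembles a trusted domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    return any(
        normalise(domain) == normalise(t) or levenshtein(domain, t) <= 2
        for t in TRUSTED_DOMAINS
    )


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: str) -> list:
    """Return the reasons a message looks like phishing or BEC (empty if none)."""
    msg = email.message_from_string(raw)
    reasons = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if is_lookalike(from_domain):
        reasons.append("lookalike_domain")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("reply_to_mismatch")  # replies go to a different mailbox
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        reasons.append("urgent_language")
    return reasons


PHISH = """\
From: "Finance Director" <director@examp1e.com>
Reply-To: director.finance@mail-relay.net
To: accounts@example.com
Subject: Urgent wire transfer before 5pm

Please process the attached invoice immediately and keep it confidential.
"""

BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday

Are we still on for Thursday?
"""

if __name__ == "__main__":
    print("phish :", analyse_message(PHISH))
    print("benign:", analyse_message(BENIGN))
```

None of the three checks is proof on its own (a real supplier may legitimately set a Reply-To, and "urgent" appears in honest mail), which is why the function returns reasons rather than a verdict: the reasons are what a trained employee should be able to articulate, and what a simulation can score them on.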

HARNESSING THE VALUE OF SECURITY AWARENESS TRAINING

"Training employees how to recognize and defend against cyber-attacks is the most under spent sector of the cybersecurity industry." (John P. Mello Jr., Tech Beacon)

With the wide-ranging threats facing organisations in the modern business climate, the need to educate employees is clear. But most companies still have little understanding of what a comprehensive employee training program can bring to their business, so here our experts lay out the value provided through security training.

PROTECTING THE BUSINESS

The latest threats from attackers are designed to hit your business and steal money and data. Only through a proactive approach to security awareness training can companies ensure that each team member is security savvy. Security awareness training helps keep the business running when a security incident arises. It also helps to minimise downtime and demonstrates the firm's understanding of the current climate and its commitment to protecting customers and employees.

REMOVE THE WEAKEST LINK

While the technology teams use is often designed to mitigate threats and keep the business safe, those using the technology are not always adept in effective security practices. One of the key benefits of working with a training specialist on a security awareness program is that it addresses the weakest link within your security infrastructure: the employee.

Training provides the individual with the knowledge they need to detect and stop threats before they affect the business. By empowering employees to take the measures required to protect the company, firms minimise the potential for attackers to succeed against individuals. After training is completed, problems related to social engineering and other individually focused attacks can be reduced.

CONSISTENT APPROACH

A leading benefit of security training is that it keeps every team member on the same page when it comes to security. When a threat arises, each team member knows exactly what the process is for dealing with the problem. While responsibility still rests with the individual employee, they are given the tools and resources required to act on potential threats. Team members can work together in resolving security issues, building an environment of trust and confidence among coworkers.

A FOCUS ON PREVENTION

Prevention is far more affordable than responding to a security incident. Companies can save millions of pounds by using security awareness training to prevent attacks on their systems. Security awareness training is the ideal investment for the growing business intent on harnessing the newest technology.

SPEEDIER DETECTION

When attackers try to access company data using common techniques such as phishing, man in the middle attacks and social engineering, trained employees are able to detect and report a security incident far more quickly. Their training, awareness and vigilance allow them to notice unusual behaviour on their systems and alert their managers, who then initiate the appropriate response process.

The average 10,000-employee company spends $3.7 million a year on dealing with phishing attacks. (Ponemon)

Outlining Key Features in Your Security Awareness Training Program

In considering security training companies, business leaders must take into account the style of program offered by the firm. Only quality programs can ensure the best return on investment in security training. Let's look at the key features of a comprehensive security awareness training program.

INCORPORATE A VARIETY OF TOOLS

The leading security awareness training programs incorporate a range of tools and content to get the message across. From quizzes to hands-on training, programs should be diverse enough to cover all the methods employees need in order to learn about security.

INTEGRATED TESTING

The top awareness training providers offer integrated testing that simulates a security event (for example, a simulated phishing email) and measures how the team responds to it. Such testing has proven critical in improving team knowledge and giving management a clear view of the points of weakness within the organisation.

REGULAR TRAINING

The training program should include regular sessions that give employees the opportunity to build their understanding week by week. Short, regular training sustained over the long term has been shown to increase user understanding and help teams remember key training elements during their everyday activities.

SECURITY ROLES ASSIGNMENT

Additional training should be provided for those in management positions so they can oversee employee actions and deliver maximum return on investment. Management teams should be trained on the steps required to help team members progress through simulations and testing. They should also be trained on the actions required when real-time security issues are reported by team members.

COMPREHENSIVE REPORTING FEATURES

Training programs with built-in reporting tools provide actionable data on the strength of the company's security and make that information available to decision-makers. This significantly enhances the value of the program and supports team members in meeting their security goals. Reporting tools let teams see in clear detail where room for improvement exists and then target those areas in upcoming training.

GUIDANCE ON REAL-TIME ACTIONS

The training should prepare every individual to respond to security issues as they happen and to take active steps to manage an issue the moment it occurs. One of the key benefits of security awareness training is reducing the time it takes to respond to a security threat. The best programs guide team members on immediate responses to live events and help teams build a comprehensive policy for protecting data and hardware when a security issue arises.

UPDATES ON THE SECURITY ENVIRONMENT

Through regular training, employees also learn about the security environment as it evolves. In a fast-moving field it is difficult to track and respond to the latest threats with a one-off course. A regular training course allows the specialist to guide employees on new issues facing companies in their sector. Whether it is a new botnet or a new piece of malware, knowing what to look for can help limit the damage within the business.

TRAIN OUTSIDE THE BOX

Implement gamification techniques in your training plans. Challenge participants to take on the mission of security; use real-world scenarios in which they encounter obstacles and must role-play the decision of what to do next. By placing themselves in these scenarios, they actively engage in security practice and learn through hands-on experience how they themselves would, or should, act. Also take the opportunity to offer recognition of participant accomplishment
