THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGTHEULTIMATEGUIDE TOSECURITYAWARENESSTRAININGIndexUnderstanding the cyber security landscape.7How security breaches occur:13The threats facing your organisation:17Harnessing the value of security awareness training:19Outlining key features in your securityawareness training program:22Refined security awareness training- best practices checklist:24Partner across departments:25Listen to your staff:25Incentivise awareness:26Commit to measurement:26Use relevant data:26Conduct random simulations:26Communicate:26The advantage of the cyber risk awaresecurity awareness program:27Conclusion - fortify your company andsecure your place in the digital market:283


THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGIntroduction to Information SecurityThe use of technology is an inescapable component of modern business operations. From manufacturing tomarketing, sales to finance, and every aspect of communications therein, technology plays an ever-increasingrole.Yet the risks associated with technology are well known. A recent report in the Atlantic found that 92% of IT firmshave reported attacks on their clients’ systems1. The dangers of leaving computers unprotected and theirrespective systems and data vulnerable, have cost companies millions of pounds per year. Therefore the impetusis on proactive management teams to guide their staff, through policies and training, on the critical importanceof cyber security.Consider the 2017 Equifax breach, in which, over a period of several months, millions of consumers wereimpacted. The company was initially warned that they needed to patch a software vulnerability, but their IT teamdid not follow the required protocol. They ran scans that should have detected the vulnerability but didn’t.Believing they were safe, business went on as usual.Then on May 13, hackers gained access to the Equifax servers, reportedly via one member of staff. The hackersthen instantly had information, including: social security numbers, private financial data, and addresses for over143 million people. The attack would only grow from that point on, demonstrating how a seemingly small securityflaw can become one of the largest and perhaps costliest attacks in history.There are thousands of stories of various scale, from businesses across the globe. Far and wide, cyber attacksand data breaches have increased in frequency and extent, and one has only to look at the aftermath of many ofthese disasters, to be prompted into action.For example, here is 2018, 5 years after the Target super-store data breach; the company is still dealing with theramifications of their security incident. Not only has Target spent upwards of 140 million pounds1 on their cleanupefforts and legal fines, but their settlement includes a requirement to strengthen their security program:including hiring a Chief Information Security Officer, improving security processes, and establishing a securitytraining program for their staff.1 -security-breach-settlement.html5

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGResearch released by the Global Cyber Security Capacity Centre affirms the indisputable importance of trainingin mitigating security risk. 2 It is only through committing to a comprehensive training program, one that willguide individuals on the elements of data safety, that organisational protection is possible.Our team at Cyber Risk Aware has decades of experience in the IT security industry. We’ve worked with clientsacross the globe in building security-training programs that safeguard their systems and support their teams.We’re now providing you with the tools to help your team meet its security objectives in the coming years. Thisguide will help provide a clear answer to this question and introduce you to the most strategies for mitigatingthreats to your company’s security. In the following pages you’ll learn more on: Understanding the modern cyber security landscape The techniques hackers use to gain entry to your systems The threats facing your company and its customers The value of a security awareness training program The key elements of a robust security awareness training program The best practices for commencing and sustaining security training22 ive/2016/09/ransomware-us/498602/6


THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAINING39%of businessessurveyed found a BYO device ontheir network that had downloadedMALWARECrowd Research Partners BYOD and Mobile Security ReportAs we come to depend more on technology in business as within our day-to-day lives, the threat to our systemsis evolving. We’ve moved on from simple viruses that attack a vulnerable PC leading to hours of removal andrepair work. We’re now in an era where the wireless technology is being used to control devices across theorganisation; where each individual has their own smart phone. Now, each team member has their own roleto play in protecting their organisation and its customers from outside threats. And so, the question becomes:What can organisations do to empower and guide individuals in supporting organisational security in this era ofincreased digital dependency?AN EVOLVING THREATWith an increasing consumer awareness on security breaches and data risks, companies must now be moreproactive in how they manage their systems. The studies show that cyber-attacks are increasing in bothfrequency and scale. Research by digital services company Gemalto found the number of data breachesworldwide increased by 164% between 2016 and 20173. And many growing companies across the countryare still not prepared to face the new and emerging threats.Let’s look at the factors that are influencing the current cybersecurity landscape and shaping the len.html

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGDEVICE CHANGESThe diversity and number of devices that both employees and customers of the modernorganisation use isincreasing. Whether it’s the latest iOS system or the newest Android release, mobile devices are nowincreasingly being targeted by hackers directly as a way to access business information and extract valuabledata.The newest devices might feature the latest security protocols, but companies must still put safeguards in place,and educate employees on the benefits of their use. This is particularly true within an organisation with a BYODpolicy, where outside devices are being brought into the office. Policies of this nature might give employees moreflexibility and autonomy within their positions, but they also present a threat to companies in which data controland access limitations are critical security considerations.THE IoTThe Internet of Things is a developing marketplace in which every item within the office, from the thermostat tothe refrigerator, is connected to the Internet to provide a constant data link that helps automate various elementsof office life. While this increasing automation is making the life of the modern employee easier, and helpingcompanies reduce costs, it also presents a very real security risk.70%of IoT devices onthe market today areVULNERABLEout of the box.Entrpreneur.com9

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGIn an environment where many systems are connected to the same server, it only takes a small flaw in a rarelyused product to allow access to the entire data infrastructure. And, all too often, connected devices are leftvulnerable through the use of default passwords, and standard security protocols that have long since beeninfiltrated by hackers.The IoT trend has given rise to the looming threat of botnets, which are automated systems that scan largeswaths of information in seconds for potential weaknesses. Botnets use default passwords and other standardsecurity processes to log-in to unprotected devices, allowing them to control the device after entry and then usethe data they find to impact the company, its staff and employees.In capitalising on the IoT trends within their companies, teams must maintain clear sight on their security goalsand mitigate the impact of automation on their security structure.LACK OF ONSITE SKILLSWith the increasing need for IT security guidance and the rising challenges emanating from across the globe,there’s a dearth of onsite skills for the modern business to utilise. Specialists in IT security, particularly inmodern IT security threats are few and far between.Recent data shows that 75% of organisations worldwide lack acybersecurity expert on their staff4. And this is leading companiesto turn to outside sources for a response to the challenge.It’s the reason many are outsourcing their security educationand working with trusted companies in ensuring their ITteams and other office staff have the information theyneed to make more effective security choices.10

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGNEW FORMS OF ATTACKIn recent years, attackers have also devised novel ways in which to attack organisations and access data.One of the more common methods in large-scale attacks in recent years has been the use of ransomware.Ransomware attacks involve infecting an organisation’s systems and then asking for a form of “ransom”in order to stop the attack and remove the infection.The success of these types of attacks was highlighted by the WannaCry event, in which 250,000 computers inover 150 countries, including systems in 16 NHS medical centers, were infected within less than a day.5 As withthe Equifax breach, a patch would have resolved the issue but, without a proactive focus on IT security,organisations incurred a significant cost.Business email compromise is another form of attack that is on the rise in recent years. The data shows thatbetween October 2013 and December 2016, hackers stole over 5.3billion in the U.S. alone through BEC attacks.6This style of threat is becoming more popular along with BYOD policies. Companies allowing their employeesto bring their own devices must be acutely aware of theimportance of email security and threat analysis.Many experienced professionals have fallen victim to sophisticated email attacks in recent years, simply due toa lack of education within organisations and a lack of attention to detail. The goal for the modern company is totrain employees to identify out of the ordinary requests and common strategies used by attackers to gain dataaccess.Prediction Models an Important Security Element within the current security field, AI-based prediction modelinghas become another important element in safeguarding companies against potential threats. Studies involvingthe use of AI-based machine learning programs are helping to determine when an organisation is mostvulnerable to attacks and through which channel a threat might be arise. This can give companies the upperhand in terms of defending their data and in threatmitigation over the coming years. The focus is now on helpingstaff work with these machine learning systems and on learning the measures to take when a threat with-5.3b-in-losses11

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGUSE OF APPLICATIONS AS A THREATWhile mobile applications are now helping improve the performance of smartphone and increasing thecapabilities at the hands of the mobile workforce, the data on mobile applications is at significant risk of attackin the modern area. Many organisations are now harnessing sever-less apps, which support greater scalability.These applications also capitalise on the use of data in transit. Data being sent between networks is at its mostvulnerable state and can be captured by coordinated attacks seeking out specification information on acompany, its employees and customers. The use of applications within their workforce can make companiesmore vulnerable to DDOS attacks, in which a server-less architecture might fail to scale with the demand forservice, leading to expensive disruptions for the company.90%of web applications haveinherent vulnerabilities caused bySECURITY FLAWSHPE Cyber Risk Report12


THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAINING58%of UK companieshave reportedDATABREACHESin the last two yearsGFI Software and Infinigate UKHow Security Breaches OccurIn learning more on information security, business leaders must first study the most common types of securitybreaches and how orgnisations have been impacted by these events. The following are common techniques thatattackers use to breach the security of the modern company.SQL ATTACKSSQL attacks are considered the low-hanging fruit of the security field, as they are one of the easiest to preventand yet remain among the most common techniques deployed by attackers. The SQL attack allows a hacker toenter malicious code in a piece of text, perhaps in an email or a Word document. The malicious code then allowsthe attacker to take over the device and extract specific data. Using this technique, cyber criminals have beenable to gain access to company financial information, customer data, and other high-value items that might bestored on a server.STOLEN PASSWORDSAnother common way in which attackers gain access to information is by stealing passwords from a companydirectory. They might gain access via a traditional SQL attack or by simply by using social engineering to acquireinformation over the phone. Teams must learn more on how social engineering is being used to gain access toinformation. In this scenario, a person may call and say they are from the firm’s IT security department andrequire access to login credentials to update their computer. In many cases, employees simply trust the personon the phone and provide their details of their own free will.14

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGA password can also be stolen easily if the user has kept their default password or if the password hasn’t beenupdated regularly. Hackers are now using botnets to brute force attacks using default passwords on millions ofcomputers over a short space of time. Keeping the default username and password on the device leaves the uservulnerable to password theft and data loss.MALWARE INSTALLATIONAnother common form of attack in recent years is through the use of malware. Malware is a form of malicioussoftware that, when installed on the target system, can be used to control system data and allow the attackerto steal all available information. The malware is often installed after an email is sent to the target. The email isusually designed to look as if it came from an authority within the company or a software manufacturer offeringan update. By accidentally installing malware on their computer systems, users can then allow the malware tospread throughout the company’s network, infiltrating all data areas and causing significant issues. It’s part ofthe reason that companies are now educating their employees on how to spot the signs of a malware infestationand guiding them on mitigating the issue before it begins to cost the company and its customers.DEVICE THEFTIn the BYOD era, companies are now giving mobile staff members the option of bringing their device with themand then using their personal device to communicate with customers and other employees. Data retained onthese devices has become highly valuable to attackers as it often contains the credentials for logging into secureareas of the company network. And so, when a device is lost or stolen, it can put the company at risk of asignificant financial loss. Proactive companies are now building policies that help to safeguard data in the eventof theft or loss.They are also encouraging employees to back-up their device data on cloud-based system to mitigate the threatand implementing BYOD policies such as document protection to ensure lost devices don’t lead to furtherfinancial loss for the company.65%of companiesdon’t enforce theirpassword policyPonemon Institute15

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGDOCUMENTATION ERRORSHuman error is another of the leading causes of security issues within the modern organisation. With the vastamount of documentation being disseminated throughout the globe, companies are now focused on usingthese documents effectively and preventing private document data from getting into the hands of cybercriminals. Oftentimes, a security breach within a large company is the result of a simple documentation error byan employee.The employee might simply make the mistake of publishing private data on a public resource,giving access to awebsite or the email address of a company employee which then leaves their data vulnerable. The forwarding ofsensitive information is another common mistake. Choosing the wrong email address or adding information thatshould have remained on a private server to the email chain can have a significant impact on the company.It’s why so many are now taking the time to teach their employees about how to work with documents and howto control the flow of information from their computer.FAILURE TO BACK UP DATAThe failure to back up the data on the server could make a security breach costlier when teams have to add thedata back into the system. Many security breaches not only result in the theft of data but also the loss of datafor the company. In the case of a stolen device for example, this could leave the team with no understandingon which data was lost and who has been impacted. Take the time to back up data regularly and find out whois using which data on the system. This data retention process can help create a chain of custody for the dataand prevent significant costs being incurred in the future. In view of these threats, what can companies do tosafeguard their data? There are multiple steps that should be followed in ensuring that data is safe and securitybreaches are eliminated. Our team at Cyber Risk Aware specialises in advising companies on IT security and werecommend the following steps be taken to prevent data breaches: Institute end user awareness training through a qualified company Craft a comprehensive encryption policy Perform regular vulnerability reviews with the team Apply patches regularly and review new patch options Back up all data regularly16


THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGIn safeguarding their company in the current landscape, business leaders must learn more on the commonthreats to their organisation and its data. Each industry faces varied risks from threat actors, each with their ownmotivation and intent. As leaders in the cyber security marketplace, Cyber Risk Aware staff regularly work withour clients in mitigating threats to their business and we have found the following threats to become a growingissue within today’s organisations:MAN IN THE MIDDLE ATTACKSOne of the more common modern techniques hackers use is a sophisticated version of the traditional man inthe middle attack. The attacker finds their way into the organisation and then places a keylogger or anothertracking system on a computer. New attacks use IOT devices to listen in on all wireless communications acrossthe network. They then gain access to a company email address and watch the communications that take placebetween the user and others in the company. Because they have access to the user’s credentials and theirpasswords, they can then act as the person in emailing others for financial information and private data.PHISHING SCAMSA recent phishing scam conducted by a Lithuanian cyber-criminal cost Facebook and Google more than 100milliion combined7. There are still rich rewards for phishing attacks and firms must be prepared to mitigate theissue. Companies continually fall victim to phishing scams, despite this technique being one of the morecommon and widely understood issue within the security marketplace. The typical phishing attempt involves asimple email which is designed to look like it came from an authority within the company. The email might askthe person to download a document or click a link within the content. Once the desired action has beencompleted, the attacker is given control of the device and can then access device data and act as the user ofthe system.BOTNETSA botnet attack begins with a single computer virus. The virus then spreads to connectedcomputers on the network, and then sends a signal back to its command center, which is operated by the cyber-criminal. From their command center, the criminal can then control all the computers within the botnet, anduse any data they discover as the review the network. Botnet attacks are on the rise across the globe and manyskilled hackers are even now offer botnets for hire for others to use. It’s a billion-pound industry that is only setto grow with the increasing success of botnet events.MALICIOUS JAVASCRIPTThe websites that we click on every day during work hours can detail specific information about our locationand our computer. Those with criminal intent can create sites that have a malicious JavaScript written into theprogramming to allow the instant download of a virus once the user opens the site. One click from a user withina company network can cause the download of a virus that shuts down the entire network, and potentially coststhe company thousands of pounds in lost revenue. This is yet another reason behind the importance of secureweb use and for installing the latest virus scanning and removal facebook-email-fraud/#2xmPdw5nLqqM


THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGTraining employees how to recognize and defendagainst cyber-attacks is the most under spent sectorof the cybersecurity industry.”John P. Mello Jr. – Tech BeaconWith the wide-ranging threats facing organisations in the modern business climate, the need to educateemployees is clear. But most companies still have little understanding on the importance that a comprehensiveemployee-training program can bring to their business and so here our experts will lay out the value providedthrough security trainingPROTECTING THE BUSINESSThe latest threats from computer hackers are designed to impact your business and steal money and data.Only through a proactive approach to security awareness training can companies ensure that each teammember is security savvy. Security awareness training can help keep businesses running effectively whena security incident arises. Training can also help to minimise business downtime and showcase the firm’sunderstanding of the current climate and its commitment to protecting customers and employees.REMOVE THE WEAKEST LINKWhile the technology teams use is often designed with the goal of mitigating threats and ensuring businesssafety, those using the technology aren’t always adept in effective security practices. One of the key benefitsof working with a training specialist on a security awareness program is that it removes the weakest link withinyour security infrastructure – the employee.It provides the individual with the knowledge they need to detect and stop threats before they impact thebusiness. By empowering the employee to take the measures required to protect the company, firms are nowminimising the potential for attackers to target individuals. After training is completed, problems related tosocial engineering and other individually-focused attacks can be reduced.20

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGCONSISTENT APPROACHA lead benefit of security training is that it keeps every team member is on the same page when it comes tosecurity. When a threat arises, each team member will know exactly what the process is for dealing with theproblem effectively. While the burden of responsibility is still on the individual employee, they are given the toolsand resources required to act on potential threats. Team members can work together in resolving security issues,building an environment of trust and confidence among coworkers.A FOCUS ON PREVENTIONPrevention is far more affordable than responding to a security issue. Companies can save millions of poundsby using security awareness training to prevent potential attacks on their systems. Security awareness trainingis the ideal investment for the growing business intent on harnessing the newest technology.SPEEDIER DETECTIONIn the event that hackers try to access company data or use any of the more common techniques such asphishing, man in the middle attacks, and social engineering, trained employees will be able to detect and reporta security incident in a much more efficient manner. Their security training, awareness, and vigilance will allowthem to notice the changes that have taken place on their system as a result of their training, and they can thenalert their managers who will initiate the appropriate response process.The average 10,000-employee company spends 3.7 million a year on dealing with phishing attacksPonemon21

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGOutlining Key Features in YourSecurity Awareness Training ProgramIn considering security-training companies, business leaders must take into consideration the style ofprogramoffered by the firm. Only quality programs can ensure the best return on investment in security training.Let’s look at the key features of a comprehensive security awareness-training program:INCORPORATE A VARIETY OF TOOLSThe leading security awareness training programs incorporate a range of tools and content to getthe message across. From quizzes to hand-on training services, programs should be diverse toincorporate all the methods employees require for education on security.INTEGRATED TESTINGThe top companies completing awareness training offer integrated testing measures that simulate asecurity event and test the teams based on their response to the simulated threat. Such testing hasproven critical in improving team knowledge and giving management staff a clear understanding onthe points-of-weakness within the organisation.REGULAR TRAININGThe training program should include regular education classes to give employees the opportunityto build their understanding on a week-by-week basis. Conducting short, regular training over thelong-term has been shown to increase user understanding and help teams remember key trainingelements during their everyday activities.SECURITY ROLES ASSIGNMENTAdditional training should be provided for those in management positions in order to overseeemployee actions and deliver maximum return on investment. Management teams should betrained on the steps required to help team members move forward within simulations and testing.They should also undergo training on the actions required when real-time security issues arereported by team members.22

THE ULTIMATE GUIDE TOSECURITY AWARENESS TRAININGCOMPREHENSIVE REPORTING FEATURESThe training programs featuring built-in reporting tools help provide actionable data on the strengthof the company’s security, and ensure the information is available to decision-makers. This helps tosignificantly enhance the value of the program and support team members in meeting their securitygoals. Reporting tools allow teams to see in clear detail where room for improvement exists and thento target these areas in upcoming training.GUIDANCE ON REAL-TIME ACTIONSThe training should prepare all individuals on how to respond to real-time security issues and helpthem take active steps in managing the issue the moment it occurs. One of the key benefits of securityawareness training is in reducing the time it takes to respond to a security threat. The best programsguide team members on immediate responses to real-time events and help teams build acomprehensive policy for protecting data and hardware in real-time when a security issue arises.UPDATES ON THE SECURITY ENVIRONMENTThrough their regular training, employees will also be able to learn more on the security environmentas it evolves. In a fast-paced marketplace such as this, it can be difficult to track and respond to thelatest threats with a one-off course. A regular training course allows the specialist to help guideemployees on new issues facing companies in their sector. Whether it’s a new botnet or a new pieceof malware, knowing what to look for can help mitigate potential damage within the business.TRAIN OUTSIDE THE BOXImplement gamification techniques into your training plans. Challenge your training participants totake on the mission of security; use real world scenarios for them to encounter obstacles and then haveto role play the decision of what to do next. By inserting themselves into these scenarios, they will beactively engaging in security practice and learning through hands on experience how they themselveswould or should act. Also, take the opportunity to offer recognition of participant accomplishment

Understanding the cyber security landscape. 7 How security breaches occur: 13 The threats facing your organisation: 17 Harnessing the value of security awareness training: 19 Outlining key features in your security awareness training program: 22 Refined security awareness training - be