Training to win

Start looking at people as your strongest cybersecurity asset and not your biggest problem. Unfortunately, viewing people through the lens of a problem to be dealt with is rampant amongst cybersecurity professionals. A look at the headlines and stats pushed out constantly reinforce this concept. “Employees cause more cyber breaches in healthcare than other industries, report finds,” “A hacked Kaiser Permanente employee’s emails led to breach of 70,000 patient records,” and “Verizon 2022 DBIR: 4 of 5 Data Breaches Cause by ‘Human Element,’ Business Partners Involved in 3 of 5” are only a small percentage of the cybersecurity news reporting bites out there. Even our own site, www.quantumvigilance.com, uses one of those statistics on our landing page, “85% of cybersecurity breaches involve a human element.” I do not want to deny that this has been an issue and continues to be an issue in cybersecurity. I want to change the paradigm from being a challenge to overcome, into an untapped opportunity. Employees must interact with your business systems and data, otherwise there is no business. We believe every employee can become a cybersecurity champion in any organization. Employees educated with a cybersecurity awareness mindset at the inception of time with your organization can be transformative. Instead of focusing on people as the most likely source of a data breach, we can ensure that they are also the most likely toto detect and sound the alarms when one does occur.

It Starts at the Beginning

Just like all cybersecurity measures, training is something that should be baked in the hiring process and not thrown in as an afterthought. Cybersecurity awareness training should be part of the onboarding process. Training should be brief and targeted to the new hire’s roles and responsibilities. Administrative staff members should not have the same access to data and technology than someone working as an information technology help desk staff member. Customization needn’t be something that is overly burdensome, as many of the same topics will apply across a large spectrum.

Onboarding Cybersecurity Awareness Training Must Have Topics

• Basic information technology terminology

• Basic cybersecurity terminology

• Acceptable use policies

• Cybersecurity incident detection and prevention

• Point of contact for cybersecurity incident reporting

While this list of topics may seem disparate, their range and scope cover most roles and responsibilities in your organization. Once the general topics have been covered, more focused components of job responsibilities can be tacked on to provide context.

How much more focused does it need to be? Let’s look at a what a targeted addition to training would look like for an administrative staff member. A receptionist’s training could include what a social engineering and a phishing attack would look like.

From: Jose Colon <ceo@quantumsvigilance.com>

To: John Reception <JR@quantumvigilance.com>

Cc:

Subject: Get this done ASAP!

Hey John,

I left the office in a rush and I am to jump in meeting that I can’t get out of. I’m going to

forward the details in a second, I need you to follow the directions and get the funds wired to

the account listed. This is a big account that we may lose if they don’t get funds by end of day.

Thanks,

Jose Colon

Once we get passed the fact that I have atrocious grammar (as can be attested to in the above email), the trainee may notice that the email address for me is a bit off. It reads quantumsvigilance.com instead of QuantumVigilance.com. Additionally, there is a sense of urgency that the sender trying to impart. Creating a sense of urgency is a manner of social engineering that flusters the recipient and may make them overlook my terrible grammar and incorrect email address. Effective cybersecurity awareness training would allow the receptionist to determine that this is a phishing attack. They would then quarantine the message in spam and know who to notify that they received the message. More importantly, the receptionist should know that it is of the utmost importance that they report such an incident even if they accidentally fell victim to the attacks (I just hope it wasn’t too large of a wire transfer, but then again why does the receptionist have access to banking information for a wire transfer anyway? This is a topic for another post).

Far too often, in life as well as in business, we have that “uh oh, I shouldn’t have done that,” moment and choose to bury our heads in the sand hoping no one realizes what we did (I’m reminded of all the times I have slipped on ice and taken a hilarious tumble here in Chicago). Instead, we want the employees to feel empowered by their newly acquired knowledge to seek out someone to let them know there was an “oopsy.” I guarantee, any cybersecurity professional would much rather hear about the mistake that may have happened instead of the mistake that no one admits ever happened. Empowering employees to report suspected cyberattacks will lead to better outcomes regardless of whether they made a mistake. There is a direct correlation between the percentage of people contributing to the organization’s cybersecurity awareness and the likelihood of positive outcomes in cases of cyberattacks such as phishing campaigns. The conclusion of the training would include some acknowledgement of the training and record that the concepts covered are understood.

Building on a Solid Base

Unfortunately, many companies flub onboarding and introductory training. Often, training falls to the wayside as a sunken cost instead of an investment. The Verizon Data Breach Investigation Report for 2022 reveals that cybersecurity training is still lagging despite an increase in cyberattacks. Cybersecurity awareness training has to be an ongoing investment in an organization’s cybersecurity strategy. Cybersecurity is a constantly changing landscape and training that was fresh and applicable this year may be outdated and irrelevant next. Additionally, training is best consumed on a regular basis instead of at a single instance to be remembered eternally. Continually reinforcing and adding to knowledge learned at the beginning of their tenure enables your people to have a refreshed sense of the dangers on the horizon. Regular training with employees does not need to be mundane classroom instruction. Interactive and enjoyable training is effective training

3 ways to engage employees in cybersecurity awareness training

1. Having a lunch and learn where your employees are provided a nice lunch and get to listen to a brief training presentation on cybersecurity awareness trends is an informal setting that can prove fruitful. We see companies doing a modified version of this with remote workers participating in a Zoom call and they’re provided with a GrubHub or similar credit to order the lunch they’d like. The added incentive of a free lunch may counteract the Zoom-fatigue we are all dealing with.

2. Simulated phishing campaigns are also useful. A simulated phishing campaign can act as a reinforcement of the cybersecurity awareness training that covers phishing. In addition to reinforcing knowledge, a simulated phishing campaign can provide important data points for follow up training and overall usefulness.

3. Gamification of training can also be highly useful when trying to break up standard training delivery. This can be combined into a team building exercise. Teams are created at the beginning of the month (no creating an all IT team, no cheat codes allowed) and provide daily or weekly clues tied directly to cybersecurity awareness. At the conclusion of the month, the teams get together (in person or virtually) and compete against one another for prizes. When done correctly these events are great for building comradery and employee morale (assuming the prize is something they will enjoy).

Regardless of the delivery method, cybersecurity awareness training conducted regularly can have positive outcomes in decreasing cybersecurity incidents.

Other Benefits

Cybersecurity awareness training has benefits beyond the added security provided by your increased knowledge base. An ongoing documented cybersecurity awareness training within your organization can show clients that you have a commitment to protecting their digital identity. Additionally, insurers are increasingly requiring companies show proof of their cybersecurity programs in place. A robust and continual cybersecurity awareness training cycle will assist in showing compliance with your insurer’s requirements and may lead to lower cybersecurity insurance premiums.

Insurers aren’t the only ones looking at your organization’s cybersecurity awareness training. It is becoming commonplace for various regulatory compliance entities to require established cybersecurity programs that include recurrent cybersecurity awareness training. This can be seen in the insurance industry with Kentucky, Maryland, and Vermont’s Insurance Data Security Laws. A cybersecurity awareness training requirement has been a staple in the healthcare industry as provisioned in HIPAA. The writing is on the wall, a strong cybersecurity program with a cybersecurity awareness training component will soon be a requirement for businesses moving forward in the digital age.

Fail to train, train to fail

Successful cybersecurity programs are wholistic endeavors that require buy-in from the leadership down. Cybersecurity cannot be seen as a single application or piece of hardware that solves all the bad things that can happen to your organization’s information technology infrastructure. Cybersecurity should be baked into the whole organization. The policies and procedures should reflect your organization’s commitment to cybersecurity. Continual training for all members of your organization is another way to show that commitment. We here at Quantum Vigilance can help your organization’s cybersecurity program with policy and procedure guidance, training initiatives, and more.

Resources:

1. https://www.healthcaredive.com/news/employees-cause-more-cyber-breaches-in-healthcare-than-other-industries-re/624269/

2. https://techcrunch.com/2022/06/14/hacked-email-kaiser-permanente-breach/

3. https://www.cpomagazine.com/cyber-security/verizon-2022-dbir-4-of-5-data-breaches-caused-by-human-element-business-partners-involved-in-3-of-5/

4. https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering

5. https://www.usnews.com/360-reviews/privacy/what-is-phishing

6. https://arxiv.org/pdf/2112.07498.pdf

7. https://www.verizon.com/business/resources/reports/dbir/

8. https://www.forbes.com/sites/forbestechcouncil/2021/07/23/16-strategies-to-ensure-a-phishing-exercise-has-a-strong-and-lasting-impact/?sh=18c5d79b2079

9. https://www.forbes.com/sites/forbestechcouncil/2020/03/17/the-gamification-of-cybersecurity-training/?sh=6d665a852a39

10. https://www.forbes.com/advisor/business/what-is-cybersecurity-awareness/

11. https://www.securitymagazine.com/articles/97858-lowering-cybersecurity-insurance-premiums-with-managed-security-services

12. https://www.huntonprivacyblog.com/2022/05/04/two-states-enact-insurance-data-security-laws/

13. https://www.huntonprivacyblog.com/2022/06/09/vermont-enacts-insurance-data-security-law/

14. https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/accountability.pdf