Cybersecurity Awareness Series: Is Cybersecurity Training Necessary and How Do I Know It’s Working?

Welcome to Cybersecurity Awareness Month! Throughout this month, we will explore a series of topics that revolve around essential questions to ask when reviewing your cybersecurity posture. Given the dynamic and complex nature of this field, we aim to initiate meaningful discussions within your organization. As the month continues, we hope these topics will spark valuable conversations and empower you to navigate this ever-expanding landscape effectively.

No matter the size or industry, one of the most important but also most overlooked areas of cybersecurity is employee training. It's no secret that the vast majority of data breaches and incidents stem from human error. Many of these incidents are caused by otherwise well-meaning, trustworthy employees who were never fully trained on the security risks of the data they handle every day. However, even the best-trained employee can slip up, which is why training not only needs to take place but must be backed by alerting and protections that confirm the practices taught in training are actually being followed.

Here, we'll outline some of the most vital training topics and the necessary follow-up to ensure their efficacy.

Data Security Training

What it is:

Data Security Training or Security Awareness Training is perhaps the most comprehensive and broadest form of security training required within an organization and, for that reason, is often the most daunting. However, studies show that 95% of cybersecurity breaches are caused by human error. A significant number of these incidents occur due to a lack of knowledge or education on proper security protocols, making it necessary for all employees to receive at least basic security awareness training.

While the content, methods, and topics in this type of training could easily warrant their own series of whitepapers, at a summary level, the following are topics that should be considered:

  • Types and classifications of secure data: Depending on the industry and the types of data accessed, training should cover what constitutes protected or sensitive data. This should include both data protected by compliance regulations, such as Personally Identifiable Information (PII) or financial data, and company-specific information such as vendor data, company secrets, part numbers, legal data, etc.

  • Secure data storage: Users should be educated on secure storage locations for protected data. This will likely focus on digital file storage and network locations but may also include physical security, depending on the environment.

  • Secure data transfer: One of the most common security errors users make is transferring data by the most convenient rather than the most secure means. This may include using personally owned removable drives, emailing to personal accounts, unsecured chat, etc.

  • Security practices: Keeping data secure relies on maintaining high levels of password hygiene, using encryption appropriately, and following security protocols.

How do I know if it’s working?

As general security awareness training encompasses many areas of the organization, including data categorization, endpoint workflows, and data protection practices, evaluating the training's success can be just as challenging as the training itself.

First, ensure that the security policies taught during the awareness program are well-communicated and available to the users after the training has been completed. These same policies should also be clearly reflected in the security software available within the organization. Rule sets, search terms, Group Policy Objects (GPOs), and system scans should be adjusted as needed to align with the policies covered in the training.

Secondly, it is vital to ensure that feedback can be received and tracked at the endpoint itself, as the majority of data handling, data changes, and data creation will occur at that location. For example, network-based monitoring applications will not provide metrics on removable drives in use or warnings when large amounts of protected data are being stored in unapproved locations on the desktop.

Lastly, consider systems that can provide real-time feedback and direction to the end user. Report after report confirms that most internal data incidents are caused by negligent or accidental disclosure of data. In many cases, the end user does not even realize the data is present or misplaces a file during a rush. Offering direct feedback to users not only reinforces the training provided but also helps prevent the next breach.


Phishing and Social Engineering

What it is:

If the topics of phishing and social engineering have not yet found their way onto an organization's threat list, they soon will. Phishing, along with its specialized variants such as spear phishing, whaling, vishing, and more, is rapidly proliferating and challenging to mitigate. While these threats originate from outside the organization, they specifically target individuals or groups, necessitating heightened vigilance among endpoint users. Compounding the risk is the fact that employees working remotely have caused email phishing risks to surge by up to 80%.

Phishing is a type of social engineering that seeks to deceive users into divulging data or granting access to confidential information, often involving passwords, Personally Identifiable Information (PII), or company infrastructure. Email is the most common medium for phishing, although malicious actors may also employ text messages, phone calls, or website links impersonating legitimate co-workers, vendors, or authorities.

Phishing and social engineering training primarily revolve around awareness. While phishing attempts are becoming increasingly sophisticated, often involving stolen data to more convincingly impersonate others, many cases still exhibit warning signs. In fact, 80% of companies employing social engineering training methods have reported success in making employees less susceptible to requests for information in calls and emails and more cautious regarding unusual links or contact information.

How do I know it's working?

Given the growing threat of phishing, many programs exist to train employees, provide follow-up materials, and conduct spot-testing by sending simulated emails or phone calls to unsuspecting employees. Nevertheless, continuous monitoring of email and other communication channels is a necessity to ensure that, when a genuine phishing attempt occurs, the organization's data remains securely protected. Outgoing emails should be continuously scanned for red flags, such as PII, company data, or unencrypted IP addresses being sent to suspicious or foreign domains.
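As an added example (not code from the original post), the outgoing-mail check described above in Python: it flags messages that contain PII or a classification label taught in training and are addressed to a recipient outside an approved domain list, and it applies a Luhn check so that ordinary digit runs such as order numbers are not mistaken for card numbers. The domain lists, the labels, and the sample messages are constructed assumptions, and the TLD-based "foreign" test is a deliberately coarse stand-in for the reputation or geolocation feed a real mail gateway would use.

```python
import re

# Constructed policy values (assumptions for this example, not from the original post).
APPROVED_DOMAINS = {"example-corp.test", "trusted-vendor.test"}  # sanctioned recipients
HOME_TLDS = {"test", "com"}  # any other TLD is treated as a "foreign" domain for review
CLASSIFICATION_LABELS = ("CONFIDENTIAL", "INTERNAL ONLY")  # labels taught in training
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers; Luhn-checked below

def luhn_ok(digits: str) -> bool:
    # Luhn checksum keeps random digit runs (order numbers) from being flagged as cards.
    doubled = lambda d: d * 2 - 9 if d > 4 else d * 2
    return sum(doubled(d) if i % 2 else d
               for i, d in enumerate(map(int, reversed(digits)))) % 10 == 0

def find_pii(body: str) -> list:
    # Returns the kinds of sensitive content present in a message body.
    hits = []
    if SSN_RE.search(body):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(body)):
        hits.append("card")
    if any(label in body.upper() for label in CLASSIFICATION_LABELS):
        hits.append("classified")
    return hits

def classify_recipient(address: str) -> str:
    # approved: on the allow list; external: off it; foreign: TLD outside HOME_TLDS.
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in APPROVED_DOMAINS:
        return "approved"
    return "external" if domain.rsplit(".", 1)[-1] in HOME_TLDS else "foreign"

def scan_outbound(messages: list) -> list:
    # One alert per non-approved recipient of any message carrying sensitive content.
    alerts = []
    for msg in messages:
        hits = find_pii(msg["body"])
        for rcpt in (msg["to"] if hits else []):
            kind = classify_recipient(rcpt)
            if kind != "approved":
                alerts.append((msg["id"], rcpt, kind, hits))
    return alerts

SAMPLE_MESSAGES = [  # constructed outgoing messages for the demonstration
    {"id": "m1", "to": ["finance@example-corp.test"], "body": "Q3 figures attached. CONFIDENTIAL."},
    {"id": "m2", "to": ["me@personal-mail.test"], "body": "Client backup, SSN 123-45-6789 inside."},
    {"id": "m3", "to": ["billing@supplier.example"], "body": "Card on file: 4111 1111 1111 1111"},
    {"id": "m4", "to": ["friend@webmail.test"], "body": "Order 1234567890123456 shipped."},
]
```

Running `scan_outbound(SAMPLE_MESSAGES)` yields alerts for m2 (SSN to an external personal mailbox) and m3 (card number to a foreign domain) only; m1 goes to an approved domain and m4's digit run fails the Luhn check.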

Work-From-Home Security Practices

Even with employees gradually returning to office buildings, working from home has become an inevitable aspect of every organization. While this may not be new, the challenges in securing this mobile workforce persist. In fact, according to a recent report by Gitnux, 66% of companies report an increase in cybersecurity risks when employees work from home. Employees who work remotely or split their time between locations require technical guidelines, protection, and training to ensure they can handle data securely while off the network.

While some of this training may be covered by general security awareness training, such as identifying protected data and secure data storage, additional topics and risks need to be addressed, including:

  • Handling or creating hardcopy data while offsite

  • Proper use of VPN or remote access

  • Sharing home resources

  • Time management and expectations

  • "Cross-contamination" of data between home and other employment

How do I know it's working?

Follow-up and tracking of activity and security incidents that occur offsite are perhaps the most challenging aspects of managing a remote workforce. Many traditional security tools rely on network connectivity to monitor and protect data effectively, so when a user connects from home or a hotel, their workflow becomes a black box. This is the primary reason why endpoint-based security that provides data beyond the network is crucial for organizations supporting work-from-home or traveling users.

In addition to continuous monitoring and security alerts, understanding the training status of remote employees requires a holistic approach. Since new risks arise in unregulated environments, gaining a comprehensive understanding of all aspects of a user's day is necessary to prevent data breaches and issues such as the misuse of personal storage drives, communication with unapproved third parties, time theft, or unauthorized access to organizational assets. Given that 52% of remote employees use their work computer for personal use, tracking security issues, compliance risks, and workflow changes provides valuable insights into both training successes and gaps that may need addressing.

Metrics required to fully analyze the success of security training for offsite workers may also include:

  • Applications in use during the workday with activity statistics

  • Analysis of significant workflow changes over time

  • Identification of sensitive data accessed, usage patterns, and changes

  • Direct violations of policies covered in training

  • Compliance violations by user or department


Cloud Security and Acceptable Use

What it is:

Cloud security training, in some sense, brings together many other aspects of security awareness training for both traditional office-based employees and remote employees. While the IT world continues to rapidly adopt cloud resources and software, organizations struggle to control access to these resources and secure their expanding perimeter. Gartner states that in the coming year, 99% of cloud security failures will be the customer's responsibility. The only way to begin combating this risk is to ensure reasonable usage policies are in place, published to employees, security training extends to the use of cloud resources, and usage is monitored to ensure governance.

An additional challenge that must be addressed when working on cloud security training is the never-ending scope of cloud resources available. While the most commonly used resource among employees will likely be cloud storage or file sharing, cloud usage also extends to web portals, data repositories, file management systems, email, and more.

How do I know it's working?

Monitoring the use of cloud resources is best managed by reviewing feedback and security alerts from multiple software sources. Web proxies and network-based tracking software are valuable here as a first line of defense, providing awareness of which websites and services are being used, at what times, and by which departments. However, web filtering and reporting software may not answer the other question that matters: how is my data handled when using these resources? For that answer, you will need file- and activity-based monitoring and alerting. Policies reviewed for training success should include metrics on:

  • What sites are accessed, and do these align with our acceptable use policies?

  • What data is being transferred to secure sites such as internal web portals?

  • When are files being uploaded to web-based email systems for storage or sending?

  • Are websites or FTP servers being accessed on or off the VPN, and for what purposes?

  • If files are being downloaded from web repositories, where are they stored after arriving on the machine?

  • How is data being entered into repositories or databases, and is it being copied or pasted elsewhere as well?

As we come closer to the end of Cybersecurity Awareness Month, we’ll be focusing our next feature on a few ways to improve general awareness of risks that exist in the environment.
