Security Awareness Training

Businesses That Do Not Provide Cybersecurity Awareness Training are Taking a Huge Risk

Most people are aware of the importance of cybersecurity and the need to take care when opening emails, browsing the internet or downloading apps on their mobile phones. If you ask anyone whether they are knowledgeable about cybersecurity and if they can recognize a malicious website or email, there’s a high chance that they will say yes.

A recent survey conducted by AT&T on 2,000 U.S. adults confirms that. 70% of the respondents to the survey said they were knowledgeable about cybersecurity, two-thirds of people said they know how hackers gain access to sensitive information on devices, and 69% of people said they were able to recognize suspicious websites at a glance.

However, although people are aware of the importance of cybersecurity, they do not always follow cybersecurity best practices. People take considerable risks with email and the Internet, and the survey suggests that their confidence in their ability to recognize scams, malicious websites, and suspicious emails is misplaced.

While most people claim to be able to recognize a suspicious website, only 45% of respondents said they knew those sites carried a risk of identity theft. 46% of respondents were unaware of the difference between active and passive cybersecurity threats. Passive cybersecurity threats are those where a threat actor simply monitors communications and gathers sensitive information, whereas an active attack involves some action or modification of communications. An example of a passive attack is a malicious actor eavesdropping on a connection to a website via an evil twin Wi-Fi access point. An example of an active attack would be a malware attack.

The average person lands on 6.5 malicious websites or suspicious social media accounts every day, and in many cases those sites are accessed deliberately. Suspicious websites include those whose addresses start with HTTP rather than HTTPS, which means the connection between the web browser and the website is not encrypted. They also include sites with lots of pop-ups, and unverified sites and social media accounts.

39% of respondents said they accessed suspicious streaming websites to view major sporting events, 37% would download files from suspicious websites if they wanted to find a song or video game that they couldn’t find elsewhere, and these sites would also be used to make purchases if they were offering a big discount. Considering that 70% of people said they were knowledgeable about cybersecurity, it is alarming that fewer than 40% of people consider common security risks when accessing the Internet. Only 32% of people considered the possibility of a network intrusion and just 31% of people considered whether an app or software could be malicious. The survey also revealed that people take big security risks with passwords: 42% of people reuse passwords on multiple websites and, alarmingly, 31% of people use a birthday as a password.

Businesses should take note of this survey. It was conducted on a sufficiently large number of people that it should be considered representative of the population as a whole, and it makes clear that employers need to provide cybersecurity awareness training to bring the level of knowledge about cybersecurity up to scratch and to teach employees the importance of following cybersecurity best practices. Even people who are aware of the risks will take shortcuts for convenience, so businesses should also consider restricting access to certain websites.

If you want to improve cybersecurity, you should start with the human element and try to eradicate risky behaviors. TitanHQ offers businesses a comprehensive cybersecurity awareness training platform – SafeTitan – that covers all aspects of security and cybersecurity in the workplace. The platform can be used to improve understanding of risks and teach the best practices that should be followed at all times. The training content is gamified, interactive, and fun, and has been shown to be highly effective at eradicating risky behaviors. SafeTitan is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to risky behaviors by employees. When a risky action is taken, the platform automates the intervention and delivers the relevant snippet of the company policy and training content specific to that risk or threat.

Businesses can also take advantage of WebTitan Cloud – a DNS-based web filtering solution that prevents employees from accessing known malicious websites. When an attempt to visit a malicious website is made, the connection to the site will not be made and the user will be informed that the site has been blocked. Businesses can also use the category-based filters in WebTitan Cloud to prevent employees from accessing certain types of websites, such as those that carry a risk of malware infections, for example peer-to-peer file sharing networks.

By educating the workforce on cybersecurity and implementing controls to restrict access to risky websites, businesses will be able to prevent more costly cyberattacks and data breaches. For more information on cybersecurity awareness training and web filtering, give the TitanHQ team a call.

How to Provide Security Awareness Training and Ensure it is Effective

Technical defenses need to be implemented to protect against cyber threats, but it is also important to provide security training to the workforce. Security awareness training involves teaching users how to identify and avoid cyber threats, and training users to follow the security best practices that are necessary for protecting devices, networks, and data.

When businesses analyze security incidents, they often find that the threat could have easily been identified and avoided. A ransomware attack, for example, could have been prevented had an employee recognized the phishing email that gave the attackers the credentials they needed to access the network. Employees are commonly thought of as a weak link in the security chain, but employees can actually be security assets. Through training, they can become important sensors that help to protect the company.

Security awareness training is necessary for all members of the workforce, from the CEO down. Security awareness training needs to be provided to all individuals when they join the company, and then periodically thereafter. 20% of businesses provide security awareness training once a year or less, but something so important needs to be provided more frequently as employees cannot be expected to retain all of the information from a single, annual training session and then apply that information to real-life situations continuously throughout the year.

Many businesses need to stop thinking of security awareness training as a checkbox item that needs to be completed for compliance or to take out cyber insurance. Effective training is required, and that means it needs to be provided continuously. If you don’t exercise, your muscles will become weak. The same applies to security awareness training.

Classroom or computer-based training should be provided, which should be augmented with presentations, quizzes, infographics, and videos. Regular refresher training sessions should be provided in bite-sized chunks that are easy to take on board and remember. The aim of security awareness training is to create a security culture where everyone knows to be constantly alert.

Businesses need to develop an incident response plan to ensure the business can continue to operate in the event of a disaster. Backups need to be made of critical data to ensure that no data is lost in the event of computer failure or a ransomware attack. If you don’t test those plans and backups, it is impossible to know if they work. The same is true for security awareness training. It is necessary to test to see if the knowledge from training has been retained by the staff, if that knowledge is being applied in real-world situations, and whether security awareness training is actually influencing behavior.

One of the best ways to do this is with phishing simulations. Phishing simulations are exercises that are conducted to determine how effective training has been and to identify any areas where training needs to be improved. If a large number of employees have fallen for a particular phishing simulation, it is clear that the training has not covered that particular threat in sufficient detail. Training can then be adapted to help employees understand. If an employee falls for a simulation, there should be consequences, but the consequences should not be punitive. The purpose is to improve security, not to punish employees, so the threat needs to be explained to the employee at the time to make sure that if it is encountered again, they will recognize it for what it is and act appropriately.

TitanHQ can help businesses with security awareness training and phishing simulations. SafeTitan is the only behavior-driven security training solution that delivers contextual training in real-time. With SafeTitan, alerts are generated when users take actions they shouldn’t, and those alerts are used to trigger timely training content with context. Since that training is delivered with context, the content provided is always relevant. SafeTitan also allows businesses to monitor how effective training is over time and how training is actually reducing risk.

“Every time an alert is triggered and comes into us, we map that alert or behavior in our database. This allows us to see the frequency of that behavior and monitor how it changes over time. You can measure this by user, by department, by country, by office, by business unit, and by organization,” says Stephen Burke, Product Director of SafeTitan, and founder and CEO of Cyber Risk Aware, which was recently acquired by TitanHQ. “And the beautiful side of it is, unlike most enterprise-grade software, it doesn’t just give mid to large enterprises the ability to demonstrate how effective their training is. MSPs can also offer this technology to their SMB clients, who maybe don’t initially know to seek that information.”

If you want to find out more about security awareness training, this interview with Stephen Burke with Expert Insights is a good place to start. We also recommend starting training with SafeTitan. You can get started today at zero cost by taking advantage of the SafeTitan free trial!