Security Awareness Training

How to Improve the Effectiveness of Your Security Awareness Training

Cyberattacks on businesses have been increasing at an astonishing rate and are becoming much more sophisticated. A successful attack can cause long-lasting problems for a business because of the reputational damage, especially when sensitive customer data is stolen. Customers may be lost for good, and lawsuits following successful cyberattacks are increasingly likely. That is on top of the disruption to the business while the attack is remediated and the potential for permanent loss of data.

Many businesses invest considerable money into technical cybersecurity measures and while these are important and will block many attacks, some will bypass those defenses and will reach employees. Employees are an important line of defense and they should not be neglected. Education of the workforce on security best practices and the threats they may encounter can be the difference between a thwarted attack and an extremely damaging data breach.

An increasing number of businesses are recognizing that security awareness training for employees is a good investment and can significantly improve their security posture, but simply providing a training course to employees may not provide the expected benefits. You must make sure the training is effective to get a good return on your investment.

Security awareness training is important because cybercriminals usually target an organization’s employees. The Verizon 2022 Data Breach Investigations Report found that 82% of data breaches involve the human element, which includes responses to phishing emails, misconfigurations, and other mistakes that can open the door to hackers. Through security awareness training, bad security practices can be reduced and employees can be taught to be more security aware and to identify the telltale signs of phishing emails and other types of cyberattacks.

Security Awareness Training Tips to Make Training More Effective

Many security awareness training programs are not as effective as they should be, so to get the best bang for your buck you should consider the following.

Create a baseline against which progress can be measured

If you have yet to start providing security awareness training, make sure you create a baseline against which you can measure the success of the training program and ensure you continue to record metrics that allow you to measure progress. Keep records of training, who has completed each module, test results, the number of security incidents that you experience, and phishing simulation metrics.

Provide ongoing training

Security awareness training should be provided to all new hires as part of the onboarding process but don’t stop there. Even an annual training session is not sufficient. Training needs to be an ongoing process provided throughout the year. Only through continuous training are you likely to develop a security culture and be able to keep employees up to date on the latest threats.

Tailor the training to individuals

A one-size-fits-all training course is unlikely to be effective. Your workforce will consist of people who learn in different ways and have different levels of understanding about security, so your training content should reflect that. Staff members well versed in security will likely get bored by basic courses, but make courses too advanced too quickly and people will get left behind. You should also provide training based on the threats employees are likely to encounter, and those threats will differ by role.

Use a professional training course

You can develop a training course from scratch, but it will require a lot of effort to make sure it is effective for all employees, and then ensure it is kept up to date with the latest threat intelligence. You will likely have far greater success if you use a training solution provided by a cybersecurity company that has put the time and effort into making quality, engaging, fun, and gamified content, regularly updates that content, and provides a platform that allows training to be largely automated.

Ensure the training is engaging

Try to avoid classroom sessions where you explain threats and teach best practices. Also ensure that training is provided in manageable chunks that can be easily assimilated. Training should be engaging, interactive, and enjoyable, and should include a mix of training materials, including multimedia content, quizzes, and exercises.

Conduct phishing simulations

Ensure that the training process includes phishing simulations. These will allow you to measure how effective the training is and how people improve over time. Phishing simulations allow you to test to see whether training is being applied in the workplace and will identify individuals who require further training. Phishing simulations give employees practice at identifying phishing attempts and prepare them properly for real threats.

Provide training to everyone

Anyone can encounter a threat, and the CEO and board members are often targeted by cybercriminals as they have access to the most valuable data. Providing training to all will also help with the development of a security culture and employees are more likely to take training seriously if they know that everyone in the company must go through the same training process.

Security Awareness Training and Phishing Simulations from TitanHQ

TitanHQ has developed a comprehensive security awareness training program called SafeTitan to help organizations develop a security culture and change employee behavior. The platform includes an extensive library of training content, split into small modules that are easy to fit into busy workflows. The content is interactive, gamified, and engaging to improve knowledge retention and allows training to be tailored to different abilities and roles.

The platform also includes a phishing simulation platform for ongoing testing against specific phishing threats, and the platform will automatically deliver training in real-time in response to security mistakes by employees, ensuring training is provided where it is needed most at the time when it is most likely to be effective.

For more information about improving security awareness through SafeTitan, give the TitanHQ team a call and take a big first step toward creating a security culture in your organization.

Search Engine Poisoning for Malware Distribution

There has been a notable increase in search engine poisoning for distributing malware. Search engine poisoning is the term given to the manipulation of search engine results to display links to malicious websites. These websites can be used to phish for sensitive information, but this technique is most commonly used for distributing malware.

Search engine poisoning can be achieved in different ways. One way it is used to target businesses is to create a webpage and use search engine optimization techniques to target specific search queries. It can take a lot of time and effort to get webpages appearing in the organic search results for competitive search terms, but the queries typically targeted have little competition, so it is relatively easy to get pages ranking high in the organic listings. Attackers typically target low-volume business search queries, such as searches for contract templates, forms, and agreements. Since the person performing the search is looking to download content, they can easily be tricked into downloading a malicious file. Often the user will get the file they were looking for, but opening it silently installs malware.

Google is well aware that the higher up a webpage is in the search results, the more likely it will be visited. The prime spots are at the very top of the search engine results, and that area is reserved for sponsored links. Getting a malicious site in these links will maximize the traffic to a website, and advertisers compete for these advertising slots through the Google Ads online advertising platform. Advertisers can bid for these slots for key search terms that they want to target.

Google Ads are increasingly being used by malicious actors as an alternative method of search engine poisoning, and they achieve the greatest success when they target popular software downloads. An attacker will create a website advertising a popular software solution, often cloning the website of a legitimate brand. They will offer a download of that software on the site but will alter the installation file so that in addition to installing the software, malicious code will be executed silently which will install malware.

The domain names used closely mirror those of the legitimate brand, and typically include the brand name with additional characters or words to make the domain appear official. The installers are often code-signed, but with certificates that are invalid, even though those certificates were issued in the name of recognizable brands, so the signature does not validate, which is itself a warning sign. If the warning signs are ignored and the installation file is executed, malware will be installed.

The key to defending against these attacks is to prevent these malicious files from being downloaded, and ideally, prevent users from visiting the malicious websites. The early stages of the attack can be blocked with an ad blocker or web filter. A web filter can be configured to prevent a user from visiting the malicious website, whereas an ad blocker will only block the adverts and will not block search engine poisoning in the organic listings. A web filter can also be configured to block downloads of certain file types, such as executable files. In addition to blocking search engine poisoning, preventing downloads of executable files will help IT teams to control shadow IT – unauthorized software installations.
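As an added example (not TitanHQ's code, nor the logic of any named product), the following Python script applies the two checks described above to URLs: it flags hostnames that contain a brand name but whose registrable domain is not one of the brand's official domains, and it flags downloads whose path ends in an executable file type. The brand names, official domains, blocked-extension list and sample URLs are constructed for illustration, and the registrable-domain logic is a simplified stand-in for a proper public suffix list.

```python
"""Added example, not TitanHQ's code: flag URLs that impersonate a brand
or deliver an executable, the two patterns described in the text. Brand
names, official domains, the blocked-extension list and the sample URLs are
all constructed for illustration."""
import re
from urllib.parse import urlparse

# Constructed: brand keyword -> the brand's legitimate registrable domains.
OFFICIAL_DOMAINS = {
    "examplebrand": {"examplebrand.com", "examplebrand.co.uk"},
    "notepadtool": {"notepadtool.org"},
}

# Assumed list of file types the web filter refuses to download.
BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js", ".vbs", ".iso"}

# Tiny stand-in for the public suffix list; a real filter would use the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain of a hostname (the part a person
    actually controls), e.g. 'www.examplebrand.com.evil.org' -> 'evil.org'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(host: str):
    """Return the brand a hostname impersonates, or None. A host is a
    lookalike when a brand name appears in it (with extra characters,
    words or subdomains around it) but the registrable domain is not one
    of the brand's official domains."""
    host = host.lower()
    registrable = registrable_domain(host)
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand in host and registrable not in official:
            return brand
    return None


def file_extension(path: str) -> str:
    """Lower-cased extension of the URL path, or '' if there is none."""
    match = re.search(r"(\.[a-z0-9]+)$", path.lower())
    return match.group(1) if match else ""


def assess_url(url: str) -> dict:
    """Decide whether a web filter should block the request and why."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    brand = lookalike_brand(host)
    if brand:
        reasons.append(f"hostname impersonates {brand}")
    ext = file_extension(parsed.path)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"executable download ({ext})")
    return {"url": url, "block": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed URLs: a cloned download site, a subdomain trick,
    # the real site serving an installer, and a harmless PDF.
    for u in (
        "https://examplebrand-download.net/setup.exe",
        "https://www.examplebrand.com.evil.org/setup.msi",
        "https://www.examplebrand.com/downloads/setup.exe",
        "https://www.examplebrand.com/docs/guide.pdf",
    ):
        print(assess_url(u))
```

The brand check deliberately keys on the registrable domain rather than the full hostname, so `www.examplebrand.com.evil.org` is caught even though it begins with the genuine hostname; the extension check is what a "block executable downloads" web filter rule does, and it applies to the genuine site too, which is the trade-off the text mentions when it talks about controlling shadow IT.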

These methods of malware distribution should also be covered in security awareness training. Businesses should teach their employees security best practices and make them aware of risks such as phishing and email-based attacks, and search engine poisoning and other web-based attacks. Security awareness training adds an important layer of protection and helps to improve human defenses, which is vital as the majority of cyberattacks are the result of human error.

TitanHQ can help improve security through its portfolio of cybersecurity solutions which include SpamTitan Email Security, WebTitan Web Filtering, and the SafeTitan Security Awareness Training and Phishing Simulation platform. For more information, to arrange a product demonstration, or to register for a free trial with full product support, give the TitanHQ team a call today.

Review Your Cybersecurity Strategy to Ensure it is Still Effective

There has been an increase in the use of information-stealing malware by cybercriminals. Infostealers are typically installed to steal a range of sensitive data from a user’s device, such as system information, usernames and passwords, and cryptocurrency wallets. Infostealers typically have keystroke logging capabilities, allowing usernames and passwords to be captured and exfiltrated to the attacker’s command and control server, after which the user’s accounts can be accessed.

In 2022, cybercriminals increasingly used these types of malware in their attacks on businesses. The latest information stealers have been developed specifically for this purpose and instead of targeting individual accounts, they are being used for much more extensive attacks on businesses, and steal system information and session cookies that allow multifactor authentication controls to be bypassed.

If the malware is installed, changing passwords will have little effect, as the attacker will already be in the system. Multifactor authentication can prevent stolen credentials from being used to access accounts, but modern malware is capable of stealing session cookies allowing accounts to be accessed. While multifactor authentication is important, it is not effective if the system has already been compromised. Further, phishing kits are now used that are capable of obtaining session cookies and bypassing multifactor authentication.

Phishing attacks have also become more sophisticated, and a wide range of malicious attachments is now used to distribute malware and direct users to malicious websites. While Office documents are still common, archive and disk image files (ZIP, ISO), OneNote files, image files, HTML files, and more are now used for malware distribution, and many of these are not blocked by email security solutions. To protect against these new malware variants and multifactor authentication-bypassing phishing attacks, businesses need to rethink their protections.

An email security solution is required to block malware delivery via email and identify and block the phishing emails that are used for credential theft. Email security solutions will block previously seen phishing emails, and are regularly updated with the latest threat intelligence; however, many are not effective at detecting zero-day threats. An email security solution with machine-learning capabilities is required to block more of these new threats, and for malware protection, sandboxing is required in addition to standard antivirus protection. Any attachments that pass AV inspection – which looks for signatures of known malware – are sent to the sandbox for behavioral analysis. This allows zero-day malware threats to be identified and blocked. SpamTitan has AI/machine learning capabilities and provides AV protection and sandboxing.

Even advanced email security solutions such as SpamTitan should not be used in isolation, as no email security solution will block every threat. Email security solutions will massively reduce the number of malicious emails that are delivered to inboxes, but will not block SMS-based phishing attacks and web-based attacks. One way of improving protection is to use a web filter. A web filter is used to carefully control access to the Internet and can restrict access to websites that serve no work purpose. Web filters are updated with the latest threat intelligence and will block access to known malicious websites, and can be configured to block downloads of risky files from the Internet. They will also significantly improve protection against malicious hyperlinks in emails, providing time-of-click protection. WebTitan Cloud is one of the easiest web filters to implement, and can be set up in just a few minutes and will protect against cyberattacks over the Internet.

Multifactor authentication is important and will protect against the majority of automated attacks on accounts, but not all MFA is the same. The latest phishing kits can steal session cookies and bypass multifactor authentication controls. Businesses should consider implementing phishing-resistant MFA based on FIDO standards, as this will provide a much higher degree of protection.

An often neglected layer of security is security awareness training. Businesses are increasingly realizing the importance of security awareness training and more businesses now provide training to their employees, but providing once-a-year training sessions is not enough. Security awareness training needs to be regular if it is to be effective, so training courses should run continuously throughout the year. A modular course that delivers training every month in short sessions will be far more effective than a once-a-year training session. Businesses should also provide targeted training, with training courses developed based on an individual’s role and the threats they are likely to encounter. Phishing simulations should also be conducted to identify areas where training is not proving to be effective and to allow targeted training to be provided to individuals who fail to recognize threats. TitanHQ can help in this area through the SafeTitan security awareness training and phishing simulation platform.

With cyberattacks increasing in number and sophistication, there is no better time to revise your defenses than now. For more information on how you can improve your defenses against phishing, malware, business email compromise, and other cyberattacks, give the TitanHQ team a call.

QBot Malware Distributed via SVG Files and Hijacked Message Threads

A phishing campaign has been detected that is being used to deliver QBot malware, one of the oldest malware families still in use. QBot malware has been around since at least 2009 and is known by many different names, including QakBot, QuackBot and Pinkslipbot. One of the primary functions of the malware is to steal passwords, although the latest variants also serve as a backdoor into victims’ systems. As is the case with many other Trojan malware variants, the group operating the malware works as an initial access broker for ransomware gangs. After the gang has achieved its aims, access to compromised devices is sold to ransomware gangs.

The threat actors behind QBot malware have previously worked with the operators of the Emotet botnet, and used the Emotet malware for delivering QBot; however, the law enforcement takedown of the Emotet botnet in January 2021 forced the group to switch attack vectors, and since then QBot malware has been primarily distributed using phishing emails. Now the group has been observed using a new tactic in its phishing campaigns that use Scalable Vector Graphics (SVG) files.

SVG files are a web-friendly, XML-based vector image format that has become popular because it supports interactivity and animation, and it is that support for interactivity that makes SVG files a good choice for malware distribution. SVG files can contain HTML tags, and JavaScript can be placed inside <script> elements within the image; in this case, the JavaScript is malicious. The phishing emails carry an HTML attachment, which loads an SVG file from the Internet. The SVG image is referenced within an <embed> or <iframe> tag and is displayed, but the JavaScript in the image is also executed.

In this campaign, the JavaScript within the SVG image assembles the malware directly on the user’s device, instead of downloading the malware from the Internet, as that would risk detection by security solutions. The malware is packaged into a ZIP file that is password protected, so antivirus solutions cannot scan the content. The user is provided with the password to open the zip file in the HTML. The user is told that if the file is not displayed correctly, they will need to open the downloaded file, which will trigger the installation of QBot, bypassing traditional network defenses.
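The two paragraphs above describe three things a gateway or an analyst can look for: an HTML attachment that embeds an SVG, an SVG that carries script, and a ZIP archive that is password-protected so its contents cannot be scanned. As an added example (not code from the QBot campaign and not TitanHQ's), the Python below implements those three checks and runs them over constructed samples. The sample HTML, SVG and the `cdn.example.invalid` URL are made up for illustration; since Python's zipfile module cannot write encrypted archives, the "password-protected" sample is produced by patching the ZIP general-purpose flag byte, which is exactly the bit the detector inspects.

```python
"""Added example, not code from the QBot campaign or from TitanHQ.
Three checks for the attachment chain described above: an HTML file that
embeds an SVG, an SVG that carries script, and a password-protected ZIP.
All sample inputs below are constructed for illustration."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET


def svg_has_script(svg_bytes: bytes) -> bool:
    """True if the SVG contains a <script> element or any on* event-handler
    attribute (e.g. onload); both run JavaScript when the image is rendered."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return False  # not well-formed XML; leave it to other checks
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()  # drop the XML namespace prefix
        if tag == "script":
            return True
        if any(attr.lower().startswith("on") for attr in el.attrib):
            return True
    return False


# <embed>, <iframe> or <object> whose src/data attribute we want to inspect.
EMBED_RE = re.compile(
    r"<(?:embed|iframe|object)\b[^>]*?\b(?:src|data)\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE,
)


def html_embedded_svg_sources(html: str) -> list:
    """Return the src/data values of embedding tags that load an SVG, whether
    from a remote URL or an inline data: URI."""
    hits = []
    for src in EMBED_RE.findall(html):
        lowered = src.lower()
        if lowered.endswith(".svg") or lowered.startswith("data:image/svg+xml"):
            hits.append(src)
    return hits


def zip_has_encrypted_entries(zip_bytes: bytes) -> bool:
    """True if any entry has the encryption bit (bit 0 of the general-purpose
    flag) set, i.e. the archive is password-protected and cannot be scanned
    without the password the HTML lure hands to the user."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())


# --- Constructed samples -----------------------------------------------------

SAMPLE_HTML = """<html><body>
<p>If the image does not display correctly, open the downloaded file.
Password: 1234</p>
<embed src="https://cdn.example.invalid/image.svg" type="image/svg+xml"></embed>
</body></html>"""

SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
  <script type="text/javascript"><![CDATA[ /* payload assembly would go here */ ]]></script>
</svg>"""


def make_zip(encrypted: bool) -> bytes:
    """Build a small ZIP in memory. zipfile cannot write encrypted archives,
    so for the 'encrypted' case the general-purpose flag is patched in both
    the local file header (offset 6) and the central directory entry
    (offset 8) to set the encryption bit, which is what a scanner sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "/* constructed placeholder */")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    print("HTML embeds SVG from:", html_embedded_svg_sources(SAMPLE_HTML))
    print("SVG carries script:", svg_has_script(SAMPLE_SVG))
    print("ZIP is password-protected:", zip_has_encrypted_entries(make_zip(True)))
```

The SVG check walks the parsed XML rather than grepping for the string "script", so it also catches namespaced `<svg:script>` elements and event-handler attributes such as `onload`, which is where script hides when there is no `<script>` element at all. The ZIP check does not need the password: the encryption flag is in the clear in the archive headers, which is why "encrypted ZIP attached to an HTML lure" is a usable gateway rule even though the content itself cannot be inspected.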

One of the ways that these campaigns can be identified and avoided is through security awareness training for the workforce to educate employees about the risks of opening files sent via email. One of the standard tenets of security awareness training has been to tell employees not to open files in unsolicited emails or from unknown individuals. That advice is not particularly helpful, as employees are often required to open emails from unknown individuals or unsolicited messages as part of their jobs, and in this case, that advice would not be effective.

QBot, like Emotet, is capable of hijacking message threads on infected devices and inserting its malicious content. In this campaign, a previous email correspondence is hijacked, text is inserted, and the message is sent. That text is simple, yet effective: “Good afternoon, Take a look at the attached file. Thanks.” The email will have been sent from a genuine email address, the sender is known to the recipient, and the email is not unsolicited as there has been a previous conversation. The only clue that the message is not a genuine reply is that the email conversation is old; in this case, it was from two years ago.

It is important to provide security awareness training to the workforce but in order to be effective, the training needs to be ongoing and should include examples of the latest phishing techniques, such as this technique for distributing QBot.

5 Reasons Why You Should Conduct Phishing Simulations on Employees

Cybersecurity experts agree that security awareness training is an important part of any cybersecurity strategy. You can implement next-generation technology to repel malicious actors and prevent and rapidly detect cyberattacks, but it is important not to forget about the human element. According to the Verizon 2022 Data Breach Investigations report, 82% of all data breaches involve the human element. Through training, you can teach cybersecurity best practices and reduce risky behaviors that open the door to hackers, and you can train employees how to identify phishing.

The percentage of companies providing security awareness training to their employees is increasing as the importance of training is now better understood, but one aspect of the training process that is often neglected is conducting phishing simulations on the workforce. Phishing simulations are fake but realistic phishing emails that businesses send internally to employees. You may wonder why you should do such a thing. Well, there are clear benefits that come from doing so. Here we provide five reasons why conducting phishing simulations on employees is beneficial.

1.   Create a Baseline to Measure the Effectiveness of your Training

Many companies provide security awareness training but are unable to measure its effectiveness, other than a reduction in data breaches and phishing incidents. Phishing simulations are a great way to monitor the effectiveness of training over time and clearly show the return on investment. Conduct phishing simulations before you start your training program and you have a baseline against which you can measure the effectiveness of training over time and see the ROI.

2.   Test the Effectiveness of Training in a Work Setting

You can show an employee the signs of phishing that they need to look out for, and you can test to make sure they have understood the training at the end of the training course, but that does not mean the training will be remembered nor that it will be applied when they are at work. Phishing is often successful because the emails arrive in inboxes when employees are busy, and that is why mistakes are made. Phishing simulations allow you to test whether training is being applied and whether it is proving to be effective.

3.   Identify Weak Links

While most employees will take the training on board, will take greater care, and will follow the security best practices they have learned, there will always be employees who do not. Phishing simulations allow you to identify the weak links and take proactive action to address the problem before the employee falls for a real phishing email. A failed phishing simulation is an opportunity for intervention training. You can deliver training instantly in response to the problem, and provide a specific training course relevant to the mistake that was made. Providing relevant training at the point when the error is made is the most effective way of eradicating risky behaviors.

4.   Practice Makes Perfect

You should not expect every employee to become a security Titan the second they complete their training course. They will not be able to instantly identify every phishing threat. It takes time to build up security awareness and create a security culture. Phishing simulations are a great way to do this. They give employees practice at identifying phishing threats in a safe setting. When a real threat arrives in their inbox, they will be much more likely to be able to identify the malicious message.

5.   Identify Weaknesses in the Training Course

Phishing simulations identify human weaknesses to allow further training to be provided, but they also identify problems with the training course. If you send a phishing simulation that a large number of employees fail, that is likely to indicate a problem with the training course – A type of threat that you have not covered sufficiently well. You can then update your training course to ensure that specific threat is properly explained.

SafeTitan from TitanHQ

TitanHQ has developed a comprehensive security awareness training solution for businesses called SafeTitan. The platform includes an extensive library of training content on all aspects of security, with the courses divided into short computer-based training modules of no more than 10 minutes, which makes them easy to fit into busy workflows.

The training content is fun, gamified, and engaging, and is proven to help eradicate risky security practices and reduce susceptibility to phishing attempts. The platform includes a phishing simulator for testing whether employees can recognize phishing attempts – the most common way that cybercriminals attack businesses. Phishing simulation data shows susceptibility to phishing attacks can be reduced by up to 80% with SafeTitan.

If you have yet to provide security awareness training to your workforce and are not conducting phishing simulations, the ideal time to start is now. Contact TitanHQ today for more information or sign up for a free trial of the solution and put it to the test before deciding on a purchase.

Businesses That Do Not Provide Cybersecurity Awareness Training are Taking a Huge Risk

Most people are aware of the importance of cybersecurity and the need to take care when opening emails, browsing the internet or downloading apps on their mobile phones. If you ask anyone whether they are knowledgeable about cybersecurity and if they can recognize a malicious website or email, there’s a high chance that they will say yes.

A recent survey conducted by AT&T on 2,000 U.S. adults confirms that. 70% of the respondents to the survey said they were knowledgeable about cybersecurity, two-thirds of people said they know how hackers gain access to sensitive information on devices, and 69% of people said they were able to recognize suspicious websites at a glance.

However, despite being aware of the importance of cybersecurity, cybersecurity best practices are not always followed. People take considerable risks with email and the Internet, and the survey suggests that the confidence in the ability to recognize scams, malicious websites, and suspicious emails is misplaced.

While most people claim to be able to recognize a suspicious website, only 45% of respondents said they knew those sites carried a risk of identity theft. 46% of respondents were unaware of the difference between active and passive cybersecurity threats. A passive threat is one where a threat actor simply monitors communications and gathers sensitive information, whereas an active attack involves some action, such as modifying communications or running code on the victim’s device. An example of a passive attack is a malicious actor capturing unencrypted traffic on a Wi-Fi network; an example of an active attack is a malware infection.

The average person lands on 6.5 malicious websites or suspicious social media accounts every day and in many cases, those sites are accessed deliberately. Suspicious websites include those that start with HTTP rather than HTTPS, which means the connection between the web browser and the website is not encrypted. Suspicious sites include those with lots of pop-ups, or unverified sites and social media accounts.

39% of respondents said they accessed suspicious streaming websites to view major sporting events, 37% would download files from suspicious websites if they wanted to find a song or video game that they couldn’t find elsewhere, and these sites would be used to make purchases if they were offering a big discount. Considering that 70% of people said they were knowledgeable about cybersecurity, it is alarming that less than 40% of people consider common security risks when accessing the Internet. Only 32% of people considered the possibility of a network intrusion and just 31% of people considered whether an app or software could be malicious. The survey also revealed people take big security risks with passwords. 42% of people reuse passwords on multiple websites and alarmingly, 31% of people use a birthday as a password.

Businesses should take note of this survey. With 2,000 respondents, the sample is large enough to be indicative of the wider population, and the results make it clear that employers need to provide cybersecurity awareness training to bring knowledge up to scratch and to teach the importance of following cybersecurity best practices. Even people who are aware of the risks will take shortcuts for convenience, so businesses should also consider restricting access to certain websites.

If you want to improve cybersecurity, you should start with the human element and try to eradicate risky behaviors. TitanHQ offers businesses a comprehensive cybersecurity awareness training platform – SafeTitan – that covers all aspects of security and cybersecurity in the workplace. The platform can be used to improve understanding of risks and teach the best practices that should be followed at all times. The training content is gamified, interactive, and fun, and has been shown to be highly effective at eradicating risky behaviors. SafeTitan is the only behavior-driven security awareness training platform that delivers intervention training in real-time in response to risky behaviors by employees. When a risky action is taken, the platform automates the intervention and delivers the relevant snippet of the company policy and training content specific to that risk or threat.

Businesses can also take advantage of WebTitan Cloud, a DNS-based web filtering solution that prevents employees from accessing known malicious websites. When an attempt to visit a malicious website is made, the connection is not made and the user is informed that the site has been blocked. Businesses can also use the category-based filters in WebTitan Cloud to prevent employees from accessing types of websites that carry a high risk of malware infection, such as peer-to-peer file sharing networks.

By educating the workforce on cybersecurity and implementing controls to restrict access to risky websites, businesses will be able to prevent more costly cyberattacks and data breaches. For more information on cybersecurity awareness training and web filtering, give the TitanHQ team a call.

How to Provide Security Awareness Training and Ensure it is Effective

Technical defenses need to be implemented to protect against cyber threats, but it is also important to provide security training to the workforce. Security awareness training involves teaching users how to identify and avoid cyber threats, and training users to follow the security best practices that are necessary for protecting devices, networks, and data.

When businesses analyze security incidents, they often find that the threat could have easily been identified and avoided. A ransomware attack, for example, could have been prevented had an employee recognized the phishing email that gave the attackers the credentials they needed to access the network. Employees are commonly thought of as a weak link in the security chain, but employees can actually be security assets. Through training, they can become important sensors that help to protect the company.

Security awareness training is necessary for all members of the workforce, from the CEO down. Security awareness training needs to be provided to all individuals when they join the company, and then periodically thereafter. 20% of businesses provide security awareness training once a year or less, but something so important needs to be provided more frequently as employees cannot be expected to retain all of the information from a single, annual training session and then apply that information to real-life situations continuously throughout the year.

Many businesses need to change their thinking on security awareness training from it being a checkbox item that needs to be completed for compliance or to take out cyber insurance. Effective training is required, and that means it needs to be provided continuously. If you don’t exercise, your muscles will become weak. The same applies to security awareness training.

Classroom or computer-based training should be provided, which should be augmented with presentations, quizzes, infographics, and videos. Regular refresher training sessions should be provided in bite-sized chunks that are easy to take on board and remember. The aim of security awareness training is to create a security culture where everyone knows to be constantly alert.

Businesses need to develop an incident response plan, together with a business continuity plan, so that the business can continue to operate in the event of a disaster. Backups of critical data need to be made to ensure that no data is lost in the event of a computer failure or ransomware attack. If you don’t test those plans and backups, it is impossible to know if they work. The same is true for security awareness training. It is necessary to test whether the knowledge from training has been retained by staff, whether it is being applied in real-world situations, and whether the training is actually influencing behavior.

One of the best ways to do this is with phishing simulations. Phishing simulations are exercises that are conducted to determine how effective training has been and to identify any areas where training needs to be improved. If a large number of employees have fallen for a particular phishing simulation, it is clear that the training has not covered that particular threat in sufficient detail. Training can then be adapted to help employees understand. If an employee falls for a simulation, there should be consequences, but the consequences should not be punitive. The purpose is to improve security not to punish employees, so the threat needs to be explained to the employee at the time to make sure that if it is encountered again, they will recognize it for what it is and act appropriately.

TitanHQ can help businesses with security awareness training and phishing simulations. SafeTitan is the only behavior-driven security training solution that delivers contextual training in real-time. With SafeTitan, alerts are generated when users take actions they shouldn’t, and those alerts are used to trigger timely training content with context. Since that training is delivered with context, the content provided is always relevant. SafeTitan also allows businesses to monitor how effective training is over time and how training is actually reducing risk.

“Every time an alert is triggered and comes into us, we map that alert or behavior in our database. This allows us to see the frequency of that behavior and monitor how it changes over time. You can measure this by user, by department, by country, by office, by business unit, and by organization,” says Stephen Burke, Product Director of SafeTitan, and founder and CEO of Cyber Risk Aware, which was recently acquired by TitanHQ. “And the beautiful side of it is, unlike most enterprise-grade software, it doesn’t just give mid to large enterprises the ability to demonstrate how effective their training is. MSPs can also offer this technology to their SMB clients, who maybe don’t initially know to seek that information.”

If you want to find out more about security awareness training, this interview with Stephen Burke with Expert Insights is a good place to start. We also recommend starting training with SafeTitan – You can get started today at zero cost by taking advantage of the SafeTitan free trial!