
What’s the most powerful weapon in a cybercriminal’s arsenal? It’s not malicious software or botnets. It’s you — or more accurately, your ignorance.
And they’ll gladly exploit it. Remember that close to 88 percent of data breaches are the result of human error. You want to do everything you can to make sure you don’t become part of that statistic.
That’s why cybersecurity training is so important, and why, in a world increasingly defined by remote work and digital technology, it’s no longer optional. But what should your training focus on? What are the most important security topics for your business?
We’ll go over them below.
Humans will always be the weakest link in any system — and hackers know it. Unless there’s a vulnerability that they can exploit, criminals will almost always try to target your employees first. Why would a criminal spend hours or days trying to break through a firewall when they can just fool Jim from accounting into giving up his passwords?
Social engineering attacks work through psychological manipulation. They might create a sense of urgency or excitement to make a target act without thinking or pretend to be someone a user trusts. They also tend to occur during times of the day when users are more likely to be tired or distracted.
Phishing is the most common form of cyber crime, and also one of the oldest. How it works is simple. By posing as someone their target is likely to either know or trust, a criminal tries to trick them into doing one of the following:
Common phishing tactics include:
Something of a middle ground between phishing and fraud, business email compromise (BEC) involves a cybercriminal impersonating a trusted source, typically an executive, a vendor or a business partner, usually over email. The goal is to convince the target that the request is legitimate, at which point the attacker asks for sensitive data or a payment, such as a wire transfer to an account they control. Common impersonation tactics include:
The best way to defeat a social engineering attack is through mindfulness training. Teach your employees to always step back and think before doing anything that could potentially put themselves or your data at risk. Is that email really from their department manager; is their friend actually contacting them with an opportunity on Facebook?
Most of us have heard of ransomware by now: malicious software that encrypts or locks systems and data until the victim pays the attacker a ransom. Infections can start almost anywhere, including compromised ad networks, infected websites, malicious links and attachments, and even tampered software updates. Some ransomware will also wipe a system after a deadline passes, or exfiltrate data to an attacker-controlled server before encrypting it so that the data can be leaked if the ransom isn't paid.
Ransomware training should focus on three areas. First, it should emphasize that employees need to tell your IT or security team immediately if they do anything they think may have put your systems at risk, such as opening a suspicious attachment; early reporting is what limits the spread. Second, it should emphasize the importance of keeping regular, isolated backups (offline, or otherwise unreachable from the network) of all important systems and files, and of testing that those backups actually restore.
Lastly, it should cover what to do in the event of a ransomware infection. This means isolating infected systems from the network to stop the ransomware spreading, preserving evidence for the incident response team, and verifying that your backups weren't reachable by the attacker and are still intact before restoring from them. Emphasize the importance of never paying the ransom as well: payment funds further attacks and doesn't guarantee that the data comes back.
Imagine that your business is a little bit like a bank vault. If someone wants to rob that vault, they could go to all the trouble of disabling security cameras, turning off the alarms, and cracking the door. But why bother doing that when they could just have someone who works at the bank let them in?
This is what’s known as an insider threat — when someone in a position of trust knowingly works with bad actors. These malicious insiders aren’t careless. They know what they’re doing, and are motivated either by greed or a desire to damage your business.
Teach employees about the warning signs that someone could have gone rogue. This might include changes in behavior, irregular working hours, or unusual access requests for sensitive information.
Most of your employees probably fall into one of two groups:
Some employees even fall into both. That's a problem. Criminals don't need to break into your systems directly: they can take a list of credentials stolen from an unrelated company and try them against your logins (credential stuffing, which works whenever a password is reused), or simply guess weak passwords with a brute-force or dictionary attack.
Provide your employees with a password manager and teach them how to use it. Coach them on the importance of having strong, unique passwords for each account, and show them how to enable multi-factor authentication wherever possible.
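The checks a password-hygiene rollout should enforce, as an added example (this is not code from the original article or from any particular password manager): it flags passwords reused across accounts, generates replacements from the operating system's CSPRNG, and demonstrates the k-anonymity lookup used by breached-password services, where only the first five hex characters of the SHA-1 hash are sent and the full hash never leaves the client. The account list and breach corpus are constructed sample data; `sample_range_lookup` is a stand-in for the real range API, whose `SUFFIX:COUNT` response format it imitates.

```python
"""Password-hygiene checks: reuse detection, strong generation, and an
offline demonstration of the k-anonymity breached-password lookup.
Added example; the account list and breach corpus are constructed."""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample: passwords an employee might have used on several sites.
SAMPLE_ACCOUNTS = [
    ("intranet", "Summer2023!"),
    ("gym-portal", "Summer2023!"),   # same password reused on a third-party site
    ("crm", "correct horse battery staple"),
    ("webmail", "password"),
]

# Constructed sample of "breached" passwords with made-up counts (not real
# Have I Been Pwned figures). A real deployment queries the range API instead.
SAMPLE_BREACH_CORPUS = {"password": 3, "123456": 5, "Summer2023!": 1}


def find_reused_passwords(accounts):
    """Return {password: [sites]} for every password used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in accounts:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def generate_password(length=20):
    """Random password from the OS CSPRNG, retried until every character class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def sample_range_lookup(prefix):
    """Stand-in for the range API: 'SUFFIX:COUNT' lines for every corpus hash sharing `prefix`."""
    lines = []
    for pw, count in SAMPLE_BREACH_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def breach_count(password, range_lookup=sample_range_lookup):
    """How often `password` appears in the breach corpus; only the hash prefix is sent out."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def audit(accounts=SAMPLE_ACCOUNTS):
    """List each account whose password is reused or known-breached, with the reasons."""
    reused = find_reused_passwords(accounts)
    findings = []
    for site, password in accounts:
        problems = []
        if password in reused:
            problems.append("reused")
        if breach_count(password):
            problems.append("breached")
        if problems:
            findings.append((site, problems))
    return findings


if __name__ == "__main__":
    for site, problems in audit():
        print(f"{site}: {', '.join(problems)} -> replace with {generate_password()}")
```

The audit shows why reuse is the real problem: the "intranet" password is only exposed because the same string turned up in the third-party "gym-portal" breach. A password manager removes the incentive to reuse, and the generator above is the kind of output it produces; pair it with MFA so that a leaked password alone is not enough.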
Most attacks are now digital — but that doesn’t mean you can afford to be careless with your devices. Smartphones and laptops that contain sensitive data could cause serious problems if they’re stolen. It’s important that your security training at least touch on physical security.
This one is pretty easy. Just explain the risks of leaving important devices or documents unattended, and require full-disk encryption and a screen lock on laptops and phones so that a stolen device doesn't turn into a data breach. You might also consider implementing what's known as a clean desk policy: before an employee leaves their desk, all sensitive items should be stored away.
More people than ever are now working remotely, whether from home or while on the road. While some employees still prefer the office, remote work isn’t going away anytime soon. Unfortunately, while it can improve productivity, job satisfaction and work/life balance, remote work also introduces several new security risks, including:
Emphasize that employees should never connect to a public WiFi network without some form of security such as a virtual private network (VPN), and even then, there are still risks. Beyond that, you can probably just explain that by applying the same practices at home as they do in the workplace, employees can keep themselves safe as well as your business. You may also want to provide employees with some kind of secure remote desktop software and teach them how to use it.
AI is still a pretty new technology, but most businesses at this point have either adopted it or are considering adoption. Sadly, bad actors have already come up with a ton of different ways to use it in their attacks. They’ve also figured out ways to turn your business’s own AI models against it.
Cybersecurity training programs need to include AI as a focus.
How your training looks in this case depends on who you're delivering it to. If it's general training, focus on teaching people how to recognize potential deepfakes, including cloned voices and video impersonations of executives used to authorize payments. You'll also want to discuss the risks generative AI poses to compliance and intellectual property, such as employees pasting confidential data into public AI tools.
For anyone who’s working with and training AI, your training should cover data poisoning, a tactic in which a criminal manipulates the training data of an AI model. This can take a few different forms, including injecting false information, deleting part of the data set, or changing part of it. Discuss the steps your employees can take to identify and mitigate potential data poisoning attacks.
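One concrete mitigation for the three forms of data poisoning listed above, as an added example (not code from the original article): record a manifest of per-record digests when the training set is signed off, then diff the current data against it before every training run. Injection, deletion and modification each show up as a distinct class of difference. The phishing-classifier dataset and the attacker's edits are constructed sample data; the manifest is assumed to be stored and signed separately from the dataset so that an attacker who can edit the data cannot also rewrite the baseline.

```python
"""Dataset integrity manifest: detects injected, deleted and modified training
records by comparing per-record digests against a trusted baseline.
Added example; the dataset and the poisoned copy are constructed."""
import copy
import hashlib
import json

# Constructed sample: a small labelled corpus for a phishing-email classifier.
TRUSTED_DATASET = [
    {"id": "m1", "subject": "Invoice overdue - act now", "label": "phish"},
    {"id": "m2", "subject": "Q3 all-hands agenda", "label": "legit"},
    {"id": "m3", "subject": "Reset your password immediately", "label": "phish"},
    {"id": "m4", "subject": "Lunch on Friday?", "label": "legit"},
]


def record_digest(record):
    """SHA-256 over a canonical JSON encoding, so key order cannot mask or fake a change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(dataset):
    """Map each record id to the digest of its content (ids are assumed unique)."""
    manifest = {}
    for rec in dataset:
        if rec["id"] in manifest:
            raise ValueError(f"duplicate id {rec['id']}")
        content = {k: v for k, v in rec.items() if k != "id"}
        manifest[rec["id"]] = record_digest(content)
    return manifest


def diff_manifests(trusted, current):
    """Classify every difference as one of the three poisoning forms."""
    return {
        "injected": sorted(set(current) - set(trusted)),
        "deleted": sorted(set(trusted) - set(current)),
        "modified": sorted(i for i in trusted.keys() & current.keys() if trusted[i] != current[i]),
    }


def check_dataset(dataset, trusted_manifest):
    """Empty lists mean the data matches the signed-off baseline; anything else blocks training."""
    return diff_manifests(trusted_manifest, build_manifest(dataset))


def poisoned_copy(dataset):
    """Constructed attacker edit: flip one label, drop one record, add a mislabelled one."""
    poisoned = copy.deepcopy(dataset)
    poisoned[0]["label"] = "legit"                       # m1: phish -> legit
    poisoned = [r for r in poisoned if r["id"] != "m2"]  # delete m2
    poisoned.append({"id": "m5", "subject": "Wire transfer request from CEO", "label": "legit"})
    return poisoned


if __name__ == "__main__":
    baseline = build_manifest(TRUSTED_DATASET)
    print("clean:", check_dataset(TRUSTED_DATASET, baseline))
    print("poisoned:", check_dataset(poisoned_copy(TRUSTED_DATASET), baseline))
```

The manifest catches tampering with data already accepted; it does not judge whether the baseline itself was clean, so reviewing new records before they are added to the baseline (and keeping the manifest under version control with a signature) is still part of the process.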
Now you know both why cybersecurity training is important and what your training should focus on. Next up, why not read about cybersecurity awareness training and how it relates to cyber risk management? You could also learn more about cybersecurity labs and their role in an effective training program.