By Kevin Ricci, director, Citrin Cooperman
In the battle against cybercriminals, there is no single solution that fully protects us from the relentless barrage of attacks that continue to imperil our personal and corporate data. There is, however, something that is affordable, highly effective, and the closest thing to a cybersecurity silver bullet that exists in today's world. That secret weapon is cybersecurity awareness training, and it is one of the greatest deterrents against the onslaught of attacks that plague individuals and corporations alike.
In order to understand why training is so critical to defending our digital assets, it is important to understand how most modern attacks occur. In the not-too-distant past, attackers would attempt to battle their way through firewalls and intrusion detection and prevention systems to get to a victim's data. However, these attacks were time-consuming and increasingly thwarted by ever-improving defensive technologies.
At some point, attackers realized that they needed a new approach to stealing information, so they increasingly turned to the tactic known as social engineering. Rather than breaking through technological fortifications, the attacker deceives an end user into doing the work for them: clicking a link, opening an attachment, entering credentials on a fake login page, or approving a payment.
Pretending to be a contact we know is one of the most common social engineering strategies and can be delivered by email (phishing), text (smishing), or voice (vishing). Gone are the days of easily identifiable phishing emails (e.g., a kind prince asking for a small loan). Attacks are now laser-focused messages that appear to originate from a trusted source, whether through a spoofed display name, a lookalike domain that differs from the real one by a single character, or a legitimate account that has itself been compromised.
A significant share of recipients are fooled by these attacks, and a single click or reply can result in a ransomware infection, a fraudulent wire transfer, or the exposure of sensitive information.
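The cues that awareness training teaches employees to look for in an impersonation email (a familiar name on an unfamiliar address, a lookalike domain, a hidden Reply-To, a failed authentication verdict, manufactured urgency) can be written down as checks. The script below is an added example and is not from the original article or from Citrin Cooperman; the trusted-contact directory, the domains, and the two sample messages are all constructed for illustration.

```python
"""Triage heuristics for a suspected impersonation email.

Added example, not part of the original article. Each check encodes one cue
that awareness training teaches, so the output can also be used to explain to
an employee why a message looked wrong. All names, domains and messages below
are constructed for this example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical contact directory: the display name a recipient recognises,
# mapped to the only domain that contact actually sends from.
TRUSTED_CONTACTS = {
    "jane doe": "example.com",
    "accounts payable": "example.com",
}

# Pressure words that social-engineering messages lean on (constructed list).
URGENCY_CUES = ("urgent", "immediately", "wire", "gift card", "end of day")

# Character swaps commonly used to build lookalike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True if candidate imitates trusted without being trusted itself."""
    if candidate == trusted:
        return False
    normalised = candidate
    for fake, real in HOMOGLYPHS:
        normalised = normalised.replace(fake, real)
    if normalised == trusted or edit_distance(candidate, trusted) <= 1:
        return True
    # "example.com.attacker.test": the trusted name used as a subdomain of another domain.
    return candidate.startswith(trusted + ".")


def triage(raw_message: str) -> list[str]:
    """Return the impersonation cues found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []

    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. A known contact's display name on an address that contact never uses.
    trusted_domain = TRUSTED_CONTACTS.get(display_name.strip().lower())
    if trusted_domain and from_domain != trusted_domain:
        reasons.append(f"display-name spoofing: '{display_name}' sent from {from_domain}")

    # 2. A sender domain that imitates any trusted domain.
    for trusted in sorted(set(TRUSTED_CONTACTS.values())):
        if is_lookalike(from_domain, trusted):
            reasons.append(f"lookalike domain: {from_domain} resembles {trusted}")
            break

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to mismatch: {reply_domain} != {from_domain}")

    # 4. The receiving mail server's own SPF/DKIM/DMARC verdict.
    auth = str(msg.get("Authentication-Results") or "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=(fail|softfail)", auth)]
    if failed:
        reasons.append("authentication failure: " + ", ".join(failed))

    # 5. Artificial urgency in the subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    cues = [c for c in URGENCY_CUES if c in text]
    if cues:
        reasons.append("urgency cue: " + ", ".join(cues))
    return reasons


# Constructed sample messages (not real mail). The spoof imitates a trusted
# contact from a typosquatted domain with a hidden reply path.
SPOOFED_MESSAGE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe@mail-relay.invalid\n"
    "To: staff@example.com\n"
    "Subject: Urgent wire transfer before end of day\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com;"
    " dkim=none; dmarc=fail header.from=examp1e.com\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please process the attached wire immediately and confirm by reply.\n"
)

LEGITIMATE_MESSAGE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Agenda for Thursday's team meeting\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Attached is the agenda. No action needed before the meeting.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", triage(sample) or ["no cues found"])
```

None of these checks is conclusive on its own: a compromised but genuine account passes every one of them, which is exactly why the page's point stands that technology alone is not enough and the recipient still has to ask whether the request itself makes sense.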
With social engineering attacks lurking within our inboxes, it quickly becomes evident that education and awareness are paramount to keeping us safe, empowering employees with the ability to detect and avoid attacks. While there is no magic formula for creating the perfect training solution, here are some best practices that can give training the greatest chance of success.
- Develop training that is accessible to the entire team, as companies have employees that exist on each end of the technological-sophistication spectrum. Distill complex concepts down to easily digestible bullet points that can be grasped by everyone, regardless of whether they are technically savvy or not.
- Streamline the training to encourage retention and avoid information overload. Anything longer than 20 minutes may cause many employees to grow bored or become overwhelmed, limiting their ability to absorb and retain key concepts.
- Deliver on-demand training as opposed to training programs delivered live and in person. While live training sessions have their advantages, it is not cost effective to have a trainer deliver the content every time a new employee comes onboard or when someone needs a refresher course. On-demand training also eliminates the logistical challenges associated with employees who may be unable to travel to the office, providing them with flexibility to receive training when and where it is most convenient.
- Update the training as new threats are identified. Cybercriminals are constantly refining their methods of stealing information, so be sure to refresh the content on a regular basis, ideally using recent examples of attacks that the organization itself has received.
- Include a quiz after the training to ensure key concepts are being retained. The risk of users investing only a fraction of their attention to the training is very real, so utilize a set of questions to confirm that critical information was absorbed.
- Combine training with a simulated phishing campaign to gauge awareness. Send realistic test phishing emails and require additional training for employees who were unable to identify them. Track how many recipients reported the message as well as how many clicked, since the goal is not only that employees avoid the lure but that they alert the organization, and treat the results as a training signal rather than grounds for punishment, so that employees remain willing to report real mistakes quickly.
Social engineering attacks are the weapon of choice for cybercriminals and difficult to stop with technology alone. Educated employees who have been armed with awareness through cybersecurity training create a virtual "human firewall," greatly increasing the chances of repelling social engineering attacks and keeping the company safe and secure. That human firewall works alongside technical controls such as multi-factor authentication and email filtering, not in place of them.
Visit Citrin Cooperman for more information on protecting your data and your business. Kevin Ricci is a director at Citrin Cooperman with more than 20 years of experience in the information technology field. As part of the firm’s Technology and Risk Advisory Consulting (TRAC) team, Kevin offers clients specialized technology expertise and cybersecurity solutions.