Managing Employee Cyber Literacy

Most technical specialists associate information security primarily with technical means such as firewalls and antivirus software. However, these means may be completely useless if users themselves disclose information to which they have legitimate access under their job responsibilities. Such disclosure can be deliberate (insiders) or the result of social engineering by intruders. In this article we consider the second case, in which users are deliberately misled so that the needed information can be obtained from them in one way or another. We look at the main mechanisms for protecting against social engineering and at general methods of training users in information security.

Security training

Security awareness training is the formal process of educating employees on cybersecurity best practices, making them more aware of the many threats they may face at work and at home. Security awareness training may include:

  • Programs to educate employees about common threats

  • Phishing simulations and other interactive techniques to demonstrate real-world examples of threats

  • Individual responsibility for the company's security policy

  • Metrics to measure company success, from phishing rates to culture surveys

An effective security awareness program is essential for any organization, but simply training employees is not enough. Organizations must evaluate the effectiveness of the program. Accountability is also key, as employees must understand the importance of following security protocols and the consequences of not following them. By taking these steps, organizations can better protect themselves from security threats and reduce the risk of data breaches. Security awareness training can be broken down into four stages:

  • Determining the current level of employee security awareness and the culture of compliance with security rules

  • Developing the security awareness program: topics, frequency and success targets

  • Implementing the security awareness program among employees

  • Evaluating the effectiveness of the program and making changes as needed

Main threats of social engineering

Before we start talking about cybersecurity training, it would be useful to look at the main threats we may face.

Let's start with the well-known calls from "bank security services", "investigators" and other "interesting" people. The same methods are actively used against IT staff. Fraudsters rarely call their victims directly, although this does happen; far more often, attackers now use instant messengers as the channel of communication with their victims.

A typical story: someone who appears to be a member of the company's management (same name, same avatar) writes to an employee in a messenger, says that a serious incident has occurred and that a certain security adviser will contact them shortly (some of these messages have even referred to state security, which sounds more funny than stern). That person then starts telling horror stories about how something must be done urgently (transfer money, hand over information, etc.), otherwise things will be very bad for everyone.

Another classic is email fraud, also known as phishing: scammers pose as legitimate companies or acquaintances to trick people into revealing personal or financial information. It is important to examine email addresses, links and attachments carefully and check them for signs of fraud.

A typical example: an employee receives an email allegedly from the IT department (in the expected corporate format) asking for help testing a new web portal. To do this, the employee has to follow the link in the email and enter their credentials. The phishing site may be an exact copy of the corporate resource, differing only in its domain name. As a result, the attacker obtains the user's credentials.
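The defensive check that this example calls for is "does the link really point at our domain, or at a name that merely resembles it?" The following script is an added illustration, not code from the article: it classifies a link host as trusted, look-alike or unrelated against a list of legitimate corporate hosts. The domains (`portal.example-corp.com`, `example-corp.com`), the confusable-character tables and the edit-distance threshold are assumptions chosen for the example. It goes a little beyond the paragraph by covering three separate look-alike tricks: confusable characters (Cyrillic letters, digits), the trusted name embedded as a label under another domain, and one-character typo-squats.

```python
"""Classify a link from an email as trusted, look-alike or unrelated, relative
to a list of legitimate corporate domains. Added illustration; the domains,
confusable tables and thresholds below are assumptions, not from the article."""
from urllib.parse import urlparse
import unicodedata

# Hypothetical legitimate corporate hosts (assumed for the example).
TRUSTED_DOMAINS = ("portal.example-corp.com", "example-corp.com")

# Characters that render like Latin letters: a few Cyrillic letters and digits
# commonly used in look-alike registrations. Illustrative subset, not exhaustive.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s",
}
# Letter pairs that visually merge into another letter.
PAIRS = {"rn": "m", "vv": "w"}


def fold_confusables(host):
    """Map visually confusable characters to a canonical Latin form."""
    s = unicodedata.normalize("NFKC", host).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, single in PAIRS.items():
        s = s.replace(pair, single)
    return s


def registrable(host):
    """Naive 'domain + TLD' tail (last two labels). Ignores multi-part public
    suffixes such as co.uk, which a real deployment would take from the PSL."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return {'host', 'verdict', 'reason'}; verdict is one of
    'trusted', 'lookalike', 'unrelated', 'invalid'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").rstrip(".").lower()
    if not host:
        return {"host": host, "verdict": "invalid", "reason": "no host in URL"}
    # Exact match or a genuine subdomain of a trusted name: accept.
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return {"host": host, "verdict": "trusted", "reason": "exact or subdomain match"}
    folded = fold_confusables(host)
    for t in trusted:
        ft = fold_confusables(t)
        # Same registrable name once confusables are folded: examp1e-corp.com
        if registrable(folded) == registrable(ft):
            return {"host": host, "verdict": "lookalike",
                    "reason": "confusable characters imitate " + t}
        # Trusted name used as a label under another domain:
        # portal.example-corp.com.auth-check.net
        if ("." + ft + ".") in ("." + folded + "."):
            return {"host": host, "verdict": "lookalike",
                    "reason": "trusted name embedded under another domain"}
        # One edit away from the trusted registrable name: exampie-corp.com
        if levenshtein(registrable(folded), registrable(ft)) <= 1:
            return {"host": host, "verdict": "lookalike",
                    "reason": "one edit away from " + t}
    return {"host": host, "verdict": "unrelated",
            "reason": "no resemblance to trusted domains"}


if __name__ == "__main__":
    for link in ("https://portal.example-corp.com/login",
                 "https://portal.examp1e-corp.com/login",
                 "https://portal.example-corp.com.auth-check.net/",
                 "https://www.wikipedia.org/"):
        print(link, "->", classify_link(link))
```

The "trusted" branch deliberately requires an exact host or a real subdomain (`.example-corp.com` suffix with the dot); a plain substring test would accept `example-corp.com.auth-check.net`, which is exactly the trick the paragraph describes. Everything that is not trusted is compared only after folding, so the verdict does not depend on which confusable the attacker picked.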

Malware includes viruses, worms, Trojans, ransomware, spyware and adware. Employees should understand how malware spreads (email attachments, infected software downloads, malicious websites) and how to protect themselves with reliable antivirus software, a firewall and safe browsing habits.

Secure password management means understanding the importance of strong, unique passwords for every account and following company guidelines for them (passphrases, or combinations of uppercase and lowercase letters, numbers and symbols). It is important to make clear to users that they must not reuse the same passwords for personal resources (email, social networks) and for corporate credentials. It also means knowing how multi-factor authentication (MFA) works and never sharing passwords.

Another interesting attack vector is removable media. Using removable media such as USB drives, external hard drives and SD cards carries certain risks. A flash drive found at the office entrance may contain malware written specifically to attack your network. A different device may hide under the guise of a flash drive, presenting itself as a keyboard and executing commands on behalf of the current user as soon as it is connected (a BadUSB attack). Infection can lead to the unintentional spread of malware, and losing such media can lead to data leakage. It is recommended to use only trusted devices, scan all removable media for malware before use and, where possible, avoid using them to store confidential data.

Safe Internet practices include following safe web browsing guidelines: recognizing secure websites (https), being careful when downloading files or software from unknown sources, not clicking suspicious links, and being cautious when sharing personal or financial information online.

Finally, social media. Users should be aware of the threats associated with using social media platforms, such as phishing attempts, identity theft, cyber attacks, etc. Good practices include adjusting privacy settings, being careful about the information you share, and being vigilant about impersonators or suspicious messages. In particular, avoid sharing phone numbers or work email addresses publicly.

Having considered the main threats, let's see how you can protect yourself from them.

Security Awareness Strategies

Given the above, it is clear that security awareness events need to be taken seriously. Let us consider some recommendations for organizing such events.

Ordinary users (accountants, managers) usually do not have deep knowledge of information security. This applies just as fully to top managers, who are a tempting target for fraudsters precisely because hardly anyone would dare to ignore an order from senior management.

The organization therefore needs an established process for training staff in information security. Of course, cybersecurity courses can be held in an offline format, but attendance at such events is likely to be low: employees always have plenty of their own work and do not want to be distracted by things they consider unimportant.

It is much better to prepare materials in the form of longreads, possibly with video fragments, so that users can study them at a time convenient for them. The risk here is that many will ignore regular reminders about the need to complete the training.

To counter this, the organization needs a security-focused organizational structure: a team of people responsible for implementing the security awareness program. This could be an administrator who manages the program plus a security specialist in each area of the organization who facilitates implementation and supports the development of a security culture. If roles are not clearly defined, security awareness training becomes a routine activity that is never fully carried out.

User awareness must be checked regularly. First of all, tests should be developed to assess the level of user awareness. Exercises are also needed, for example sending a selected group of employees emails that invite them to visit a web resource and enter their credentials. Additional work must then be done with those users who do so, after which the tests are repeated.
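The exercise described above only pays off if its results are measured: which share of each group clicked, who entered credentials and therefore needs additional work, and whether the repeat round was any better. The script below is an added example, not the article's own material; its CSV layout (one row per recipient and round, with the stage each person reached) and the sample rows are constructed for the illustration, and a real awareness platform would export something similar in its own format.

```python
"""Evaluate a phishing-simulation exercise: per-department click, credential
submission and reporting rates, the users who need follow-up work, and whether
the repeat round improved. Added illustration; the CSV layout and the sample
rows are constructed for this example, not data from the article."""
import csv
import io
from collections import defaultdict

# Constructed export of two simulation rounds (hypothetical column layout).
SAMPLE_CSV = """round,user,department,delivered,opened,clicked,submitted,reported
1,alice,finance,1,1,1,1,0
1,bob,finance,1,1,1,0,0
1,carol,finance,1,0,0,0,1
1,dave,sales,1,1,1,1,0
1,erin,sales,1,1,0,0,1
1,frank,it,1,1,0,0,1
2,alice,finance,1,1,0,0,1
2,bob,finance,1,1,1,0,0
2,carol,finance,1,1,0,0,1
2,dave,sales,1,1,1,1,0
2,erin,sales,1,0,0,0,0
2,frank,it,1,1,0,0,1
"""

STAGES = ("delivered", "opened", "clicked", "submitted", "reported")


def load_rows(text):
    """Parse the export; stage columns and the round number become ints."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        row = {"round": int(rec["round"]), "user": rec["user"],
               "department": rec["department"]}
        for stage in STAGES:
            row[stage] = int(rec[stage])
        rows.append(row)
    return rows


def summarize(rows, round_no):
    """Per-department (plus 'all') rates relative to delivered messages."""
    totals = defaultdict(lambda: {s: 0 for s in STAGES})
    for row in rows:
        if row["round"] != round_no:
            continue
        for key in (row["department"], "all"):
            for stage in STAGES:
                totals[key][stage] += row[stage]
    summary = {}
    for key, t in totals.items():
        delivered = t["delivered"] or 1  # guard against an empty group
        summary[key] = {
            "delivered": t["delivered"],
            "click_rate": round(t["clicked"] / delivered, 3),
            "submit_rate": round(t["submitted"] / delivered, 3),
            "report_rate": round(t["reported"] / delivered, 3),
        }
    return summary


def follow_up(rows, round_no):
    """Users who entered credentials in this round: additional work, then retest."""
    return sorted(r["user"] for r in rows if r["round"] == round_no and r["submitted"])


def repeat_offenders(rows):
    """Users who submitted credentials in more than one round."""
    counts = defaultdict(int)
    for r in rows:
        if r["submitted"]:
            counts[r["user"]] += 1
    return sorted(u for u, n in counts.items() if n > 1)


def improvement(rows, before, after):
    """Change in submit rate per department between two rounds (negative is better)."""
    a, b = summarize(rows, before), summarize(rows, after)
    return {k: round(b[k]["submit_rate"] - a[k]["submit_rate"], 3) for k in a if k in b}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for rnd in (1, 2):
        print(f"round {rnd}:", summarize(rows, rnd)["all"],
              "follow up:", follow_up(rows, rnd))
    print("repeat offenders:", repeat_offenders(rows))
    print("submit-rate change by department:", improvement(rows, 1, 2))
```

Two design points: rates are computed against delivered messages rather than against all recipients, so mail that never arrived does not flatter the result; and the report rate is tracked alongside the click rate, because a rising share of employees who report the email is the positive signal an awareness program is actually trying to produce, not just a falling number of clicks.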

More generally, you need to understand what tasks you set for information security awareness events, and for that you need to build a threat model and conduct a risk assessment.

Conclusion

Making employees aware of information security issues significantly increases the security of corporate resources as a whole and reduces the likelihood of a network compromise caused by their careless actions.

We invite everyone interested in the topic of information security to the open lesson “Comprehensive Cybersecurity of a Company” on August 22.

In the webinar, participants will learn how to build an information security landscape in today's conditions, what to keep in mind and what not to forget when working on cybersecurity. Participants will also learn how to explain to the business that information security is not an expense but an investment. You can register using the link.
