Launching a cybersecurity training program at your workplace is quite an accomplishment. But your role in helping reduce the risk of cyber threats doesn’t stop when your employees complete all onboarding training activities and you get to check a box for compliance.
Ongoing training and continuous analysis of training data will help you determine how to best reduce cyber risk for your organization. Plus, cyber criminals are always trying to be one step ahead by launching more sophisticated attacks.
Ars Technica recently published an article about a phishing tactic dubbed BitB, which stands for "browser in the browser." It uses a fake browser window rendered inside a real browser window to spoof an OAuth sign-in page and capture credentials. While not new (first reported in 2020), it is a good example of how sophisticated a cyber attack can be and how it can fool even tech-savvy individuals.
If you’re looking to keep employees engaged and empowered to recognize and report cyber threats, here are some best practices based on our discussions with customers of our Cybersecurity Awareness Training platform.
Tips for ongoing cybersecurity awareness training:
Share relevant news articles
“I like to share the top ten popular passwords every year when the report comes out and remind employees, if any of these look familiar, you need to address that ASAP,” says Eric Normandin, CIRA Security Analyst. “Sharing relevant articles or anecdotes, and encouraging others to do so as well, can spark interesting discussions and contribute to building a strong cyber-conscious culture in the workplace.”
It can be as simple as sharing a link in a company-wide chat with some added context, further instructions, or a reminder of a workplace policy. Particularly if there is a cyber attack that takes place close to home, or within the industry you work in, it can be a great reminder that no organization is too small to be a target for cyber criminals.
Conduct regular phishing simulations
Most of our customers deliver one phishing simulation per user each month, with the email selected at random from a bank of pre-built templates. This cadence keeps building the habit of recognizing phishing red flags without overburdening users with too many tests.
Phishing simulation programs are good reminders that there is something for everyone to learn. With the variety of tactics used in the simulations—appealing to different emotions, imitating a trusted brand, or technical tricks like spoofing an internal email address—many admins find that even their most technically capable users aren’t on guard 100% of the time.
Identify higher-risk groups
Some departments in your organization, like finance, may have access to more sensitive data, so it makes sense to assign supplementary training to them. Within our training platform, you can identify these higher-risk groups by filtering reports by department, which is easier if departments are mapped from Active Directory. You can then pull reports to see whether any departments are more prone to clicking a phishing simulation link.
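As an added example (not code from CIRA or its training platform), the per-department view described above can be built from an exported result set with a few lines of Python. The rows below are constructed sample data; a real export from any platform would need its own column mapping. The `min_sent` guard keeps a single click in a two-person department from being read as a trend, which is the caveat to apply before assigning extra training to a group.

```python
"""Per-department phishing simulation risk summary (added example, constructed data)."""
from dataclasses import dataclass

# Constructed sample export of one month's simulation results (not real data).
# Each row: (user, department, clicked_link, reported_email)
SAMPLE_RESULTS = [
    ("a.finch", "Finance", True, False),
    ("b.ortiz", "Finance", True, False),
    ("c.wong", "Finance", True, True),   # clicked, then reported it
    ("d.rao", "Finance", False, True),
    ("e.kim", "Finance", False, False),
    ("f.nash", "Finance", False, False),
    ("g.ali", "Engineering", True, False),
    ("h.berg", "Engineering", False, True),
    ("i.chen", "Engineering", False, True),
    ("j.dube", "Engineering", False, True),
    ("k.ebi", "Engineering", False, True),
    ("l.fox", "Engineering", False, False),
    ("m.gray", "Sales", True, False),
    ("n.hall", "Sales", True, True),
    ("o.iyer", "Sales", False, True),
    ("p.jung", "Sales", False, False),
    ("q.kahn", "Sales", False, False),
    ("r.lam", "Legal", True, False),
    ("s.moss", "Legal", False, False),
]


@dataclass
class DepartmentStats:
    department: str
    sent: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def summarize_by_department(results):
    """Aggregate sent/clicked/reported counts per department."""
    stats = {}
    for _user, dept, clicked, reported in results:
        s = stats.setdefault(dept, DepartmentStats(dept))
        s.sent += 1
        s.clicked += int(clicked)
        s.reported += int(reported)
    return stats


def org_click_rate(results) -> float:
    """Organisation-wide click rate used as the baseline for comparison."""
    return sum(1 for r in results if r[2]) / len(results) if results else 0.0


def higher_risk_departments(results, factor=1.25, min_sent=5):
    """Return (flagged, too_small): departments whose click rate exceeds the
    org-wide rate by `factor`, and departments with fewer than `min_sent`
    simulations, which are listed separately rather than ranked."""
    stats = summarize_by_department(results)
    threshold = org_click_rate(results) * factor
    flagged, too_small = [], []
    for s in sorted(stats.values(), key=lambda s: s.click_rate, reverse=True):
        if s.sent < min_sent:
            too_small.append(s.department)
        elif s.click_rate > threshold:
            flagged.append(s.department)
    return flagged, too_small


if __name__ == "__main__":
    for s in summarize_by_department(SAMPLE_RESULTS).values():
        print(f"{s.department:12} sent={s.sent:2} click={s.click_rate:.0%} report={s.report_rate:.0%}")
    flagged, too_small = higher_risk_departments(SAMPLE_RESULTS)
    print("higher-risk:", flagged, "| insufficient sample:", too_small)
```

Report rate is tracked alongside click rate on purpose: a department that clicks rarely but also never reports is a weaker detection layer than one with a slightly higher click rate and a habit of reporting.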
Assign new courses
With the shift to a hybrid/work-from-home workforce, many of our customers have assigned courses that educate employees on topics like how VPNs work and staying safe while working remotely. Privacy, social media-based attacks and password hygiene were also popular course topics in the past year.
More training program tips
Based on these best practices and conversations with hundreds of customers who have rolled out a cybersecurity awareness training program, we’ve put together a guide to help admins implement training successfully. It might not be possible to stay completely protected from cyber attacks, but with these tips you’ll be equipping your employees with the tools they need to help you stay one step ahead.