Cybersecurity Training is a Must in 2018
By: Frank J. Ohlhorst
Organizations looking to prevent the latest cyber-attacks need to focus more on educating end users, as evidenced by the rise of phishing, spear phishing, and whaling attacks. A recent security report from Microsoft indicates that the top threats to businesses are growing, with phishing and ransomware leading the charge. According to the company, as software vendors increasingly build in stronger security measures, cybercriminals are turning to "low-hanging fruit" methods to infiltrate users' systems in an easier, less costly way.
With phishing becoming the number one threat vector, it becomes clear that end users must be better trained to resist those types of attacks. After all, successful phishing attacks rely on gathering sensitive data from unsuspecting victims. That usually involves an end user opening an email and answering questions, filling out a form on a seemingly legitimate website, or even responding to an inquiry that starts with a text message.
What’s more, an effectively executed phishing attack can lead to end users unwittingly revealing login information or other access credentials, which in turn can open a whole network to attack. That can introduce all sorts of malware, ransomware, or other serious attacks across the enterprise. With that in mind, it becomes obvious that end users must be trained to identify potential threats and report them as a matter of operational best practices.
Successfully training staffers may sound easier than it actually is, especially when one considers how quickly threats can change and evolve over short periods of time. That said, there are still some industry best practices that can lead to a more aware workforce, for example:
- Businesses should start cyber awareness training as part of the onboarding process. The first time a new hire walks through the door, cybersecurity awareness should be part of the orientation, highlighting how important cybersecurity is to the organization.
- Businesses should make “live fire” training exercises part of a regular training regimen. Simulated attacks are one of the best ways to keep staffers on their toes. By orchestrating a simulated attack, IT management can better uncover weaknesses and gauge how to improve training, while also addressing specific areas that may need more training.
- Organizations should conduct regular evaluations and audits. Training goals should be established, and HR should help ensure that staffers have access to training resources and that the effectiveness of the training is measured.
Of course, there are numerous other best practices, but those can vary based upon the type of organization. For example, healthcare businesses may need to incorporate the rules around HIPAA regulations, while financial services businesses may need to focus on protecting customer records. Regardless, threats are evolving, and training is a must.
Naturally, training is only one part of a cybersecurity enforcement scheme. Attack prevention and mitigation are just as critical. With that in mind, IT staffers need to institute solutions that can prevent attacks and mitigate the impact of phishing. One way to accomplish that is to incorporate multi-factor authentication (MFA) as a way to reduce the possibility of breaches. When configured properly, MFA can eliminate the threats posed by stolen credentials, metadata mining, phishing attacks, chatbot-gathered information, and countless other attacks that use subterfuge and data gathering to reveal user account information. By combining several elements, such as user account name, passwords, PINs, keys, challenge questions, and so forth, secure access can be maintained, and IT gains a better picture of who is accessing what, when, and from where.
For more information on how MFA can improve security, meet compliance requirements, and be quickly extended across an enterprise, please visit https://authanvil.com/features/two-factor-authentication.