
How to create an employee cybersecurity awareness strategy

October 29, 2018 by Pedro Tavares

We live in a digital era where sensitive information, digital networks and critical infrastructures are all susceptible to cyberthreats. We only need to look at our everyday routines, with e-government, e-business, online banking and online healthcare increasingly connected everywhere.

As a consequence of this growth, a lot of sensitive information has been moved onto the Internet. Now everyone is vulnerable to cybersecurity threats, from the highest government officials to children.


Even those that are not connected to the Internet can be affected by cybersecurity threats. Someone else, such as a business, government, healthcare system or even someone in their social circle, can have personal information about you that is available on a computer that can be reached through the Internet.

This article focuses on cybersecurity awareness to promote foundational understanding of cyberthreats, risk, cyber-hygiene and appropriate response options. Employees within an organization must be informed on best practices and proactive measures when confronted with cyber-risks and should even build their own strategy — a handbook to survive in the cyber-era.

The big picture

Hackers are constantly seeking vulnerable points that give them the best opening to steal data from a person or an organization. As long as information about a person or an organization remains available online, a cybercriminal only needs a simple plan to gather what is necessary to develop a successful attack.

Data is everywhere, and the horizon of information keeps growing. The giant problems of this era include unattended devices, email and device scams, compromised passwords that are reused on other systems, and the uncontrolled expansion of social networks and public profiles. The Internet is an enormous database that is always available for crooks to use for their own profit.

Keep in mind that combining multiple software products, pieces of hardware and much more will not resolve all of an organization's security problems, because very often the door key is left under the rug.

The problem discussed here is directly related to the employee awareness landscape, which organizations often undervalue. Raising cybersecurity awareness is not simply passing on the message that we should not open an email with a strange link. More than that, it should be considered a resource, a day-to-day tool that allows us to protect systems from emerging threats and also to keep personal data safe — as information is currently considered the new petroleum.

Let’s look at WannaCry ransomware as an example. Can you list the causes associated with WannaCry's proliferation?

  1. First, WannaCry spread by exploiting a known vulnerability in Server Message Block version 1 (SMB v1) on Windows operating systems, using the exploit known as EternalBlue. IT administrators did not fix this vulnerability in time, which allowed a well-executed exploitation by crooks. Because of this, several organizations were impacted worldwide.
  2. Even if a company did not have a software update plan and a quick, effective response for these scenarios, IT employees should take these subjects to their meetings. Awareness is part of everyone’s job: all employees within an organization need to encourage the organization, and especially C-level administrators, to take action to keep the entire infrastructure updated. The SMB v1 flaw had already been fixed by Microsoft in March, but many companies did not apply the update.
  3. When employees are hit by ransomware, they should know how to act at that moment and also know the right steps to respond to threats of that nature.
  4. Typically, such malicious campaigns are disseminated via email, and all employees should know how to identify a potentially dangerous email. Remember that phishing campaigns continue to rise and business email compromise (BEC) attacks are projected to exceed $9 billion in 2018.

Summing up, the problem is usually caused by human failure rather than a technological or infrastructural problem. In this sense, employees’ skills should be continuously improved through ongoing learning and solid knowledge of cybersecurity.

Making the plan - The awareness and education continuum

Cybersecurity awareness, or cyber-awareness, should be seen by organizations as a continuous strategy these days. Talking about awareness is not enough if we do not know the whole cycle of an awareness culture.

Cyber-awareness can be defined by seven crucial pillars.

Awareness

This step refers to the first time that employees have contact with the issue. Note that awareness is not the same as deep knowledge. For example, when software is installed on a computer, it might be vulnerable and compromise the computer. The same is true for incoming emails, as malicious links may be embedded in the email body, or it may have been sent by a criminal impersonating a C-level executive.

Education

The specific information is presented to the employee. At this point, the employee knows about the issue.

For example: As I have received many legitimate and illegitimate emails, I can rapidly notice whether one represents a fraudulent campaign.

Knowledge

This is seen as an achievement: the educational material has been retained and can be transmitted to other co-workers. At this point the employee has total knowledge about the issue.

For example: I'm sure that the email received is a phishing campaign, and I can easily identify several features that reinforce my findings.
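As an added illustration (not part of the original article), the small Python check below encodes the kind of "features" that identify an executive-impersonation email, as discussed for BEC in the WannaCry causes above and in the Knowledge step here: a known executive's display name paired with the wrong address, a Reply-To pointing elsewhere, a lookalike sender domain and pressure language. The organization domain, executive address and both messages are constructed for the example.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organization's own domain and the real
# address of an executive who is a likely impersonation target.
ORG_DOMAIN = "example-corp.com"
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "gift card")

def domain_of(address: str) -> str:
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""  # '' when there is no '@'

def is_lookalike(domain: str, reference: str) -> bool:
    # Nearly, but not exactly, the organization's domain (e.g. one swapped letter).
    if domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= 0.85

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the BEC/phishing features found in a single-part RFC 5322 message, sorted."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    found = set()
    # 1. A known executive's name paired with an address that is not theirs.
    expected = KNOWN_EXECUTIVES.get(display_name.strip().lower())
    if expected and from_addr.lower() != expected:
        found.add("display_name_spoof")
    # 2. Replies silently redirected to a domain other than the sender's.
    if reply_to and domain_of(reply_to) != from_domain:
        found.add("reply_to_mismatch")
    # 3. Sender domain that imitates the organization's domain.
    if is_lookalike(from_domain, ORG_DOMAIN):
        found.add("lookalike_domain")
    # 4. Pressure language typical of payment-fraud requests.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(term in text for term in URGENCY_TERMS):
        found.add("urgency_language")
    return sorted(found)

# Constructed sample messages (not real traffic).
BEC_SAMPLE = ("From: Jane Doe <jane.doe@examp1e-corp.com>\n"
              "Reply-To: jane.doe@mail-relay.example\n"
              "Subject: URGENT wire transfer\n\nPlease process this immediately.\n")
LEGIT_SAMPLE = ("From: Jane Doe <jane.doe@example-corp.com>\n"
                "Subject: Q3 budget review\n\nPlease send the updated figures.\n")
```

Each indicator alone is only a hint; it is the combination, checked against what the employee already knows about the sender, that makes the finding solid.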

Skills

The employee has acquired a set of skills developed over time.

Ability

Employees have the capacity to perform the skills required for proficiency.

These five steps can occur simultaneously, or they may take a longer period of time depending on the type of issue, audience receptiveness and current level of knowledge.

Habit

Habit occurs when the skills and knowledge are put into practice and become part of the employee’s daily routine.

Cultural Change

Social change of this nature takes a long time. Cultural change will occur when all of the aforementioned steps are part of an organization’s DNA, the message is correctly shared with future employees and all members of the organization follow the same principles.

Developing a new culture — Advantages and how employees should act

As with any training program, it should be adjusted to the organization’s needs.

Organization — How to Promote Employees’ Awareness Training

  • Promote security topics via static posters spread throughout the organization in specific areas. It can be the simplest message: “Do you know the danger of using the same password on multiple systems? Use unique passwords!”
  • Change employees’ computer desktop backgrounds. This is a good practice that can warn employees about emerging threats: “Do you keep passwords on your computer’s desktop? Did you know that you can use an organization-sponsored password manager to easily create unique passwords?” Images can also be used instead of messages alone.
  • Promote cybersecurity awareness training regularly. The organization should encourage its employees to develop their skills in regular training sessions (for example, video training modules).
  • Tools are one of the best ways to learn and practice. Employees should be confronted with social engineering scenarios (internal simulated campaigns).

Employee — Let’s Create Our Own Routine

Do not expect the organization to do it all for you! Below are some measures that you can start now at your job.

  • You need to know where data is. Spend time with all departments that use systems and data. Knowing the systems and the business is an important step you need to complete before anything goes wrong.
  • What would you do if there were a data breach? You need a list of the right stakeholders for these scenarios and a place to set up a “red room” when incidents of this nature occur. Think about it, be proactive and create your own cyber-routine. Do not expect the organization to define every step of your day-to-day life.
  • Share events with your colleagues. Tell them how to proceed in those cases and get their opinions. Promote the knowledge.
  • Use strong and complex passwords and change them periodically. Do not use the same password on multiple systems and devices — once it is stolen, all of your systems can be compromised. To help you in this task, use a password manager to generate and store unique passwords.
  • Minimize all sensitive information. Keep only the data that you need. Do not keep sensitive information or a copy of critical data, projects, files and so forth on portable or mobile devices (such as laptop computers, tablets, phones, memory sticks, CDs/DVDs or USB devices) unless they are properly protected.
  • Never share your personal password or click on unknown links or attachments sent via email. Be careful what you share: your private information is very precious.
  • Protect data when using the Internet and email. Access websites over HTTPS and send digitally signed email messages over secure connections.
  • Stay away from malware. Keep software up to date and use an antivirus to protect your device.
  • Encrypt your computer’s hard drive. This will prevent breaches in the event that an attacker steals your physical disk and tries to access it on a third-party computer. Disk encryption adds a layer of protection to your data.
  • Shut down, lock or log off your computer and other devices before leaving them unattended.
  • Do not install or download unknown or unsolicited programs on your devices.
  • Secure your area before leaving it unattended by applying the clean desk concept.
  • Make backups of data you are not willing to lose. Store them very securely and in various places (both online and offline).
  • And the most important advice: share your ideas with your colleagues. Provide useful experience and information to others within your organization.

Awareness depends on the work of everyone. If we all adopt these measures, over time we will achieve a significant change in employees’ cyber-habits — useful not only in day-to-day life in the organization, but also in the everyday life of any citizen.

The secret is simple: make it happen and repeat it.

Final thoughts

Cybersecurity awareness training, when implemented correctly, is a crucial necessity for any organization. If all employees are aware of what to watch for, prevention procedures could stop a lot of threats that affect many infrastructures and organizations worldwide.

We can take WannaCry as an example. Its impact could have been minimized had there been a culture of cyber-awareness within organizations. Employees would have been much more careful when opening potentially malicious emails, so the malware would have spread more slowly and been quickly contained by security teams. At the same time, with systems updated, the risk would have been reduced and the malicious payload would have been ineffective.

More than ever, the implementation of cyber-awareness training within organizations is seen as mandatory. Security awareness training is not the be-all and end-all; however, it is a significant layer of security to add to existing measures.

To conclude and underline this important matter, let me tell you what some authors have written: the next 9/11 could be a cyber-attack. Take care and look around, as an emerging threat can reach you when you least expect it.


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and Security Evangelist. He is also Editor-in-Chief of the computer security blog seguranca-informatica.pt.

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a freelance writer.