5 steps of a successful cybersecurity user awareness program | SoftwareOne Blog (2023)

This blog has been updated January 2023 and continues ourcyber security user awareness campaign, all of which can be viewed here:

1. How to fight fraud with security intelligence
2. The 6 biggest email security risks for enterprises
3. Security is not privacy: ways to keep personal data secure
4. Building a mobile threat defense for your enterprise devices
5. How to cut security risks for remote workers
6. 10 surprising security risks in your office
7. Do you know all types of internet security threats?
8. Steps of a successful cyber security user awareness program
9. How to reduce security risks in the future

In 2019, businesses were confronted with a ransomware attack once every 14 seconds. While many of these businesses were able to evade this threat with their existing cyber security measures, many unprepared businesses had to pay an average of $713,000 to regain access to their data.

A modest investment in cyber security awareness can help prevent the stress caused by these attacks and save your businesses hundreds of thousands of dollars. Many businesses immediately reach for technical security solutions, such as advanced anti-malware suites or additional network security measures, with the hope this will be sufficient. However, cyber-criminals aren’t always targeting exploits in your infrastructure, network or applications. They’re also targeting your employees directly.

About 95 percent of cyber security breaches have been directly attributed to human error but despite this, many organizations spend the bulk of their cyber security efforts on sealing up technical vulnerabilities. Organizations need to learn how to detect and prevent these attacks by finding vulnerabilities within their workforce. Let’s take a look at how to get started.

Common cyber security risks to watch for

Your cybersecurity strategy is only as strong as your least informed employee. As a result, your entire organization, ranging from contractors to interns to the C-suite, need to understand and abide by certain cybersecurity standards. When designing a cybersecurity awareness plan, make sure your employees are aware of the following vulnerabilities:

Social engineering

Social engineering exploits human psychology to gain access to restricted information or areas. For example, a skilled social engineer may comb through your employee’s social media to learn more about them, and then leverage that information to convince an employee to give them secret information – like logins, important emails, building passcodes, and more. They could then use that information to launch an attack on your business.

Unsecured connections

Teach your employees to always watch the URLs of the websites they access – if a website’s URL is “http://” the connection is not secured with encryption and cybercriminals can intercept data. Therefore, employees should avoid conducting business over these channels, completing transactions, inputting passwords, or otherwise transmitting sensitive data. Instead, they should use sites with “https://” in the URL as these provide encrypted data transfer.

Password strength

Employees should ensure they use strong passwords. Remind employees that they shouldn’t use personal information, like only the street they were born on or the name of their cat, as a password. Employees should even avoid using real words in their passwords. Instead, ask employees to create a passphrase with a long string of letters and numbers (minimum 12 characters) they can easily remember – like “MyHouse;isNew-20” or “I.Love.Photography$.5D4”.

Password handling

Even if an employee creates a strong password, hackers can still access their accounts if they are not secretive with them. Employees should avoid writing down their passwords on sticky notes or in notebooks and should not send passwords to coworkers through email. Additionally, don’t input passwords on networks or devices you don’t control as there may be keyloggers or spyware present.

Reusing passwords

Employees need to use different passwords on each of their accounts – especially if those accounts contain sensitive information. Otherwise, if a hacker manages to learn one of the passwords, they may be able to access most of their online accounts. Keep in mind it can be difficult for your employees to remember 20, 50, or even hundreds of passwords – it’s strongly recommended to give them access to a password manager to ensure compliance.

Shoulder surfing

When employees work in public areas, like airports, train stations, or busy cafés – there’s a chance they could be watched by a malicious individual. If this person watches your employee take out a credit card, type in a PIN, or read a sensitive document, they could use this information against your company at a later time. To prevent shoulder surfing, ask your employees to avoid working in crowded public areas. If that’s difficult for certain roles – such as traveling salespeople – then outfit their computer and/or mobile device with a privacy screen.

How to create a cyber security awareness plan

As a reader, you’re now aware of six serious cyber security threats that can be solved through employee awareness – but how can you make your fellow team members more aware of common cyber security threats? It’s not as difficult as you may think – just follow these five steps, and you’ll be well on your way.

1. Align with leadership & get employee buy-in

Before you can get a cyber security awareness plan started, you need both leadership and employees to understand how important it is. Start by having a meeting with the CIO or another high-ranking individual to stress the importance of cyber security awareness and make it clear that some modest investments will be needed to help employees stay secure. Once leadership accepts, reach out to employees and begin pitching them on why they need to take cyber security seriously – namely, how much poor security costs the business, and how those costs can trickle down to them.

2. Train employees

Once you have buy-in about cyber security awareness training, start building your lesson plan. This should include information your core business needs, common threats within your line of business, and sample cases of how these attacks may play out in practice. Additionally, tell employees exactly how they should respond to and report these cyber security threats to ensure the hacker does not succeed.

3. Test employees

After training is complete, it’s time to test what your employees learned with hands-on exercises. A few days or weeks after the training concludes, pretend you’re a malicious actor and try to get as many employees to fall for your tricks as possible. This may include sending malicious attachmentsfrom an outside email account, phishing via email, or trying social engineering tactics on your employees. If they don’t fall for it, give your employee some kind of reward for their diligence - like a gift card, free lunch, or a box of treats. If they are tricked, fall back to step 2 and retrain your employees.

4. Conduct a threat assessment

Threat assessments help you determine vulnerabilities within your organization, and quantifies the cost of different cyber security attacks, helping you prioritize risks based on your most critical business areas. Once the assessment is complete, share the findings with both general employees and the IT team. When you send this document to a typical employee, include suggestions on how they can help secure these business areas. When you send it to the IT team, let them know they should closely monitor the most high-risk parts of your business.

5. Assist security teams

Make sure your security team is aware of the findings within your threat assessment, and ensure they are equipped to handle the most pressing threats within your assessment. Check in with them regularly and consider providing them with a list of what’s currently trending in the world of cyber security. By taking this step, your business is more likely to have everything it needs to prevent a breach.