5 Reasons to Consider Security Awareness Training


Schadenfreude (/ˈʃɑːdənfrɔɪdə/; German: [ˈʃaːdn̩ˌfʁɔʏ̯də]; lit. ‘harm-joy’) is the experience of pleasure, joy, or self-satisfaction that comes from learning of or witnessing the troubles, failures, or humiliation of another. (source: Wikipedia)

The press can’t get enough of corporate data breaches. They delight in showcasing the latest horror story about a business that lost massive amounts of private records or millions in revenue to the latest hack. I would call that schadenfreude, but wait… you could be next.

Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.

Yet by far, the most effective strategy in combatting these attacks is also one of the most poorly implemented – security awareness training. The long list of “worst practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing.

It’s better to start a new-school security training method sooner rather than later. Thousands of your peers will tell you this was the best and most fun IT security budget they ever spent… hands-down.

Here are the Top 5 reasons to consider Security Awareness Training: 

  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and its sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018, when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
  4. Legally you are required to act “reasonably” and take “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today’s social engineering risks and “scale security measures to reflect the threat”. Don’t trust me, confirm with your lawyer, and next insist on getting the budget. Today, data breaches cause practically instant class action lawsuits. And don’t even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
  5. Board members’ No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breached data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target’s CEO and CISO are just an example. Help your CEO to keep their job.

Hold the schadenfreude and learn from the mistakes of others! Find out more about our Security Awareness Training here: https://www.cybriant.com/cybersecurity-awareness-training/


Cybersecurity trends 2018: Cyberattacks will continue to surge


To predict what will happen in 2018, let’s take a look at what happened in 2017. In the first six months of 2017 alone:

  • There were 918 data breaches that compromised 1.9 billion data records in the first six months of 2017, which is an increase of 164% compared to 2016.
  • Of these 918 breaches, 500 breaches had an unknown number of compromised records, while 22 of the largest data breaches involved more than one million compromised records.
  • Almost 2 billion data records around the world were lost or stolen by cyberattacks in the first half of 2017 and the number of breaches reported by companies looks set to rise.
  • Governments around the world are introducing legislation that will force more companies to disclose data breaches.

Take a look at just a few of our top predictions for cybersecurity trends in 2018:

Companies will feel more pressure to be transparent and reveal data breaches

New regulations such as the U.K. data protection bill, the European Union’s General Data Protection Regulation (GDPR), and Australia’s Privacy Amendment (Notifiable Data Breaches) Act are set to come into force in the coming months and years and will push firms to disclose hacks and security breaches.

Hackers will move to more profitable targets

The hope is that the profitability of traditional ransomware will decline as cyber risk protection, user training, and corporate cybersecurity strategies improve. This means, however, that hackers will move to more profitable targets like high net-worth individuals, connected devices, and businesses, according to McAfee’s Threat Predictions Report. 

There is no easy fix for cybersecurity. It’s important to create a “Zero Trust” mindset in your organization – including all employees, contractors, board members, and C-suite members – that hackers are constantly trying to access your data. It’s important to be vigilant. A dedicated, well-financed actor who is after something in your enterprise is going to get it, even if they use the weakest link–people–to do so. This means adapting your security setup to focus on detection, response, and remediation.

Companies will be judged based on their Cyber Score

After the widely publicized breaches in 2017, consumers and organizations alike will lean on a company’s cyber score to determine its security posture. According to TechRepublic, “Historically, organizations would go to credit rating agencies and find out the creditworthiness of their partner, but now that companies are handing out data to their partners, they need to understand what their posture is.” For example, FICO offers an Enterprise Security Score for an objective measure of cybersecurity risk.

Tools like Artificial Intelligence (AI) and machine learning will become mainstream

Changes in cybersecurity will require new types of skills in data science and analytics. The general increase in information will mean artificial security intelligence is necessary. Adaptive skills will be key for the next phase of cybersecurity. The battle with hackers moves fast, so AI and machine learning can predict and accurately identify attacks quickly. See how Cybriant is using machine learning to protect our clients. 

Cybersecurity skills shortage will continue

If the trend continues as it is today, we have a global shortage of two million cybersecurity professionals, “The fastest growing job with a huge skills gap.” Security Analysts are the blockers or tacklers of cybersecurity. Many companies are finding ways to automate and outsource this skill. Cybriant has the best of the best when it comes to Security Analysts.

Here are a few trends that we hope will happen:

Companies will develop a common cybersecurity foundation

The government, cybersecurity experts, and many organizations are coming together to develop a common language around cybersecurity: the NIST Cybersecurity Framework. This is a set of broad guidelines that provides a secure foundation, which you can then refine based on your business functions, systems, and operating environment. Cybriant can help you develop this foundation to arrive at the right blend for your organization. Together, we will consider any regulations, emerging threats, new and legacy technologies, and systems, in addition to your business goals.

Managed Patching

Many data breaches in 2017 were the result of forgotten, failed, or slow patches. This is an often ignored problem that has caused a lot of damage in the past. Cybriant offers a patch management service which includes detecting and deploying missing patches on your system. This service will simplify patch management across your organization—even on remote and mobile endpoints.

Continuous Monitoring

Too often, companies think that security is a ‘set it and forget it’ operation. Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry. This is where Cybriant comes in – read more about our continuous monitoring solution. 


Get Your Automated Security Awareness Program, ASAP!


More than ever, your users are the weak link in your network security. It is time for a comprehensive approach to effectively manage this problem, managed by people with a technical background. Cybriant has partnered with KnowBe4 to offer our clients an integrated Security Awareness Training and Simulated Phishing platform. 

Many IT pros don’t exactly know where to start when it comes to creating a security awareness program that will work for their organization. We’ve taken away all the guesswork with our new, no-charge Automated Security Awareness Program (ASAP).

ASAP is a revolutionary tool for IT professionals, which allows you to create a customized security awareness program for your organization that will help you to implement all the steps needed to create a fully mature training program in just a few minutes!


The program is complete with actionable tasks, helpful tips, courseware suggestions and a management calendar. Your custom program can then be fully managed from within the KnowBe4 console. You also have the ability to export the full program as a detailed or executive summary version in PDF format, use it for compliance requirements, and reporting to management.

The process of creating the program is simple: answer 15-25 questions about your goals and organization, and a program will be scheduled for you automatically. The program tasks will be based on best practices for achieving your security awareness goals. You have an easy calendar view to plan and deploy your security awareness program.

Here’s how it works:

  • 15-25 questions depending upon answers
  • Suggested training materials based on answers
  • Choose and change your program start date and tasks
  • Calendar and list view of tasks
  • Dashboard with program status, % complete, tasks overdue, etc.
  • Detailed and summary exportable PDF versions of your program
  • Fully mature awareness program ready in 10 minutes
  • Find out what YOUR program will look like. There is no cost… Start ASAP!

GET STARTED ASAP! Be sure to enter Cybriant as the partner.

Find out what YOUR customized program will look like.

Cybersecurity Emerging Trends: Law Firms Targeted


Law firms and their clients’ sensitive information are a treasure trove for hackers. They not only hold valuable client information but also are regularly emailing attachments to clients, providing a possible means to get into client systems.

Law firms are seen as high-value targets for the rapidly growing use of ransomware and extortion schemes because they have historically weak defenses and are seen as able to pay large sums.

Here are some recent high-profile cyberattacks in the legal industry:

DLA Piper ransomware attack

Panama Papers

Cravath and Weil Gotshal

According to BitSight’s Fourth Annual Industry Index Report, legal service providers are arguably one of the most widely used third parties across the world, supporting some of the world’s largest banks and other well-known organizations. To steal intellectual property, trade secrets, and other sensitive information from companies with strong security measures, cyber criminals may target their outside counsel rather than the company itself.

Hackers attack legal providers because they may have weaker security measures in place. Compared to other industries examined, BitSight finds that companies in the Legal sector actually have high security ratings and low rates of vulnerabilities that could lead to man-in-the-middle attacks. Despite these findings, the industry remains a key target for cyber criminals.

The Legal sector had the second highest percentage of companies with a security rating of 700 or higher, only trailing Finance and in line with Retail. (BitSight Security Ratings measure the security performance of organizations. These ratings range from 250-900, with a higher rating indicating better security performance.)

More than 60% of organizations examined from the Legal sector are exposed to DROWN, a major SSL/TLS vulnerability. (DROWN is a vulnerability, discovered earlier this year, that could allow a criminal to decrypt secure communications and potentially expose information sent over HTTPS, such as passwords, usernames, and credit card details.)

 

Recommendations

Update web server configurations
IT security teams should update their security protocols and ensure that the most recent patches have been implemented across the network.

Invest in training for employees
Employees should be aware of the cyber risks they encounter when surfing the web. Clicking on suspicious online ads, for example, can introduce vulnerabilities into the network. More on cybersecurity awareness training. 

Continuous security monitoring
Teams should strive to continuously monitor the cybersecurity posture of their law firms and other legal service providers (alongside other critical vendors) to ensure that no new threats emerge through these third parties. More on continuous monitoring. 

Establish cybersecurity benchmarks
Organizations should establish security benchmarks to help them take appropriate action depending on changes in the security posture of their own organization or their critical third parties.

Discuss cybersecurity with Board of Directors
Successfully protecting an organization from cyber attacks requires a team. Organizations should add cybersecurity to Board-level discussions.

 


Red Flags of Phishing Attacks


Back in the early days of the Internet, phishing emails were full of typos and laden with obvious clues—appeals from a faraway princess or rich relatives you never knew you had. These were very easy to spot. But cybercriminals have upped their game since then. For example, some cybercriminals go to great lengths to match the branding, color schemes, and logos associated with the companies they are trying to impersonate.

PROTECT YOURSELF FROM PHISHING SCAMS
Phishing emails may be more difficult to identify these days, but there are some important steps you can take to avoid becoming a victim. If you answer “yes” to any of the questions below, there’s a very good chance that you’re looking at a phishing email.

  1. Does the message ask for personal information?
    Always remember that reputable businesses do not ask for personal information—such as social security and credit card numbers—via email.
  2. Does the offer seem too good to be real?
    If it seems too good to be true, it’s a fake. Beware of emails offering big rewards—vacations, cash prizes, etc.—for little effort.
  3. Does the salutation look odd?
    Reputable companies will use your name in the salutation—as opposed to “valued customer” or “to whom it may concern.”
  4. Does the email have mismatched URLs?
    If you receive an email from an organization that includes an HTML link in it, hover your mouse over the link without clicking and you should see the full URL appear. If the URL does not include the organization’s exact name, or if it looks suspicious in any other way, delete the email because it’s probably a phishing email. Also, you should only visit websites that begin with “https” because the “s” at the end indicates that the connection to the site is encrypted. Websites that begin with “http” are not as secure.
  5. Does it give you a suspicious feeling?
    Trust your instincts when it comes to email. If you catch yourself wondering whether it’s legitimate, and your instinct is to ignore and delete it—then pay attention to that gut check.

As email scams become more sophisticated, it is more likely that an employee at your company will fall victim to a phishing technique.

Cybersecurity Awareness Training