
5 Steps of a Successful Cybersecurity User Awareness Program

In 2019, businesses were confronted with a ransomware attack once every 14 seconds. While many of these businesses were able to evade this threat with their existing cybersecurity measures, many unprepared businesses had to pay an average of $713,000 to regain access to their data.

A modest investment in cybersecurity awareness can help prevent the stress caused by these attacks and save your business hundreds of thousands of dollars. Many businesses immediately reach for technical security solutions, such as advanced antimalware suites or additional network security measures, in the hope that this will be sufficient. However, cybercriminals aren’t always targeting exploits in your infrastructure, network or applications. They’re also targeting your employees directly.

About 95 percent of cybersecurity breaches have been directly attributed to human error, but despite this, many organizations spend the bulk of their cybersecurity efforts on sealing up technical vulnerabilities. Organizations need to learn how to detect and prevent these attacks by finding the vulnerabilities within their workforce. Let’s take a look at how to get started.

Common Cybersecurity Risks to Watch For

Your cybersecurity strategy is only as strong as your least informed employee. As a result, your entire organization, from contractors to interns to the C-suite, needs to understand and abide by certain cybersecurity standards. When designing a cybersecurity awareness plan, make sure your employees are aware of the following vulnerabilities:

Social Engineering

Social engineering exploits human psychology to gain access to restricted information or areas. For example, a skilled social engineer may comb through an employee’s social media to learn more about them, and then leverage that information to convince the employee to hand over secret information – such as logins, important emails, building passcodes, and more. They could then use that information to launch an attack on your business.

Unsecured Connections

Teach your employees to always watch the URLs of the websites they access – if a website’s URL is “http://” the connection is not secured with encryption and cybercriminals can intercept data. Therefore, employees should avoid conducting business over these channels, completing transactions, inputting passwords, or otherwise transmitting sensitive data. Instead, they should use sites with “https://” in the URL as these provide encrypted data transfer.

Password Strength

Employees should ensure they use strong passwords. Remind employees that they shouldn’t use personal information, like the street they were born on or the name of their cat, as a password. Employees should even avoid using a plain dictionary word as their password. Instead, ask employees to create a passphrase made of a long string of letters and numbers (minimum 12 characters) that they can easily remember – like “MyHouse;isNew-20” or “I.Love.Photography$.5D4”.
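The passphrase guidance above can be turned into an automated check that an IT team can run when onboarding accounts or auditing a password policy. The following is an added example, not code from the original article or from SoftwareONE; the word list and the personal details it screens for are constructed stand-ins for a real dictionary and HR data.

```python
import re

# Constructed stand-in for a real dictionary; a production check would load a
# full wordlist (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "photography", "house", "love"}


def check_passphrase(pw, personal=()):
    """Return a list of policy violations for pw; an empty list means it passes.

    The rules follow the guidance in the article: at least 12 characters,
    letters mixed with numbers, not merely a dictionary word with decorations,
    and no personal details (pet name, street) an attacker could find online.
    `personal` is a tuple of strings the employee should not reuse (assumption).
    """
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"\d", pw):
        problems.append("must mix letters and numbers")
    # Reduce to the alphabetic core so "Summer2021!" is caught as "summer".
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    if core in COMMON_WORDS:
        problems.append("just a dictionary word with decorations")
    lowered = pw.lower()
    for item in personal:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append("contains personal detail %r" % item)
    return problems


def is_acceptable(pw, personal=()):
    """True when the passphrase meets every rule in the article's guidance."""
    return not check_passphrase(pw, personal)


if __name__ == "__main__":
    # Constructed sample inputs: the article's two examples and two weak ones.
    for candidate in ("MyHouse;isNew-20", "I.Love.Photography$.5D4",
                      "Summer2021!", "Fluffy-Elm-Street-2019"):
        print(candidate, "->", check_passphrase(candidate, ("Fluffy",)) or "OK")
```

Run it as a script to see the article's two example passphrases pass while a decorated dictionary word and a passphrase built from a pet's name are flagged.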

Password Handling

Even if an employee creates a strong password, hackers can still access their accounts if the password is not kept secret. Employees should avoid writing down their passwords on sticky notes or in notebooks and should not send passwords to coworkers through email. Additionally, they should not enter passwords on networks or devices they don’t control, as keyloggers or spyware may be present.

Reusing Passwords

Employees need to use a different password on each of their accounts – especially if those accounts contain sensitive information. Otherwise, if a hacker manages to learn one of the passwords, they may be able to access most of that employee’s online accounts. Keep in mind that it can be difficult for your employees to remember 20, 50, or even hundreds of passwords – it’s strongly recommended to give them access to a password manager to ensure compliance.

Shoulder Surfing

When employees work in public areas, like airports, train stations, or busy cafés – there’s a chance they could be watched by a malicious individual. If this person watches your employee take out a credit card, type in a PIN, or read a sensitive document, they could use this information against your company at a later time. To prevent shoulder surfing, ask your employees to avoid working in crowded public areas. If that’s difficult for certain roles – such as traveling salespeople – then outfit their computer and/or mobile device with a privacy screen.

How to Create a Cybersecurity Awareness Plan

As a reader, you’re now aware of six serious cybersecurity threats that can be solved through employee awareness – but how can you make your fellow team members more aware of common cybersecurity threats? It’s not as difficult as you may think – just follow these five steps, and you’ll be well on your way.

1. Align with Leadership & Get Employee Buy-In

Before you can get a cybersecurity awareness plan started, you need both leadership and employees to understand how important it is. Start by having a meeting with the CIO or another high-ranking individual to stress the importance of cybersecurity awareness and make it clear that some modest investments will be needed to help employees stay secure. Once leadership accepts, reach out to employees and begin pitching them on why they need to take cybersecurity seriously – namely, how much poor security costs the business, and how those costs can trickle down to them.

2. Train Employees

Once you have buy-in for cybersecurity awareness training, start building your lesson plan. This should include the information your core business needs, common threats within your line of business, and sample cases of how these attacks may play out in practice. Additionally, tell employees exactly how they should respond to and report these cybersecurity threats to ensure the attacker does not succeed.

3. Test Employees

After training is complete, it’s time to test what your employees learned with hands-on exercises. A few days or weeks after the training concludes, pretend you’re a malicious actor and try to get as many employees to fall for your tricks as possible. This may include sending malicious attachments from an outside email account, phishing via email, or trying social engineering tactics on your employees. If they don’t fall for it, give them some kind of reward for their diligence – like a gift card, free lunch, or a box of treats. If they are tricked, fall back to step 2 and retrain your employees.

4. Conduct a Threat Assessment

Threat assessments help you determine vulnerabilities within your organization and quantify the cost of different cybersecurity attacks, helping you prioritize risks based on your most critical business areas. Once the assessment is complete, share the findings with both general employees and the IT team. When you send this document to a typical employee, include suggestions on how they can help secure these business areas. When you send it to the IT team, let them know they should closely monitor the highest-risk parts of your business.

5. Assist Security Teams

Make sure your security team is aware of the findings within your threat assessment, and ensure they are equipped to handle the most pressing threats within your assessment. Check in with them regularly and consider providing them with a list of what’s currently trending in the world of cybersecurity. By taking this step, your business is more likely to have everything it needs to prevent a breach.

Final Thoughts

Promoting cybersecurity awareness among all of your employees can be daunting – but when it’s successful, every member of your team will know exactly what to do in the event of a security incident. Considering the cost of a successful breach, each deflected attack will pay for your efforts many times over.

When your entire organization understands the risks inherent in modern business, and is also equipped with the knowledge and tools required to mitigate those risks, you can better protect your organization’s data. Keep in mind that creating a cybersecurity awareness program isn’t a one-time exercise – it’s important to train new employees, consistently retrain existing employees, and test every member of your organization, from interns to the CEO. This continuous initiative will give you many of the tools you need to defend against today’s most pressing cyber threats.

If you still feel overwhelmed, or if your resources are limited, SoftwareONE is here to help you. Our Cybersecurity User Awareness trainings close the knowledge gap in your workforce and increase the resilience and security of your organization.


Author

Bala Sethunathan

Director, Security Practice & CISO
