Cybersecurity Training Philosophy
I believe training should be engaging and short, because employees have limited time to focus on it alongside their daily jobs.
Phishing training
Phishing is a term more people are becoming familiar with. It is one of the most common ways to be tricked into giving away your email login or bank credentials: you are directed to a website that looks legitimate, such as a copy of your bank's login page, while its true purpose is to capture whatever you type into it.
Website Malware Safety
Following links in email from senders you don't know can be dangerous. Check the sender's actual address, not just the display name; look for unusual or overly formal names, irregular grammar, and emotional calls to action such as fear of missing out or "the boss" telling you to rush this through.
Submitting passwords through an unencrypted website is another telltale sign you might be where you don't belong. Look for the 'lock' in the browser's address bar to confirm the connection is encrypted. Remember that the lock only means the connection is encrypted, not that the site is legitimate; phishing sites can have one too, so also check that the domain shown in the address bar is the one you expect.
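Several of the checks above (who the mail really comes from, whether replies are redirected elsewhere, pressure language, and where a link actually goes) can be partly automated. The block below is an added example, not code from the original page; it runs those heuristics over two constructed messages. The company domain example.com, the urgency and role keyword lists, and both sample emails are assumptions made for illustration, and the "lock" caveat is reflected in the last check: a login link that is not HTTPS is flagged, but an HTTPS link to the wrong host is still flagged by the host comparison.

```python
"""Heuristic phishing-indicator checks over a raw email.

Added example, not part of the original page. The domain, keyword lists and
both sample messages below are constructed for illustration.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Pressure language that pushes the reader to act without thinking (illustrative list).
URGENCY_PHRASES = ("urgent", "immediately", "rush", "asap", "last chance",
                   "account suspended", "verify your account")

# Roles attackers like to claim in the display name (illustrative list).
ROLE_PATTERN = re.compile(r"\b(ceo|cfo|director|boss|it support)\b", re.I)

# Matches <a href="...">visible text</a> in a simple HTML body.
ANCHOR_PATTERN = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

# Constructed phishing sample: look-alike external domain, impersonated CEO,
# mismatched Reply-To, urgency, and a link whose visible text lies about its target.
PHISHING_EMAIL = """\
From: "Pat Chief (CEO)" <pat.chief@examp1e-mail.net>
Reply-To: accounts@mail-verify.example.net
To: alice@example.com
Subject: URGENT: rush this payment through today
Content-Type: text/html

<html><body>
<p>Alice, I need you to rush this through before the auditors arrive.</p>
<p>Log in here: <a href="http://example.com.login-check.example.net/auth">https://portal.example.com/login</a></p>
</body></html>
"""

# Constructed benign sample from a colleague on the company domain.
CLEAN_EMAIL = """\
From: "Bob Colleague" <bob@example.com>
To: alice@example.com
Subject: Notes from Tuesday's meeting
Content-Type: text/html

<html><body>
<p>Slides are on the portal: <a href="https://portal.example.com/slides">https://portal.example.com/slides</a></p>
</body></html>
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def check_message(raw: str) -> list[tuple[str, str]]:
    """Return (tag, detail) findings, one per phishing indicator present."""
    msg = message_from_string(raw)
    findings: list[tuple[str, str]] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    if from_domain != COMPANY_DOMAIN:
        findings.append(("external-sender", f"From domain is {from_domain!r}, not {COMPANY_DOMAIN!r}"))
        # The display name is attacker-controlled; an internal role on an external address is a red flag.
        if ROLE_PATTERN.search(display_name):
            findings.append(("impersonated-role", f"display name {display_name!r} claims an internal role"))

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(("reply-to-mismatch", f"replies go to {reply_addr!r}, not the From domain"))

    body = _body_text(msg)
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", text)]
    if hits:
        findings.append(("urgency", f"pressure language: {', '.join(hits)}"))

    for href, visible in ANCHOR_PATTERN.findall(body):
        real = urlparse(href)
        shown = urlparse(visible.strip()) if visible.strip().lower().startswith("http") else None
        if shown is not None and shown.hostname != real.hostname:
            findings.append(("link-text-mismatch", f"text shows {shown.hostname!r} but link goes to {real.hostname!r}"))
        if real.scheme != "https":
            findings.append(("insecure-link", f"link to {real.hostname!r} is not HTTPS"))
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        results = check_message(sample)
        print(f"{label}: {len(results)} finding(s)")
        for tag, detail in results:
            print(f"  [{tag}] {detail}")
```

The findings are prompts for a person to look more closely, not a verdict: the heuristics are deliberately crude (no grammar analysis is attempted), an attacker can avoid the keyword list, and a message with zero findings is not proven safe. The host comparison is the check that matters most, because a padlock on example.com.login-check.example.net is as easy to obtain as one on the real portal.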
Email safety through secure email
Don't send credit card numbers through regular email. Personal or confidential information shouldn't be sent through email either, because ordinary email is not encrypted end to end and may be stored and forwarded in the clear. Check with your company's IT department on how to send things securely.
Social engineering
Phone calls can also be used to trick victims into revealing information they wouldn't normally share. Beware of callers claiming to be your bank who ask for information to reactivate your account, or for your ATM PIN because your card has been compromised; a real bank will never ask for your PIN. The natural reaction is to trust someone asking for information. A simple way to turn this around is to tell the caller you will call back, hang up, and then call your bank directly using the number on the back of your card or on its official website, not a number the caller gives you. Report the call to the bank when you do.
Training should be recurring
Once-a-year training isn't nearly enough. We forget, and reminders that come so irregularly leave us more vulnerable to successful attacks. Send email reminders to the team regularly, and talk about it in meetings, even if only briefly.
Feedback and effectiveness through testing
Research on learning has shown that feedback to the learner is critical to getting the most out of training. Frequent testing between learning sessions engages the mind and puts it into a better state for learning.
How do you know your training is effective as an organization? As a leader, you need feedback too.
Have phishing testing (simulated phishing campaigns) run through companies offering the service. These provide the testing and feedback that both employees and leaders need to know the training is working.
Resources
Phishing
Web Browsing Securely
Social Engineering
Government Related Resources
CISA
US Cert
https://www.us-cert.gov/resources/business
DHS
https://www.dhs.gov/be-cyber-smart/common-scams
https://www.dhs.gov/be-cyber-smart/cyber-lessons#section-multifactor-authentication