In a world where the virtual landscape keeps evolving at an unprecedented rate, ever-increasing cybersecurity risks are more real than ever. These risks pose a significant threat to your organization, its reputation, and, ultimately, its survival.
Our focus for this month of July 2023 is on Cybersecurity Awareness Training, which acts as a crucial defence in protecting your organization, its assets, and your clients.
Chapter 3 of The Global Risks Report 2022 revolves around digital dependencies and cyber vulnerabilities across the world. Its main highlights include two disturbing findings: an increase of 435% in ransomware, and 95% of cybersecurity issues traced to human error.
95% of all cybersecurity issues can be attributed to human error [1]
What is Cybersecurity Awareness Training?
Cybersecurity Awareness Training is a corporate-wide initiative to educate employees about the different kinds of cybersecurity threats that impact users’ accounts, devices, information technology systems and networks, and how to identify and avoid them. [2]
Cybersecurity Awareness Training helps employees understand what cyber threats look like, how they operate and how to respond when they encounter them.
Why is Cybersecurity Awareness Training Essential?
The digital world brings about a multitude of risks, ranging from security breaches and data leaks to full-scale cyberattacks. As a business organization, safeguarding the sensitive data you hold is not only a top priority but also a critical responsibility. The primary line of defence for your organization is not complex cybersecurity systems but rather a well-informed, cautious, and vigilant professional team. By implementing Cybersecurity Awareness Training, you can build a human firewall that shields your organization from a significant portion of cyber threats.
What Topics Should Be Covered in a Cybersecurity Awareness Course?
A wide range of Cybersecurity Awareness Courses are offered to help all kinds of companies strengthen their cybersecurity cultures. The Baseline cyber security controls for small and medium organizations require basic security training, including a focus on the following topics:
- The use of effective password policies
- Identification of malicious emails and links
- Use of approved software
- Appropriate usage of the Internet
- Safe use of social media.
Understanding the Cyber Threat Landscape within the Virtual World
Before delving further into training specifics, it is essential to grasp the cyber threat landscape and how it directly impacts your organization. The most common types of cyber threats include:
- Phishing: This occurs when cybercriminals attempt to deceive recipients into providing sensitive data through seemingly legitimate emails and websites.
- Ransomware: This malicious software denies access to a computer system or data until a ransom is paid.
- Social Engineering: This involves manipulating individuals into divulging personal and confidential information.
- Insider Threats: These intentional or accidental threats come from people working within the organization, such as employees, former employees, contractors, or business associates. They can be classified as either malicious or negligent in nature.
Customized Cybersecurity Awareness Training
When designing your Cybersecurity Awareness Training Program, it is important to consider your organization’s specific needs. Customize the content of that training to cover important areas such as password management, email messaging practices and Internet surfing, mobile device usage, social media risks, and recognizing and reporting potential cyber threats. Make use of real examples and case studies to illustrate the dangers and impacts of poor cybersecurity behaviour. In these training programs, it is recommended to perform a phishing simulation, which will be covered in the next section of this Newsletter.
58% of organizations report that their employees ignore cybersecurity policy and guidelines [3]
Many organizations offer Cybersecurity Awareness Training Programs and will manage the deployment of courses and simulation exercises. A few of these organizations are based in Canada. Among them is CIRA (Canadian Internet Registration Authority), a not-for-profit organization that offers such a service to Small and Medium Enterprises (SMEs). Some of you may know CIRA as the group that manages the .ca domain name on behalf of all Canadians and works to build a more trusted Internet for Canadians.
Phishing Simulations
Taking a proactive approach towards potential cyber threats is key. One of the most effective methods is running periodic phishing simulation tests. This prevention process helps train your staff to recognize and promptly report phishing attempts. There are several free tools available:
- Gophish: An open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing simulations and cybersecurity awareness training.
- Phishing Frenzy: An application that streamlines the phishing process while managing the results.
Where to Find Online Cybersecurity Awareness Resources?
Other online content provides an excellent platform to educate your staff about the basics of cybersecurity. Such courses often offer interactive and engaging content, which makes learning more effective. Some free resources include:
- ISC2 offers a Cybersecurity Awareness Training Course that is free to enroll.
- Amazon offers its internal Cybersecurity Awareness training and quiz externally, available in English and French.
- Jigsaw, a Google company (Jigsaw | Phishing Quiz), offers a multilingual quiz on phishing.
- Rogers Cybersecure Catalyst, part of Toronto Metropolitan University, offers a free awareness training course for Small and Medium-Sized Businesses (SMBs), aimed at corporate executives and IT personnel.
- The Center for Development of Security Excellence Cybersecurity Awareness provides a series of courses targeted at the US military and the US military industrial infrastructure.
- Cybrary (https://www.cybrary.it/) offers a range of cybersecurity courses, including a Cybersecurity Awareness Course. These courses are designed to help businesses understand and combat potential risks associated with the cyber threat landscape.
- SANS Cyber Aces (https://www.cyberaces.org/) offers free online courses on the core concepts on which cybersecurity is grounded. It is an excellent platform for increasing awareness and learning about the basics.
- Get Cyber Safe is a national public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.
Regular Training and Updates
Cyber threats are not stagnant; they are ever-evolving. As such, your Cybersecurity Awareness Training must reflect these changes. Ensure that your team is updated regularly about emerging cyber threats and cybersecurity practices. Such updates could involve periodic emails, workshops, or refresher courses.
Promoting a Cybersecurity Culture
Beyond Cybersecurity Awareness Training Programs, promoting a culture of cybersecurity within your organization is paramount. This includes encouraging staff to take ownership of their cybersecurity both at work and home. This also involves nurturing transparency and reporting of potential cyber threats, and celebrating a culture of cybersecurity consciousness. The aim is to foster a cybersecurity-first mindset where every individual considers themselves as part of the organization’s cybersecurity solution.
Assessment and Reinforcement
Measuring the effectiveness of your Cybersecurity Awareness Training and its impact is crucial for the well-being of your company. Use assessments to gauge staff understanding and identify areas for improvement. Follow up with reinforcement activities to concretely apply the cybersecurity practices learnt during the training sessions, and create lasting changes which positively influence the behaviour of your personnel.
Remember that the cost of Cybersecurity Awareness Training is just a tiny fraction of the potential damage that could be triggered by a cybersecurity breach. In fact, investing in the cybersecurity knowledge of your team and fostering a culture of cybersecurity awareness is the best investment you can make for safeguarding your company against surging cyber threats.
[1] According to the far-sighted findings of The Global Risks Report 2022, 17th Edition, published by the World Economic Forum, 95% of all global cybersecurity issues can be traced to human error.
[2] https://www.cyberpilot.io/awareness-training
[3] Netwrix 2020 Cyber Threats Report