Cybersecurity training is essential in modern businesses, as it is one of the most cost-effective ways to reduce the risk of a data breach. Beyond teaching employees why cybercrime matters, a security awareness program builds awareness by simulating real-life security threats. That is why we combine products like WorkWise™ and OnePhish™ into a multi-pronged security training platform that is easy to implement.
Schedule a free consultation with our cybersecurity experts. Do you need to be DFARS 252.204-7012, 7019, 7020 or 7021 compliant? Are you worried about CMMC Certification? If so, avoid the risk of losing contracts by implementing all 110 requirements of NIST 800-171. Call us today at 763-546-8354 or schedule a free consultation with a cybersecurity expert.
A security awareness training program provides students with the information they need to protect information assets from loss or damage. These students may include any stakeholders who are authorized to perform functions for an organization, such as employees, contractors, and temporary workers.
While all organizations benefit from this training, some are legally or contractually required to provide it, particularly in heavily regulated sectors such as government contracting, healthcare and finance. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires a formal security awareness program for personnel who handle cardholder data; the Sarbanes-Oxley Act imposes financial reporting and internal-control obligations on publicly traded companies; and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires every organization that handles Protected Health Information (PHI) to safeguard it and to train its workforce accordingly. The National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) also publish general cybersecurity guidance applicable to any organization, such as NIST SP 800-53 and ISO/IEC 27001, both of which contain awareness and training controls.
The increasing interconnectivity of today’s work environments makes organizations more vulnerable to cyber threats. Security awareness training helps employees keep up with constantly changing threats, which matters because people are usually an organization’s greatest security vulnerability. Experienced attackers know that an organization’s own people are typically the softest part of its attack surface.
The 2020 State of Privacy and Security Awareness Report (SPSAR) found that 28 percent of employees aren’t confident in their ability to recognize a phishing email. Employees need a cybersecurity awareness program to identify these IT security threats and decide what to do about them. Organizations also need to provide them with written policies that clearly state the practices that are considered unacceptably risky.
Another key finding of the 2020 SPSAR is that many employees are uninformed about the risk factors of data security and privacy, and fewer still are familiar with best practices in these areas. Information security is everyone’s responsibility, as personal behavior that seems harmless can pose a major risk to an organization. A cybersecurity awareness program gets everyone in an organization on the same page, resulting in better risk reduction.
The most important concepts to include in a security awareness program depend on the culture and most pertinent risks for each organization. This program should be tailored for an individual organization to ensure the information is as relevant as possible and will be retained by the employees. WorkWise™ and OnePhish™ are two of the most popular security awareness programs Beryllium offers.
WorkWise™ is an online training program that focuses on the importance of cyber security awareness, including best practices and the impact of actions at the individual level. It teaches that human error is the biggest risk in cyber security, even more than technology. Industry experts endorse this content, which includes best practices and practical advice. WorkWise™ takes 1.5 hours to complete.
WorkWise™ is a completely cloud-based solution that doesn’t require end-users to install or maintain additional software. Participants can access this material with a web browser by signing onto the platform from any internet-connected device, including a smartphone, desktop, laptop, or tablet. Supported browsers include the following:
The training uses automatic bookmarks that make it easy to start and stop a learning session. Learners can sign on to the platform from a different device or browser without disrupting the learning process. They can also track their progress through reporting features available within the training module, from “Not Started” to “Completed.” Administrators can also run summary reports with a high-level view and those that target specific actions.
Completing WorkWise™ requires learners to do more than simply read through the material. They must also receive a passing score on a final exam. Those that don’t pass have the opportunity to retake the final exam.
Phishing poses a considerable cybersecurity risk to organizations when employees are untrained and unsuspecting about deceptive messages and the malware or credential theft they deliver. OnePhish™ is an online phishing simulator that lets organizations run simulated phishing attacks against their own employees to evaluate their susceptibility to social engineering tactics. This solution is completely cloud-based, so there is no additional software to install or maintain.
OnePhish™ uses intuitive menus that allow non-experts to coordinate a phishing simulation, including more targeted attacks such as spear phishing. It also includes a robust library of premade phishing templates that are fully customizable. Users can manage all aspects of the simulated attack from a flexible template editor. OnePhish™ users can schedule multiple simulations at the same time to ensure employees remain vigilant against phishing schemes from cybercriminals. These additional simulations don't incur any extra fees.
The summary reports available in OnePhish™ include high-level views and reports on specific actions. The large number of reporting options available means that users have all the information they need to mitigate the risk of phishing in a usable format. Standard reports in OnePhish™ include the following:
Users can also filter these reports based on specified criteria and export them to other systems.
OnePhish™ is hosted in a secure data center, since some of the information users supply to set up a simulation may be sensitive. The phishing awareness program does not retain that information; it records only the actions recipients take during a simulation.
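To make the "track the action, not the data" principle concrete, here is a small Python example added to this page. It is not OnePhish™ code and does not describe Beryllium's implementation; the event format, the campaign key, the department names and the sample events are all assumptions. It gives each recipient a keyed tracking token so clicks can be attributed without being forgeable, strips any form payload (such as a password typed into the simulated login page) before an event is recorded, and aggregates the rest into the kind of per-department report and CSV export described above.

```python
import csv
import hashlib
import hmac
import io
import json
from collections import defaultdict

# Hypothetical per-campaign key; in a real deployment it would come from a
# secrets store, never from source code.
CAMPAIGN_SECRET = b"example-campaign-key"

ACTIONS = ("sent", "opened", "clicked", "submitted", "reported")


def tracking_token(campaign_id, recipient_id):
    """Short HMAC tag placed in each recipient's unique link.

    The tag lets a click be attributed to one person, and because it is keyed,
    a recipient who edits the id in the URL cannot generate events for a
    colleague or pollute the campaign's numbers.
    """
    msg = f"{campaign_id}:{recipient_id}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def token_is_valid(campaign_id, recipient_id, token):
    """Constant-time comparison so response timing does not leak valid tokens."""
    return hmac.compare_digest(tracking_token(campaign_id, recipient_id), token)


def sanitize(event):
    """Keep only who, which department, and what action.

    Anything else, in particular a 'form' payload holding whatever the
    recipient typed into the simulated login page, is dropped before the
    event is written anywhere.
    """
    if event.get("action") not in ACTIONS:
        raise ValueError(f"unknown action: {event.get('action')!r}")
    return {k: event[k] for k in ("recipient_id", "dept", "action")}


def summarize(log_lines, dept=None):
    """Per-department counts and rates; 'dept' optionally filters the report.

    Each recipient is counted at most once per action, so repeated clicks on
    the same link do not inflate the click rate.
    """
    who = defaultdict(set)  # (dept, action) -> set of recipient ids
    for line in log_lines:
        ev = sanitize(json.loads(line))
        if dept is not None and ev["dept"] != dept:
            continue
        who[(ev["dept"], ev["action"])].add(ev["recipient_id"])

    rows = []
    for d in sorted({d for d, _ in who}):
        sent = len(who[(d, "sent")])
        row = {"dept": d, "sent": sent}
        for action in ("clicked", "submitted", "reported"):
            n = len(who[(d, action)])
            row[action] = n
            row[f"{action}_rate"] = round(n / sent, 3) if sent else 0.0
        rows.append(row)
    return rows


def to_csv(rows):
    """Export the aggregate report; it contains no per-recipient data."""
    buf = io.StringIO()
    if rows:
        writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
        writer.writeheader()
        writer.writerows(rows)
    return buf.getvalue()


# Constructed sample events, not real campaign data. Recipient r1 typed a
# password into the landing page; sanitize() ensures it never survives.
SAMPLE_LOG = [
    '{"recipient_id": "r1", "dept": "finance", "action": "sent"}',
    '{"recipient_id": "r1", "dept": "finance", "action": "opened"}',
    '{"recipient_id": "r1", "dept": "finance", "action": "clicked"}',
    '{"recipient_id": "r1", "dept": "finance", "action": "clicked"}',
    '{"recipient_id": "r1", "dept": "finance", "action": "submitted",'
    ' "form": {"user": "r1", "password": "hunter2"}}',
    '{"recipient_id": "r2", "dept": "finance", "action": "sent"}',
    '{"recipient_id": "r2", "dept": "finance", "action": "reported"}',
    '{"recipient_id": "r3", "dept": "eng", "action": "sent"}',
    '{"recipient_id": "r3", "dept": "eng", "action": "opened"}',
    '{"recipient_id": "r4", "dept": "eng", "action": "sent"}',
    '{"recipient_id": "r4", "dept": "eng", "action": "clicked"}',
    '{"recipient_id": "r4", "dept": "eng", "action": "reported"}',
]

if __name__ == "__main__":
    print(to_csv(summarize(SAMPLE_LOG)))
```

Two design points are worth noting. Counting each recipient once per action means a user who clicks a link twice, or clicks and then reports, is scored by what they did rather than how many times they did it, which is what a training report needs. And discarding the form payload at the sanitize step, before anything is persisted, is what lets a simulator honestly claim it tracks only actions: a captured password is a liability, not a metric.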
How Often Should an Organization Conduct Security Training?
Workers should receive security training at specific periods during their employment, including the following:
The training for each of these occasions may cover different aspects of security, along with real-world examples such as phishing and W-2 scams. Planning ahead allows you to develop the right training for each event.
Employees who have just joined an organization need an overview of how that organization handles security and why they need to take it seriously. This material includes the people, processes, and technology that are most relevant to security for a particular role, especially key principles and tools. Employees should receive one-on-one training on security during onboarding through an interactive presentation that keeps them engaged. A test should follow the presentation to ensure employees understand and are able to apply the new information.
Organizations should also provide a refresher course after a security incident occurs, especially if it resulted in the compromise of sensitive information. Assume for this example that an employee falls for a phishing email or ransomware. This event provides an opportunity to show how to prevent it from happening in the future, rather than laying blame.
This process should begin with a consultation with legal counsel to ensure communications with employees are appropriate for the circumstances. The initial communication should give employees enough information about the breach to avoid falling victim to the same or similar schemes, especially if the attacker is posing as a corporate executive on social media. Next, determine what went wrong, typically focusing on the information employees lacked that would have helped them avoid the situation. Finally, hold a meeting for the entire organization to review best practices for this type of incident.
Employees need security courses at regular intervals to retain the vital information they have already received. They also need updates on new threats arising from newly discovered vulnerabilities and technological advances. It is important to keep communication channels open so employees can quickly get answers to their immediate concerns.
Like many aspects of security, training isn’t a one-time activity. It also needs to be part of your company culture to ensure it receives the priority it deserves. Employee onboarding sets the tone for how seriously your organization takes security. The post-incident and ongoing training sessions help keep security top-of-mind as employees acquire additional skills and fill new roles. It’s also important to modify ongoing computer-based training as needed to account for the organizational and technological changes that will inevitably occur over time. This approach ensures that your security posture remains mature, despite the continuing evolution of your security threat landscape.