From the course: Cybersecurity Awareness: Social Engineering
Cybersecurity awareness training
In the previous chapter, we discussed different methods of social engineering. From phishing to shoulder surfing, attackers use many different methods to influence you. In this chapter, we'll discuss what tools we can use to defend ourselves against these attacks.

You can have the best physical and technical security solutions, but if you don't bother training your employees on security best practices, a social engineer can bypass all the hacking and simply walk through your front door. The solution is to make sure that you are regularly training employees on ways to spot a social engineering attack. According to social engineer Jayson Street, "The most effective way to make training stick is to make it relatable." The idea here isn't to make each employee an expert in social engineering; it's to get them to know enough to think twice and identify what could be a potential attack. This can be the difference between a breach and a non-event.

Let's say you're the head of security for an organization that is super secure. It's equipped with mantraps, multiple guards walking the halls 24/7, video cameras at every corner, and every door requires two forms of ID to get through. The company has spared no expense on security, and everything is top-of-the-line. But you get a phone call at 2:00 pm from one of your security staff: a breach has occurred and top secret files were stolen. You begin your incident response procedure, scratching your head and wondering how in the world you got breached. After reviewing some video footage, you identify that the breach occurred with the help of an employee. When interviewing that employee, they simply state that they were escorting another employee to retrieve something from the vault. When you ask them why they did that, the employee stares back blankly at you and says, "Well, they forgot their badge at home."

Training can take multiple different forms. Cybersecurity awareness training videos are very popular for obvious reasons: the information can be viewed at any time, no conference rooms need to be booked, and no food needs to be supplied. Another option would be to carry out interactive lectures, which tend to be more effective. You can also share pamphlets or handouts with information on them. Whatever method you choose, make sure to consider your audience.

You can create an in-house training program that you refresh every quarter or twice a year. This gives you better control over the content. It also allows you to tailor the training to your industry and what you actually see on a day-to-day basis. The downside is that you have the sole responsibility of keeping the training up to date. Depending on the size of your team and the amount of work you have, this may not be practical. Another option would be to outsource this role completely. There are a lot of companies that specialize in security awareness, like KnowBe4. If you have the budget but lack the time, maybe this option would be better for you.

Training is important, but there are other ways to defend yourself against social engineering attacks, like protecting your passwords. I'll show you how in the next video.
Contents

- Cybersecurity awareness training (3m 17s)
- Properly manage passwords (3m 12s)
- Install patches (2m 28s)
- Spam filter (1m 55s)
- Sandboxing (2m 27s)
- Scan your attachments (2m 5s)
- Anti-social engineering software (2m 2s)
- Create policies and procedures (2m 39s)
- Challenge: Safeguarding your company from attacks (46s)
- Solution: Safeguarding your company from attacks (2m 44s)