Cybersecurity Awareness Training: 11 Most Wanted
August 07, 2020
Cybersecurity Awareness Training is no longer a do-it-yourself proposition. The new compliance, privacy, regulatory, and threat landscapes have evolved in ways that blur the lines between different types of training. And the stakes are high: HIPAA non-compliance fines can span up to $1.5M, PCI non-compliance fines are said to span up to $100,000/month, and one analysis of the impact of phishing on large companies places the annual cost at over $3.7M.
The good news? It's easy to take initial steps towards de-risking your small business, by implementing ready-made online training on a wide variety of cybersecurity topics (shameless plug: Havoc Shield has all of these available, online, instantly). Here's a sampling of some of the most popular training modules that you might consider for your small business.
11 Most Wanted Cybersecurity Training Sessions
Cybersecurity Awareness Training
This is a foundational course that provides a high-level overview of a broad range of cybersecurity factors including phishing, safe online/web practices, and technology best practices applicable to just about every type of employee. This training should be your launching point for delving into more specific/specialized training topics, and is typically deployed companywide.
Malware & Viruses
Avoiding malware and viruses is partially a matter of a strong technological cybersecurity posture. However, it also relies on strong human judgement and pattern recognition when employees encounter a potentially unsafe download or attachment. This training covers the modern tactics and techniques most frequently used to spread malware and viruses, and how to stay safe from them.
Ransomware
We've covered ransomware extensively on this blog, especially in our Zooming in on Ransomware article. There is little doubt that this year will bring the largest economic ransomware impact ever. This is possibly the fastest-accelerating attack strategy that poses an existential threat to small businesses. You'll want your employees to have a high degree of awareness of the types of online behavior that are risk factors for falling victim to a ransomware attack.
Social Engineering
The weakest link in many small business cybersecurity practices is the ability of attackers to use social engineering to fool employees into taking certain actions on their behalf. Well-meaning, eager-to-please employees are easy targets for a long-running style of attack that involves deception over the telephone. Your employees should know the nature of this attack strategy so that (should they encounter it) they know to pause, slow down, and consider the totality of circumstances surrounding a phone call before taking any particular privileged action.
Phishing
This cybersecurity awareness training topic has become substantially more complex in recent years. Attackers are becoming increasingly deceptive in the way they procure look-alike domain names to pose as legitimate members of a vendor or supplier that you rely on. If you have DNS filtering on your endpoints, you are a step ahead in combating this type of attack, but you should also augment your approach with a phishing training module. We especially recommend pairing your training session with phishing simulations (possibly even prior to training as an unannounced exercise).
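The look-alike domain problem described above is one that a technical control can help with alongside training. The following is an added example (not code from Havoc Shield or this post) that classifies the domain of an inbound sender against a constructed allowlist of vendor domains. It catches the variations attackers typically register: homoglyph substitutions (rn for m, 0 for o, 1 for l), dropped or added hyphens, the same name under a different TLD, small typos, and a trusted name reused as a subdomain of an unrelated domain. The vendor domains, the homoglyph table and the thresholds are assumptions chosen for the example; treating the last two DNS labels as the registrable domain is a simplification that a production version would replace with a public-suffix list.

```python
"""Look-alike sender domain check (added example, not Havoc Shield's code).

Classifies an inbound sender's domain as trusted, lookalike, or unknown
against a constructed allowlist. Assumption: the registrable domain is the
last two labels (no public-suffix list is consulted).
"""

# Constructed allowlist of vendor domains the business actually deals with.
TRUSTED_DOMAINS = {"acme-supply.com", "northwind-bank.com", "contoso.net"}

# Visually confusable substitutions commonly seen in look-alike registrations.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

TYPO_DISTANCE = 2     # max edit distance still treated as a typosquat (assumption)
MIN_BASE_LENGTH = 5   # skip the distance check for very short names (too many false hits)


def normalize(label):
    """Collapse confusable characters and hyphens so visual twins compare equal."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain):
    """Return (verdict, matched_trusted_domain_or_None, reason)."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])
    # Exact allowlist hit, or a legitimate subdomain such as billing.acme-supply.com.
    if domain in TRUSTED_DOMAINS or registrable in TRUSTED_DOMAINS:
        return ("trusted", registrable, "exact match or legitimate subdomain")
    sender_base = labels[-2] if len(labels) >= 2 else labels[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        trusted_base = trusted.split(".")[0]
        # acme-supply.com.example.org: the trusted name sits under someone else's domain.
        if trusted_base in labels[:-2]:
            return ("lookalike", trusted, "trusted name used as a subdomain of another domain")
        # acrne-supply.com, acmesupply.com, acme-supply.co all normalize to the same base.
        if normalize(sender_base) == normalize(trusted_base):
            return ("lookalike", trusted, "homoglyph, hyphen or TLD variation")
        # acme-suply.com: one character off the real name.
        if (min(len(sender_base), len(trusted_base)) >= MIN_BASE_LENGTH
                and edit_distance(sender_base, trusted_base) <= TYPO_DISTANCE):
            return ("lookalike", trusted, "typosquat within edit distance %d" % TYPO_DISTANCE)
    return ("unknown", None, "not on the allowlist and not similar to any entry")


if __name__ == "__main__":
    # Constructed sender addresses for a quick demonstration.
    for sender in ["ap@acme-supply.com", "ap@acrne-supply.com", "it@contos0.net",
                   "help@acme-supply.com.example.org", "friend@gmail.com"]:
        print(sender, "->", classify_sender_domain(sender.split("@")[1]))
```

A "lookalike" verdict is the signal worth surfacing to the employee (a banner on the message, or a hold for review) because it is precisely the case where the sender looks like a vendor they already trust; "unknown" senders are ordinary and should not be treated as suspicious by this check alone.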
PCI Compliance
The payment card industry has been the target of some of the longest-running financial cyberattacks, and for obvious reasons. Wherever financial transactions occur online, especially if the transactions involve a credit card entered on an online form, there is substantial need for a strong cybersecurity posture. Part of that cybersecurity posture is being sure that your team understands their obligations on any occasion in which they handle or otherwise manage payment information. This cybersecurity awareness training session has been refined countless times over the years as payment card industry attacks have evolved in new and deceptive ways.
Wi-Fi Safety
Few employees have a passion for spending time configuring their home wi-fi router. Hackers know that. Increasingly mobile employees connect to your company's infrastructure from a wider variety of wi-fi access points. Some very simple steps can help your employees identify unsafe behaviors related to connecting to wi-fi access points from their home, from their favorite coffee shop, from a hotel room, or elsewhere.
HIPAA Compliance
The healthcare industry -- much like the payment card industry -- has been a long-running attractive target for cybercriminals. The threats associated with healthcare information abound, in many cases crossing over into cybercrimes relating to the disclosure of private medical information. If your company operates in the healthcare industry, or if you have customers that even coincidentally use your solutions in a manner that involves the handling of healthcare information, this training is vital for your organization.
Physical Security
The recent unprecedented shift to work-from-home and hybrid office/home work has taken its toll on our physical security practices. No longer can you be certain that company assets are closely guarded within your office's physical security perimeter. However, with this training in hand, your team will dramatically increase their chances of making safe physical security decisions in the moments that matter the most.
Email Scams & Attachments
Many scams originate via email (e.g., phishing attacks). This particular training, though, is especially strong in the subject of email attachments. A nightmare scenario for a small business is to have a well-meaning employee naively open an unsafe attachment. The attachment could potentially be a virus, malware, ransomware, or all manner of other unsafe content. With a combined strategy that involves technological barriers and training, your company can minimize the likelihood of being impacted by email scams involving unsafe attachments.
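The "technological barriers" half of that combined strategy is usually an attachment screen at the mail gateway. As an added example (not code from Havoc Shield or this post), the function below applies the checks such a screen commonly makes on a filename plus the first bytes of the file: executable and script extensions, document-looking double extensions (invoice.pdf.exe), macro-enabled Office types, a Windows executable header hiding behind a document extension, a mismatch between the extension and the file's leading bytes, and bidirectional override characters that disguise the real extension in the displayed name. The extension sets, the magic-byte table and the allow/review/block policy are assumptions chosen for the example; a real gateway would also unpack archives and run a scanner.

```python
"""Attachment screening by name and leading bytes (added example, not Havoc Shield's code).

screen_attachment() returns ("allow" | "review" | "block", [reasons]). The
extension lists, magic-byte table and policy levels are assumptions for the example.
"""

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "ps1", "vbs", "vbe",
                   "js", "jse", "wsf", "hta", "msi", "dll", "jar", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "gif", "csv", "rtf"}

# Leading bytes expected for common document and image types.
MAGIC = {
    "pdf": (b"%PDF",),
    "png": (b"\x89PNG",),
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF8",),
    "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",), "pptx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",), "ppt": (b"\xd0\xcf\x11\xe0",),
    "zip": (b"PK\x03\x04",),
    "rtf": (b"{\\rtf",),
}
SEVERITY = {"allow": 0, "review": 1, "block": 2}


def screen_attachment(filename, head):
    """Screen one attachment given its name and its first bytes (head)."""
    findings = []
    # U+202E / U+202D reverse the displayed order of the characters that follow,
    # so "report\u202efdp.exe" is shown to the user as "reportexe.pdf".
    if "\u202e" in filename or "\u202d" in filename:
        findings.append(("block", "bidirectional override character hides the real extension"))
    parts = filename.lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        findings.append(("block", "executable file type .%s" % final))
    if len(exts) >= 2 and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        findings.append(("review", "double extension mimics a document name"))
    if final in MACRO_EXTS:
        findings.append(("review", "macro-enabled Office document .%s" % final))
    # "MZ" is the DOS/PE header: executable content regardless of what the name says.
    if head.startswith(b"MZ") and final not in EXECUTABLE_EXTS:
        findings.append(("block", "Windows executable header in a non-executable file type"))
    expected = MAGIC.get(final)
    if expected and not any(head.startswith(m) for m in expected):
        findings.append(("review", "content does not look like a .%s file" % final))
    if not findings:
        return "allow", []
    verdict = max((level for level, _ in findings), key=SEVERITY.__getitem__)
    return verdict, [reason for _, reason in findings]


if __name__ == "__main__":
    # Constructed sample attachments: (name, first bytes).
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("report.pdf", b"MZ\x90\x00"),
        ("quarterly.xlsm", b"PK\x03\x04"),
        ("photo.png", b"\x89PNG\r\n\x1a\n"),
    ]
    for name, head in samples:
        print(name, "->", screen_attachment(name, head))
```

The "review" tier exists because macro documents and odd double extensions are sometimes legitimate; holding them for a human decision, rather than blocking outright, is what keeps the control from being switched off by the business after its first false positive.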
GDPR
Many consider GDPR training to be more closely associated with privacy than security, but the training crosses over with impact on both areas. Some small businesses that initially believe they are not subject to GDPR later realize that they have one or more EU-based customers, and suddenly have additional privacy and security obligations that were not previously considered. GDPR training is an essential part of bringing your organization into compliance.
Cybersecurity Awareness Training Wrap-Up
Do not attempt to create training on this variety of topics on your own. It is cost-effective and simple to roll out pre-existing training on all of the above topics. Customers of Havoc Shield can instantly roll out any or all of the above training modules, including all of the necessary notifications to team members, tracking and auditing of completions, management of grace periods, and audit logs that memorialize the training activity of each employee. We're standing by to help, if you have training needs in any of these areas!
Any additional suggestions for article topics about cybersecurity training? Drop us a note in the comments section below!