The video released Thursday on social media channels of both Dubai Police and Emirates NBD bank uses Shaggy’s year 2000 hit “It wasn’t me” tune but with changed lyrics to warn users about banking fraud through social engineering techniques.

As Information security awareness professionals at CIATEC, we loved the video that got all the elements of a successful information security awareness material. It is a job well done conveying the message of keeping personal banking information safe using a 20 years well known rap song. This type of awareness material has proven to have a high penetration rate among audience.

Enjoy the video, and always remember to #SecureYourAccount.

Many organizations struggle to convey information security awareness material to users and customers. If that sound like your organization, contact us today to start your information security awareness program.

The post “It Wasn’t Me” – Dubai Getting Creative on Banking Fraud Awareness appeared first on CIATEC.

The first step in building a security awareness program is to establish baseline by doing some assessment quizes, phishing campaign and some other methods to check employees awareness level and start building the awareness program accordingly.

The following security awareness assessment quiz is a beginner-level, 10 questions quiz that can determine, for a certain extent, whether an employee is a security asset or a vulnerability that needs to be remediated. However, it is worth mentioning that there is no way to cover all information security domains in such a short quiz.

Similar information security trainings and phishing simulations, along with comprehensive information security awareness material are all part of CIATEC’s information security awareness program. You can check program packages here.

Ready? Let’s go

Your passwords should be easy to remember and hard to guess, which of the following is an example of strong password?

Image by Gerd Altmann from Pixabay

Passw0rd

29Feb1980

MyPetName

$ayN02#ackers

Correct! Wrong!

A password should be at least 8 characters long and includes special characters, numbers, a mix of uppercase and lowercase letters and doesn't not contain a dictionary word or phrase. This will make it hard to guess by hacking scripts.

Personal Identifiable Information (PII) is used to verify your identity and distinguish one person from another. Which of the following is an example of PII?

Image by TheDigitalWay from Pixabay

ID Number

Date of Birth

Home Address

All of the answers are correct

Correct! Wrong!

Personal identifiable information are "Personal" and should only be shared on need-to-know basis. Keep all your personal identifiable information (PII) to yourself and do NOT share it with any untrusted party.

True or False? A phishing attack can harm your personal computer only, but not your company’s network.

Image by Tumisu from Pixabay

True

False

Correct! Wrong!

A phishing attack may download a worm or other form of malware that can easily spread over the network and cause harm to all computers, servers and network peripherals.

Information security is the responsibility of:

Everyone in the company

IT Security Department

Security Guard

Top Management

Correct! Wrong!

Information security is everyone's responsibility.

True or False? It is OK to use the same password for all your online accounts as long as you keep it a secret.

Image by Gerd Altmann from Pixabay

True

False

Correct! Wrong!

Don't put all your eggs in one basket. You don't want all your accounts to be comprised just because one account is hacked. Use a separate password for each account. To remember your passwords, you can fix a part of the password and make the second part variable and linked some how to the service used.

Spear Phishing is:

Character vector created by freepik

An attack on your company’s email server

A phishing attempt targeting you personally

A random attempt to hack any point of weakness

A massive spam email attack on all employees

Correct! Wrong!

Spear phishing is a unique form of phishing in which the message is made to look as if it came from someone you know and trust as opposed to an informal third party. Spear phishing works better than phishing because it uses information that it can find about you from email databases, friends’ lists, and the like. You can learn about the different types of phishing here

Hackers can crack your passwords by repeatedly trying to guess it. This password cracking method is called:

Photo by Soumil Kumar from Pexels

The “G” attack

Brute-Force attack

Phishing attack

None of the answers is correct

Correct! Wrong!

A brute-force attack works by repeatedly trying to guess your password until it is cracked. That is why you should always use long and complex passwords that will take ages to guess.

True or False: Physical security is NOT related to information security.

Image by PublicDomainPictures from Pixabay

True

False

Correct! Wrong!

Physical security controls are at the heart of any information security program. At the end of the day, information assets are stored on physical media such as hard disks, flash drives or simply papers.

The FIRST objective of a "Security Aware Employee" is to be able to:

Photo by Miguel Á. Padriñán from Pexels

Avoid a security threat

Manage a security threat

Report a security threat

Recognize a security threat

Correct! Wrong!

The first step in the information security awareness ladder is to make sure that the average employee is able to identify threats and then report it to the right party. Threat avoidance and management are not the main responsibility of an average employee.

Tailgating is a form of social engineering that allows hackers to:

Watch company’s main gate 24/7

Get unauthorized access to restricted areas

Watch employees as they leave the gate

Following an employee after leaving work

Correct! Wrong!

In information security, tailgating is a social engineering technique used by hackers to deceive organization's officials through direct speech or actions in order to gain access into restricted areas. An example of tailgating is when one person tags along with an authorized employee to access a building or pass a certain checkpoint.

Information Security Awareness Assessment Quiz for Employees

Your score is low. Security awareness is urgently needed.

We highly recommend that you get involved in an information security awareness program that will help you recognize cyber security threat when you see one. The good news is that we are here to help. Learn more

There is a room for improvement.

Your score indicates that you have a sense of security when it comes to cyber threats, but there room for some improvement. We can help you with that. Learn more
Share your results and challenge your friends.

You have a good sense of security, you are an asset!

Your score indicates that you have a very good sense of security when it comes to cyber threats in the subject domains. But what about your colleagues? Do they all have the same security awareness level?
A well implemented security awareness program will harden the human layer of security of security.Learn more
Share your results and challenge your friends.

Share your Results:

Facebook Twitter

  Play Again!

Interested in our information security awareness services?

The post Information Security Awareness Assessment Quiz for Employees appeared first on CIATEC.

Lack of cyber security awareness training and accountability tops the list of causes of information security breaches. According to Gartner, spending on information security products and services reached a value of $114 billion US dollars in 2018, with an increase of 12.4 percent from 2017. On the other hand, the average total cost of a data breach in 2017 was $3.62 million according to IBM and Ponemon Institute. And 2019 forecasts are not any better. When you dig deeper in the studies, you realize that a high percentage of data breaches surprisingly took place in organizations of high IT security budget. And while some attacks could be traced back to disgruntled workers, a great deal of other attacks are simply a result of actions done by naive and non-harmful employees that simply weren’t well informed.

Over the past years, IT became the main enabler of almost every business. And security has always been a major concern. Implementing a security awareness program has become a must for an organization, regardless of it’s size, industry, or location.

• Main causes of Cyber Security Breaches
• Importance of Cyber Security Awareness and Training
• Cyber Security Awareness Topics
• Cyber Security Awareness Channels

Top Reasons of Cyber Security Breaches

1- Uninformed Employees

Uninformed, naive and non-harmful employees lacking information security awareness and training tops the list of causes. Our experience taught us that technology alone cannot completely secure IT environments, there will always be the human factor involved, whether within IT department side or at end users side. Unfortunately, human brain cannot be patched same as a computer! It can only be nourished by knowledge, training and awareness material.

It only takes one single uninformed employee who takes the bait of a phishing email to compromise organization’s cyber security.

Hint: Deploy Information Security Awareness Program that goes around the year and keep it up-to-date with the latest threat trends, accompanied with phishing simulation solution.

2- Human Errors

Human errors of regular IT users are always a threat. However, the bigger threat are the errors done by IT administrators! Lack of knowledge, sometimes lack of focus leads to configuration errors that leaves some doors open for hackers.

Hint: Adapt a framework or a standard that organizes change, event, problem and incident management, such as ISO 27001, ISO 20000 or ITIL.

3- Malware

Successful malware attacks such as ransomware, viruses, worms, and trojans are always a threat to cyber security and a reason behind security breaches.

Hint: Train your staff on how to deal with malware attacks and apply endpoint security best practices.

4- Stolen Devices

Laptops and mobile devices that are sometimes stolen during commuting or traveling pose a significant risk that should be handled by risk management.

Hint: Raising awareness and applying mobile devices encryption.

5- Disgruntled workers

Dissatisfied employees and third-party contractors with bad intentions.

Hint: Deploy proper employee termination, segregation of duties, and vendor management processes.

6- Lack of Funds

Low cyber security budget is a problem on its own for some organizations. While other organizations fall in the trap of “budget maldistribution”, where most of the budget goes for sophisticated security software and hardware appliances while employees information security awareness and training are neglected; Big Mistake!

Hint: If there is no way to increase cyber security budget, existing budget should at least be distributed properly.

What will Security Awareness and Training add?

Cyber security awareness and training provides the following benefits:

1-  Hardening the Last Layer of Defense

Employees are the last layer of defense, and in some case they are the first layer, depending on the nature of the attack. Yet, they are the weakest link in the cyber security chain, this has become a universal truth. A well implemented and maintained cyber security awareness program will insure hardening this link and empowering a stronger network.

2- Compliance Requirement

All major information security standards and frameworks such as ISO/IEC 27001 requires an information security awareness program to be in place.

3- Adapt with the Continuously Changing Threats

The complexity of threats and attacks is increasing every day. Cyber security units needs to keep up and more importantly, cyber security awareness units needs to keep all users informed about the latest threats and cyber attacks trends.

4- Increase Engagement

Does your organization have an information security handbook containing all your information security policies? Is it updated and distributed to users on regular basis? If so, how many of them do actually read it, understand it and become familiar with its content?

With awareness things are different. Running cyber security awareness campaigns all over the year and on various channels will create a culture of security within the organization and engage employees in information security practices.

Cyber Security Awareness Topics

Importance of cyber security awareness topics varies from one organization to another. Each organization has its own priorities. Yet, it is always recommended to work holistically on covering all topics when implementing a cyber security awareness program. The major topics that should be covered in an information security awareness program:

1- Physical Security

Physical security is a sub-domain of information security that goes beyond IT to address issues related to entrance points, locked doors, drawers, cabinets, desks, as well as desktops, laptops and mobile devices security. Users should be aware and able to deal with physical security threats of all kinds.

2- Data Security

Cyber security is all about protecting information assets, right? Educating users on how to handle data security should be a major topic in any cyber security awareness program.

3- Print Security

Whether in hard copies or in soft copies, information needs to be secured. Print security is one of the many topics address in information security awareness program.

In addition to making users aware of concepts of secure printing, there are plenty of built-in and third-party printing solution that can be of great use in implementing secure printing policies.

4- Network and Wireless Security

Given the insecure nature of wireless networks, enterprises counts on employees awareness to better harden this area. An organization owned laptop or other mobile device, has at least 10 wireless networks SSID stored. SSID’s of office, home, airport, hotel, coffee shop…etc. Sniffing can occur on any wireless network jeopardizing the organization information assets. Hence, wireless network security awareness.

On the other hand, with sophisticated wired network security solutions, organizations might reach a significant level of security. Yet, awareness is always needed to harden the weakest link.

5- Data Destruction

Security doesn’t stop when you stop using a certain device. If a device still got your data, security policies will still apply, even if the device is not used any more. And if the device is to be disposed, it must be disposed securely. Cyber security awareness programs should cover topics on how to get rid of old devices in a secure manner.

6- Password Security

Password security is one of the most challenging domains in cyber security awareness. A lot of resistance is found here, users hate to be forced to remember new passwords and have a difficulty creating new passwords that meet complexity requirements.

Luckily, there is a solution: CIATEC’s information security awareness program helps users get over this.

7- Phishing and Email Security

Phishing attacks are getting serious. 9 out of 10 phishing attacks are now ransomware, and pseudo ransomware is a new trend. Pseudo ransomware attacks are here to make users pay a ransome for data that is not even encrypted!

Training on how to avoid phishing scams and what to do in the event of an attack is a high priority in cyber security awareness program. Phishing awareness and training cycle goes through four steps: Asses, Educate, Phish, Get results, and REPEAT. Phishing awareness, like any other cyber security awareness component, is a continuous cycle.

For more info about phishing awareness: ciatec.com/phishing

8- Malware

Users in any business industry, size, or even home users should have the ability to identify a malware attack when they see one. It is also important that users identify the malware type (virus, trojan, worm, adware, spyware, ransomware…). But what’s more important is to know how to act in the event of malware infection. A good cyber security awareness program should provide this know how.

9- Mobile Devices Security

Mobile devices, whether personal or corporate owned, holds information assets that must be protected. Mobile devices security is a serious topic that should be addressed thoroughly in a corporate cyber security awareness program.

10- Browser Security

Training users on how to check URLs and ssl encrypted site (i.e.,https), keeping browsers up-to-date, minimal plugin usage, and scan any downloaded files are basic browser security awareness material.

Cyber Security is everyone’s responsibility.

Cyber Security Awareness Channels

Communicating the information is as important as the information itself. What fits one organization, may not necessarily fit another. Communicating cyber security awareness material to the right audience and using the right channels is what an awareness program is all about. Here is a list of the most commonly used cyber security awareness channels.

Educational Videos

Videos are one of the most effective learning material. CIATEC provides cyber security awareness videos hosted on CIATEC’s servers or on client’s portal. Like all cyber security awareness material, videos are continuously updated to keep up with the latest cyber security awareness trends as well as latest animation trends.

Billboard or Roll-up Banners

A roll-up banner in a meeting room, in the lobby, or any other public space will help raising cyber security awareness without an effort.

Screen Posters

Same as roll-up banners, displaying cyber security awareness material on screens if available in public places will help raising cyber security awareness by targeting all staff.

Email Posters and Newsletters

Email posters and newsletter is another channel, that can become handy when trying to address specific topics in cyber security awareness program. Especially, when presented as an element of a bigger campaign.

Gaming material

This has also proved to be one of the most effective techniques to pass the awareness message in atmosphere of fun and entertainment. Whether a simple cross-words puzzle or matching gaming, or much more sophisticated information security gaming material, it all helps to easily relay the information to users.

Educational Magazine

Educational magazines, whether as e-magazine, email newsletter or a paperback. When published and distributed on regular basis it will keep users informed of the latest security trends and how to avoid breaches.

Information Security Courses, Workshops, and Quizzes

Old fashion class room training courses, and online courses are always a good channel to reach out to employees. In training, it is advised to group employees based on trades or departments. This way the trainer can address specific security topic that may be associated with the audience trade.

Training should also be followed by a quiz to measure cyber security awareness and training effectiveness.

Phishing Simulations

Proven to be one of the most effective ways to identify points of weakness against phishing attacks. Phishing simulations awareness campaigns, as part of overall cyber security awareness program, use hundreds of templates and provides accurate reports identifying:

This way, information security team can identify and educate employees accordingly. Contact us here to start a phishing awareness campaign.

Dedicated Information Security Portal and Mobile App

A dedicated information security web portal will serve as a reference for all users in all information security matters within the organization and will help keeping users well informed. It may contain the below elements:

A dedicated cyber security awareness mobile app is even better. It will allow information security units to reach users on the go.

Hint: By combining our web and mobile enablement skills along with security awareness services, CIATEC can build your information security web portal and mobile app in no time!

Conclusion

Cyber security awareness is no longer an option. It is a significant layer of security that every IT-enabled organization must have.

CIATEC‘s cyber security awareness program is designed to help organizations of various sizes and industries to minimize the risk of data breaches. Contact us today to start building your own program.

The post Successful Cyber Security Awareness Program Elements appeared first on CIATEC.