Why do companies need phishing training and awareness solution for their employees? – In today’s world, 85% of IT security breaches are attributed to successful phishing and social engineering attacks targeting the weakest link in the cyber security chain (aka, employees)!
And this year 9 out of 10 phishing attempts are ransomware attacks that encrypts your data and won’t release it unless a ransom is paid.
And no matter how big the investment in high-tech security solutions is, the number of breaches from phishing and complicated social engineering attacks continue to rise bypassing all network security defenses and often making its way into users mailboxes. Luckily, Phishmark is here to reduce this risk, especially when implemented as part of a comprehensive information security awareness program.

What is Phishmark?

PhishMark is an affordable phishing simulation framework that allows information security staff to schedule and launch phishing simulation campaigns utilizing a variety of ready-made email templates. Campaign results will identify, in-real time, the users who took the bait, and provide awareness material on the spot by redirecting them into a pre-designed educational landing page. Statistical reports will provide top management with an overview of the current status and the progress of users in identifying and reporting phishing attacks and adapting safe habits.

Phishing Training for Employees – Life Cycle

Once-a-year security awareness and training session is one way of doing things, yet, it is not enough! You need an on-going solution that meets the trends and can point out the weakest link so you can harden it.
CIATEC’s PhishMark is the solution you need to empower “the human firewall“!

Phishmark is a phishing training and awareness solution for employees that goes around the year running simulations to cover every angle a hacker might use to get into a company’s network through phishing and social engineering attacks. We follow the below steps:

1. Baseline: The first step is to establish baseline by running an initial campaign.
2. Train: Provide awareness material based on the results of the first campaign.
3. Phish: Run new phishing campaign.
4. Analyze: Analyze the results and measure the progress.

It is important to note that Phishmark is proven to provide better results when integrated with Ciatec’s information security awareness program.

PhishMark – Phishing Training Main Features

Dashboard

PhishMark will show a dashboard for all campaigns as well as separate dashboard for every single campaign. The dashboard will show:

1. Number of phishing simulation emails “or baits” successfully delivered.
2. Number of employees that opened the simulation phishing email.
3. Percentage of employees that actually took the bait, i.e.; clicked the link.
4. Number of users who actually submitted data to the pretend hacker.
5. And finally, the information security specialist running the simulation will be able to count the number of employees that actually reported the threat.

Email Templates

Administrator will be able to create his own email templates that fits his organization. Or use ready-made email templates covering many domains and season, including: Banking, social media, eCommerce and many more.

Grouping Users

The solution allows creation of target groups. Useful for targeting every department with a separate phishing campaign.

Landing Pages

Employees who fall victims for phishing campaigns will be redirected to a previously designed landing page similar to the below. Administrator is free to use ready-made phishing awareness landing pages provided by PhishMark, or upload his/her own.

Questions?

Ask us on ask@ciatec.com or contact us today to start using PhishMark to Phish and Mark employees that need further training and awareness on phishing and social engineering.

The post Meet PhishMark: Phishing Training & Awareness Solution from CIATEC appeared first on CIATEC.

Lack of cyber security awareness training and accountability tops the list of causes of information security breaches. According to Gartner, spending on information security products and services reached a value of $114 billion US dollars in 2018, with an increase of 12.4 percent from 2017. On the other hand, the average total cost of a data breach in 2017 was $3.62 million according to IBM and Ponemon Institute. And 2019 forecasts are not any better. When you dig deeper in the studies, you realize that a high percentage of data breaches surprisingly took place in organizations of high IT security budget. And while some attacks could be traced back to disgruntled workers, a great deal of other attacks are simply a result of actions done by naive and non-harmful employees that simply weren’t well informed.

Over the past years, IT became the main enabler of almost every business. And security has always been a major concern. Implementing a security awareness program has become a must for an organization, regardless of it’s size, industry, or location.

• Main causes of Cyber Security Breaches
• Importance of Cyber Security Awareness and Training
• Cyber Security Awareness Topics
• Cyber Security Awareness Channels

Top Reasons of Cyber Security Breaches

1- Uninformed Employees

Uninformed, naive and non-harmful employees lacking information security awareness and training tops the list of causes. Our experience taught us that technology alone cannot completely secure IT environments, there will always be the human factor involved, whether within IT department side or at end users side. Unfortunately, human brain cannot be patched same as a computer! It can only be nourished by knowledge, training and awareness material.

It only takes one single uninformed employee who takes the bait of a phishing email to compromise organization’s cyber security.

Hint: Deploy Information Security Awareness Program that goes around the year and keep it up-to-date with the latest threat trends, accompanied with phishing simulation solution.

2- Human Errors

Human errors of regular IT users are always a threat. However, the bigger threat are the errors done by IT administrators! Lack of knowledge, sometimes lack of focus leads to configuration errors that leaves some doors open for hackers.

Hint: Adapt a framework or a standard that organizes change, event, problem and incident management, such as ISO 27001, ISO 20000 or ITIL.

3- Malware

Successful malware attacks such as ransomware, viruses, worms, and trojans are always a threat to cyber security and a reason behind security breaches.

Hint: Train your staff on how to deal with malware attacks and apply endpoint security best practices.

4- Stolen Devices

Laptops and mobile devices that are sometimes stolen during commuting or traveling pose a significant risk that should be handled by risk management.

Hint: Raising awareness and applying mobile devices encryption.

5- Disgruntled workers

Dissatisfied employees and third-party contractors with bad intentions.

Hint: Deploy proper employee termination, segregation of duties, and vendor management processes.

6- Lack of Funds

Low cyber security budget is a problem on its own for some organizations. While other organizations fall in the trap of “budget maldistribution”, where most of the budget goes for sophisticated security software and hardware appliances while employees information security awareness and training are neglected; Big Mistake!

Hint: If there is no way to increase cyber security budget, existing budget should at least be distributed properly.

What will Security Awareness and Training add?

Cyber security awareness and training provides the following benefits:

1-  Hardening the Last Layer of Defense

Employees are the last layer of defense, and in some case they are the first layer, depending on the nature of the attack. Yet, they are the weakest link in the cyber security chain, this has become a universal truth. A well implemented and maintained cyber security awareness program will insure hardening this link and empowering a stronger network.

2- Compliance Requirement

All major information security standards and frameworks such as ISO/IEC 27001 requires an information security awareness program to be in place.

3- Adapt with the Continuously Changing Threats

The complexity of threats and attacks is increasing every day. Cyber security units needs to keep up and more importantly, cyber security awareness units needs to keep all users informed about the latest threats and cyber attacks trends.

4- Increase Engagement

Does your organization have an information security handbook containing all your information security policies? Is it updated and distributed to users on regular basis? If so, how many of them do actually read it, understand it and become familiar with its content?

With awareness things are different. Running cyber security awareness campaigns all over the year and on various channels will create a culture of security within the organization and engage employees in information security practices.

Cyber Security Awareness Topics

Importance of cyber security awareness topics varies from one organization to another. Each organization has its own priorities. Yet, it is always recommended to work holistically on covering all topics when implementing a cyber security awareness program. The major topics that should be covered in an information security awareness program:

1- Physical Security

Physical security is a sub-domain of information security that goes beyond IT to address issues related to entrance points, locked doors, drawers, cabinets, desks, as well as desktops, laptops and mobile devices security. Users should be aware and able to deal with physical security threats of all kinds.

2- Data Security

Cyber security is all about protecting information assets, right? Educating users on how to handle data security should be a major topic in any cyber security awareness program.

3- Print Security

Whether in hard copies or in soft copies, information needs to be secured. Print security is one of the many topics address in information security awareness program.

In addition to making users aware of concepts of secure printing, there are plenty of built-in and third-party printing solution that can be of great use in implementing secure printing policies.

4- Network and Wireless Security

Given the insecure nature of wireless networks, enterprises counts on employees awareness to better harden this area. An organization owned laptop or other mobile device, has at least 10 wireless networks SSID stored. SSID’s of office, home, airport, hotel, coffee shop…etc. Sniffing can occur on any wireless network jeopardizing the organization information assets. Hence, wireless network security awareness.

On the other hand, with sophisticated wired network security solutions, organizations might reach a significant level of security. Yet, awareness is always needed to harden the weakest link.

5- Data Destruction

Security doesn’t stop when you stop using a certain device. If a device still got your data, security policies will still apply, even if the device is not used any more. And if the device is to be disposed, it must be disposed securely. Cyber security awareness programs should cover topics on how to get rid of old devices in a secure manner.

6- Password Security

Password security is one of the most challenging domains in cyber security awareness. A lot of resistance is found here, users hate to be forced to remember new passwords and have a difficulty creating new passwords that meet complexity requirements.

Luckily, there is a solution: CIATEC’s information security awareness program helps users get over this.

7- Phishing and Email Security

Phishing attacks are getting serious. 9 out of 10 phishing attacks are now ransomware, and pseudo ransomware is a new trend. Pseudo ransomware attacks are here to make users pay a ransome for data that is not even encrypted!

Training on how to avoid phishing scams and what to do in the event of an attack is a high priority in cyber security awareness program. Phishing awareness and training cycle goes through four steps: Asses, Educate, Phish, Get results, and REPEAT. Phishing awareness, like any other cyber security awareness component, is a continuous cycle.

For more info about phishing awareness: ciatec.com/phishing

8- Malware

Users in any business industry, size, or even home users should have the ability to identify a malware attack when they see one. It is also important that users identify the malware type (virus, trojan, worm, adware, spyware, ransomware…). But what’s more important is to know how to act in the event of malware infection. A good cyber security awareness program should provide this know how.

9- Mobile Devices Security

Mobile devices, whether personal or corporate owned, holds information assets that must be protected. Mobile devices security is a serious topic that should be addressed thoroughly in a corporate cyber security awareness program.

10- Browser Security

Training users on how to check URLs and ssl encrypted site (i.e.,https), keeping browsers up-to-date, minimal plugin usage, and scan any downloaded files are basic browser security awareness material.

Cyber Security is everyone’s responsibility.

Cyber Security Awareness Channels

Communicating the information is as important as the information itself. What fits one organization, may not necessarily fit another. Communicating cyber security awareness material to the right audience and using the right channels is what an awareness program is all about. Here is a list of the most commonly used cyber security awareness channels.

Educational Videos

Videos are one of the most effective learning material. CIATEC provides cyber security awareness videos hosted on CIATEC’s servers or on client’s portal. Like all cyber security awareness material, videos are continuously updated to keep up with the latest cyber security awareness trends as well as latest animation trends.

Billboard or Roll-up Banners

A roll-up banner in a meeting room, in the lobby, or any other public space will help raising cyber security awareness without an effort.

Screen Posters

Same as roll-up banners, displaying cyber security awareness material on screens if available in public places will help raising cyber security awareness by targeting all staff.

Email Posters and Newsletters

Email posters and newsletter is another channel, that can become handy when trying to address specific topics in cyber security awareness program. Especially, when presented as an element of a bigger campaign.

Gaming material

This has also proved to be one of the most effective techniques to pass the awareness message in atmosphere of fun and entertainment. Whether a simple cross-words puzzle or matching gaming, or much more sophisticated information security gaming material, it all helps to easily relay the information to users.

Educational Magazine

Educational magazines, whether as e-magazine, email newsletter or a paperback. When published and distributed on regular basis it will keep users informed of the latest security trends and how to avoid breaches.

Information Security Courses, Workshops, and Quizzes

Old fashion class room training courses, and online courses are always a good channel to reach out to employees. In training, it is advised to group employees based on trades or departments. This way the trainer can address specific security topic that may be associated with the audience trade.

Training should also be followed by a quiz to measure cyber security awareness and training effectiveness.

Phishing Simulations

Proven to be one of the most effective ways to identify points of weakness against phishing attacks. Phishing simulations awareness campaigns, as part of overall cyber security awareness program, use hundreds of templates and provides accurate reports identifying:

This way, information security team can identify and educate employees accordingly. Contact us here to start a phishing awareness campaign.

Dedicated Information Security Portal and Mobile App

A dedicated information security web portal will serve as a reference for all users in all information security matters within the organization and will help keeping users well informed. It may contain the below elements:

A dedicated cyber security awareness mobile app is even better. It will allow information security units to reach users on the go.

Hint: By combining our web and mobile enablement skills along with security awareness services, CIATEC can build your information security web portal and mobile app in no time!

Conclusion

Cyber security awareness is no longer an option. It is a significant layer of security that every IT-enabled organization must have.

CIATEC‘s cyber security awareness program is designed to help organizations of various sizes and industries to minimize the risk of data breaches. Contact us today to start building your own program.

The post Successful Cyber Security Awareness Program Elements appeared first on CIATEC.