In the cyber universe, there are few threats more prevalent, or more publicized, than phishing attacks. The first half of 2020 alone saw almost 150,000 reported attacks, and phishing was responsible for several of the year’s major breaches. Given that, it’s no surprise that phishing prevention usually plays a big role in organizational security awareness training. Anti-phishing courses and phishing simulation certainly play a crucial part, and it’s never been more important to ensure that users know how to recognize and respond to a potential phishing attack. However, the ubiquity of phishing threats and the amount of media coverage they get can overshadow other looming threats we should be looking out for, and that our information security programs should be covering.
In order for our security awareness programs to be as successful as possible, they need to mitigate every threat–not just the ones with top billing. Although phishing attacks are extremely common, there are other threats quickly catching up. The change in priorities and environment brought on by the shift to remote work last year highlighted several areas of weakness that may not be getting enough attention, including password security, network protection, safe web browsing, and general remote work best practices. So, while users may be incredibly adept at spotting phishes, they could be jeopardizing organizational security in a number of other areas without even knowing it.
Password security
Passwords and authentication are an easily overlooked area of security training simply because they’re so “simple.” Administrators commonly make the crucial mistake of assuming that their employees already understand how password security works. Unfortunately, the number of breaches over the past few years enabled by weak credentials would indicate otherwise. Infamously, the massive Equifax breach, which exposed the personal data of 143 million users, was partially caused by a username/password combo of “admin/admin.” The shift to work-from-home and the increased use of cloud services has also initiated credential-related hacking attempts; if there were ever a time to hone in on password security, it’s right now.
Network protection
Back when everyone still worked from an office, locked-down office networks and an on-site IT team could be counted on to bolster the organizational firewall. Home networks, on the other hand, throw an extra wild card into the mix. While employees may have been instructed how to set things up properly (assuming there were enough time and resources to do so), continued upkeep and proper usage aren’t a given. Many of the habits that ensure secure networks, such as installing updates, need to be repeated often; regular network security training is an effective way to keep best practices top of mind and encourage formation of those habits.
Web browsing
The web has always posed a significant risk to security, from malicious ads infected with malware to fake web pages used to harvest credit card information. Add to that a home/work environment with less oversight and fewer organizational controls, and browsing the web may be even more of a risk than it was before. Even if users theoretically understand the basics of web security and what warning signs to watch out for, the distraction of remote work could cause an inadvertent slipup. Beyond that, the threat landscape in this area is constantly shifting and becoming more sophisticated, putting even the most knowledgeable users at risk.
Remote work security
Again, remote work introduces a plethora of new security threats that simply weren’t an issue before. The fact that work is suddenly intermingled with kids, remote schooling, even visitors to the house means that employees need to work harder than they would at the office to maintain a secure, separated work environment. Devices are more likely to get lost, damaged, or stolen, sensitive documents can get picked up or misplaced, and conversations may be overheard by people who shouldn’t be hearing them. In general, organizational privacy is a lot more difficult to maintain. If employees haven’t been trained on how to protect their data and devices at home, they need to be, before a major breach occurs.
Achieving security awareness in all these areas might seem like a difficult task, especially if it means pivoting from a phishing-centric program to a more holistic one. Thankfully, it doesn’t need to be. General security awareness courses are specifically designed to train users across all aspects of security, while being mindful of employees’ time constraints and attention spans. If you haven’t considered general security awareness training, there has never been a better time.
About the author
Larry Cates is the President and CEO of Global Learning Systems, a leading provider of enterprise security awareness and compliance training solutions to Fortune 1000 clients. Working directly with senior-level executives and security officers, Mr. Cates advises and consults on the design and implementation of client-tailored continuous learning and behavior management programs to address key security concerns and prevent security breaches related to inappropriate user actions.. Mr. Cates and the GLS team are actively developing new solutions and capabilities that promote an organizational security culture through user assessments, security metrics and goals tracking, as well as game-based learning, behavioral analytics tools and just-in-time targeted user training.