But in one small company where everyone knew everyone, this scenario did not raise any red flags.
But something was very, very wrong.
Those new payment details belonged to a criminal gang. And the email didn’t come from the CFO. This was the final step in a clever phishing scam known as CEO fraud, and it cost the company thousands.
The crooks had gained access to the CFO’s email account, intercepted a message, and changed information to redirect a payment.
As is usually the case with cybercrime, it was simply a human error that opened the door to the crooks.
No one knew to look for the warning signs that something wasn’t right. And there was no policy that required everyone to confirm payment requests in person when details have to be changed.
This was an example of business email compromise and financial fraud. But every day the criminals are after more than just your money. Your business data is just as valuable to them, and they’ll go to great efforts to get hold of it.
Small and medium-sized organizations are the most likely targets for all kinds of cyber attacks—not just phishing scams like this one. That’s because cyber criminals know that these companies are likely to have weaker security measures in place and may not have cybersecurity awareness training for their entire team.
The crooks know that your people are the weakest link in your security chain. Not because they’d do anything malicious, but because they’re only human. Without cybersecurity awareness training, they simply don’t know the risks to look out for or what they can do to keep your organization safe. In fact, about 75% of the breaches analyzed in the 2023 Verizon Data Breach Investigations Report involved a human element (things like falling for phishing or business email compromise, etc.).
That’s why good cybersecurity awareness training—for everyone in your organization—is vital.
Here’s where to start.
Find your baseline
Your cybersecurity awareness training sessions don’t need to take a long time. But they need to be prepped properly.
Start by working out what your people’s awareness levels currently are and where you’re exposed to security threats. It’s an important part of the process and may open your eyes to some surprisingly risky behavior.
You need to find the baseline level of staff cybersecurity knowledge—some people may be starting from zero. And if you’re aware that your own knowledge has gaps, this is the point to seek some professional help.
Examine the way everyone works to understand which risky behaviors are a threat to your organization. There are countless kinds of cyber attacks to protect against, so you need to be systematic in your approach. Look at:
• Emails, communications, and file sharing
• Log-in behavior
• Attitudes to policies around data protection and information handling
• General awareness of cyber threats
• …and more
Every organization is different, so you should create your own priorities according to your needs.
Observe their behavior rather than simply assuming that policies are being followed. That will give you the best idea of where your vulnerabilities lie, which can then give shape to your training sessions.
Assess the risks and prioritize your cybersecurity awareness training needs
When you’ve taken the time to observe and understand your people’s current security behaviors, you’ll need to look at the most pressing risks you face.
There are security threats on many fronts. Prioritize training on the most immediate weaknesses, dealing with any obvious knowledge gaps first.
Risk assess your current systems, your network, and your digital assets (contact our team to learn more about a risk assessment). Look also at who has access to what information and why.
Re-assess as you go
If you’re dealing with sensitive data of any kind, take this opportunity to look at your wider policies alongside your cybersecurity awareness training plan. For example, if you don’t currently have identity and access management protocols, it may be time to add this to your security program. This means that only people who need access to sensitive information are able to access it at all—everyone else is locked out. More on policies later.
These assessments will help you to create a training program that is tailored to the right people and pitched at the right level according to their roles and responsibilities.
For example, a warehouse fulfillment team may have access to private customer address information. That requires a different security awareness than an HR manager with access to sensitive staff health records.
Create your cybersecurity awareness training plan
Once you’ve got to grips with the needs of your different employees and the wider organization, match them with the resources available to you to create a training plan.
Lay out your objectives—the skills and knowledge you need to develop—as well as the attitudes and behaviors that you need to see at work.
Then break each objective down into topics or modules. For example, there may be a module on phishing emails, and one on data classification (where your data is grouped according to how sensitive it is—staff sickness records, customer financial information, sales process documents).
Sessions can be online or in-house and, where possible, training should be interactive and hands-on to help people retain information. Reading a guide or completing a workbook alone is unlikely to help someone understand and retain what they’ve learned.
But while the cybersecurity awareness training should be as enjoyable as possible, the subject is a serious one.
So always reinforce the fact that the consequences of any data falling into criminal hands can be disastrous for your organization, and explain why you need their support. We all make mistakes. Ensure your team knows you will understand, they won’t be punished, and that the sooner you can find and stop a potential incident, the less damage it will do to your organization.
Everyone should understand exactly why training is being introduced, the range of threats faced by the organization, the desired outcomes, and the benefits of strong cybersecurity.
You may plan to carry out some or all of the training yourself, but more likely you’ll bring in outside expertise. This will save you a lot of time and reassure you that everything is being covered and that training materials are up to date. The training provider should work with you beforehand to cover everything you identified in your risk assessment and to suggest any additions.
Remember that cybersecurity awareness training should include everyone in the organization, so it should become part of your employee onboarding package, as well as part of the transition process when people change roles.
If you have an IT-managed services provider (like us!) they may offer this type of training (we do) and will already have some familiarity with your systems.
If you don’t have an IT expert on hand, get in touch with us—we can help.
Put it to the test
When you’ve invested time and money into training, you want to be sure that it’s doing its job.
Periodic written tests and quizzes are good, but a really effective way of finding out if your people can put their cybersecurity awareness training to use it with a simulated phishing attack. We can help you do this, or you can do it yourself.
A simple phishing simulation might just involve sending everyone an email with the aim of tricking them into taking action. It could invite them to click a link for a gift card as thanks for their hard work or ask them to reconfirm their login details.
You can see who takes the bait and who uses their training to spot the scam and take the required action.
Other methods of training and testing include interactive phishing training with online applications, and even testing that takes the form of a game to make it more engaging and interactive.
Think of it like a fire drill. The key is not to warn your team a test is coming. You don’t want them to be on guard. For those who don’t pass the test, further training may be necessary.
Create new policies
If you don’t already have a cybersecurity policy that sets out your expectations, it’s time to create one.
Your policy should be detailed, but easy to understand. Describe the security controls you have in place and the threats they address. Include who is responsible for maintaining them, how incidents should be reported, and the people to contact if they have any concerns. Ensure you create a supportive culture where employees are praised for quickly reporting suspicious activity or admitting they accidentally fell victim to a phishing campaign or clicked a malicious link. Fast reporting means fast containment, and this can dramatically reduce the financial and reputational damage from a security incident.
Highlight your expectation that your people should use your security measures, follow protocols, and use best practices at all times.
Include a remote access policy, acceptable internet use policy, and information about how updates are managed.
You may also consider a section on personal devices being used for work purposes and how they should remain secured to protect company data.
Most people on your team will take protecting the company and its data seriously. Good cybersecurity awareness training will help ensure that everyone recognizes the damage a cybersecurity incident can cause and helps train your team to be a first line of defense against cyberattacks.
Cybersecurity awareness training is never a set-and-forget thing. New scams and security issues arrive all the time, so keeping your people aware of the things they should be looking out for is crucial.
Plan for monthly, quarterly, or six-monthly refresher sessions for everyone (your frequency can depend on the data security and regulatory requirements for your organization and industry), from your apprentices to the people at the very top. This will ensure everyone has the most up-to-date cybersecurity knowledge while also, once again, reinforcing the ongoing seriousness of the threat.
Between sessions, keep everyone updated on the latest cybersecurity news. Share news stories of big data breaches, new malware and scams, and even insights on the security measures you use. You can set up news alerts or take a weekly scan through tech news sites—it’s extremely worthwhile.
Creating your cybersecurity awareness training plan is something that takes time and a fair amount of effort. But, done right, it plugs one of the biggest security holes in any business—human error.
A good IT support expert can help make the whole process run smoothly from first thoughts to routine refresher training.
If you’d like to know more about how we can handle cybersecurity awareness training or Managed IT Support services for your employees, get in touch.