Knowledge Base: Cybersecurity - Lex Mundi Core Standards and Recommended Practices

User Awareness / behavior change

Ensuring your users are aware of phishing threats and social engineering schemes designed to bypass security can save your firm millions.

A nightmare scenario with costs in the millions

DLA Piper: "A full day without phones. Six days without email. Nearly two weeks without complete access to older email and other documents. According to insurance brokers, the total direct and indirect costs associated with the attack on DLA Piper could be in the millions."

https://blog.barkly.com/dla-piper-petya-ransomware-attack 

Why awareness training is so important

"Some of the most-significant threats to any security program are social engineering and phishing, which are designed to bypass even the best technology based controls. Social engineering is when a hacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. Phishing is a form of social engineering where the attackers use e-mail or malicious websites to solicit personal information by posing as a trustworthy organization. The most effective, and often only, defense is end-user awareness."

Scott M. Angelo, "What Does It Take to Survive a Breach in Today's High-Risk World? When Your Prevention Fails (and It's Going to Fail), What Do You Do?", Journal of Technology Law & Policy, Volume XIV, Spring 2014: https://tlp.law.pitt.edu/ojs/index.php/tlp/article/download/145/156

Awareness training vendors

From Gartner, "Magic Quadrant for Security Awareness Computer-Based Training", published 26 October 2017, ID G00319169.

Analyst(s): Joanna G. Huisman

Market Trends

As products within this market mature, each vendor seeks to differentiate its products and services in a variety of ways. In recent years, many vendors sought to distinguish themselves by adding anti-phishing behavior management capabilities to their product sets. This has now become less of a differentiator, because the vast majority of vendors have now incorporated that functionality or have very well-established partnerships with anti-phishing behavior management vendors. As outlined below, content is now king.

Vendor differentiators in 2016 and 2017 include:

  • Variety of content formats, lengths and styles: Content is the most prominent differentiator now. Many clients and vendors recognize that their security training cannot be effective if approached with a "one size fits all" mentality. As such, they are developing content of different lengths, such as short-burst one- to two-minute microlearning lessons, and in different styles — for instance, ranging from extremely corporate-friendly and "safe" to more edgy styles using humor. This allows audiences to potentially receive the same information in multiple forms, thereby increasing the possibility for information absorption. Customization of content also addresses the needs of particular roles or audiences. For instance, training for call center employees should be different from the training aimed at executives (see "Segment Your Audience for Effective Security Awareness Communications" ).
  • Gamification: Some vendors include a focus on gamification. This is broader than just including games as learning tools. In this context, "gamification" includes the establishment of multidepartment leaderboards so that departments are ranked against each other in various ways. Some vendors that provide gamification as an option are also thinking differently about reward and recognition options for those users that exhibit heightened security behaviors.
  • Multilanguage support: Most long-standing vendors offer support for all major language groups. However, many vendors are now distinguishing themselves by offering out-of-the-box language support for 20 or more languages, and some offer more than 50 languages, including cultural variants/dialects of languages. However, Gartner recommends that organizations verify the accuracy of languages with their own in-country personnel before deploying pretranslated materials.
  • Large supplemental content libraries: In recognizing that security and risk management leaders are not full-time content writers, graphic designers or marketing experts, many security awareness CBT vendors offer large libraries of predesigned content to serve as additional/supplemental campaign artifacts or for ad hoc communications. These can include materials for newsletters, intranet postings, emails, security alerts, security information for families and so on.
  • Integration partnerships and possibilities: Some vendors are also exploring interesting partnerships with core security technology vendors, such as employee monitoring vendors, endpoint detection and response (EDR) vendors, endpoint protection platform (EPP) vendors, secure email gateway (SEG) vendors, data security (DS) vendors and others. The goal of such partnerships is to be able to leverage any real-time data generated or collected by core technologies, as well as log data to provide just-in-time learning based on observed unsecure behavior exhibited by an employee. Additionally, when unsecure or risky behavior is logged, the behavior could trigger autoenrollment into a contextually relevant training module. This is a natural evolution of the anti-phishing behavior management market. The aim is to create observed and individualized behavior-based training that is specifically relevant to the learner. This is an emerging area that Gartner will continue to track.
  • Competitive pricing: Price is currently the biggest disruptor in the market. As a result, most of the vendors in this space offer some free CBT or internal marketing materials. Vendor PhishMe introduced PhishMe Free, aimed at small and midsize businesses (SMBs), with 12 no-cost anti-phishing campaigns per year coupled with free CBT content; while KnowBe4 has published competitive prices on its website for up to 5,000 users. A number of vendors have adjusted pricing downward in an attempt to differentiate on price and to seek a large share of the SMB market that will not tolerate traditional pricing for products in this market.

Source: https://www.gartner.com/doc/reprints?id=1-4IWCWMH&ct=171020&st=sb

Cyber security - posters (letter-sized)

One of the vendors, VinciWorks, has made the attached set of posters available in a .pdf.

They cover:

  • Forms of phishing
  • Password protected
  • Do's and don'ts
  • Cyber Attack Types & Motives
  • Social Engineering

Email - Social Engineering Red Flags (from KnowBe4)

For more, see https://www.knowbe4.com/what-is-social-engineering/

KnowBe4 Recommends "you print these out, they are great at-desk reminders!"

Phishing simulation - user testing and awareness

research from the Ponemon Institute. Telecom provider Verizon reported, in its 2015 Data Breach Investigations Report, that 23 percent of recipients of phishing emails open them. To make matters worse, 11 percent open them and also click on the malicious attachment.

InfoSec Institute president Jack Koziol says that employee awareness retention rates almost double 12 months after a simulation program is implemented, to 40% from 20%.

Simulated phishing attack training yields up to a 37 percent return

Phishing simulation training is "one of the premiere examples of what security training should look like" but "comprehensive, ongoing simulation-based security training is rare," a senior director of technology analysis at the Computing Technology Industry Association told CSO Online.

Source: https://www.forbes.com/sites/lisabrownlee/2015/10/07/security-simulated-phishing-attacks-yield-37-percent-return-on-investment/#131e1f772241 

Tips and tricks for individuals - public Wi-Fi

A few best-practice tips to help you keep your internet connection secure on public Wi-Fi (or at least make you aware, or remind you, when it is not):

1. Monitor your saved Wi-Fi networks closely, and manage them regularly;

2. Delete (“Forget”) unnecessary or infrequently used networks;

3. Do not grant Auto Connect permissions to a public Wi-Fi network, and regularly check the networks in your history to confirm that Auto Connect is not enabled; and

4. Enable the Wi-Fi notifications feature that informs you when Wi-Fi is available or connected.

Source: with thanks to Bass, Berry & Sims, https://www.bassberry.com/news/privacy-perils-i-spy-your-wi-fi/
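Tip 3 is the one that can be checked from a terminal rather than by eye. The following is an added example (this page's own, not code from the Bass, Berry & Sims article): it audits the per-network XML that Windows writes with "netsh wlan export profile folder=<dir>" and flags any saved network that has Auto Connect turned on without real protection, printing the "netsh wlan" commands that switch the profile to manual or forget it. The three profiles embedded in the script are constructed samples in that XML format, and treating WEP the same as an open network is this example's own choice.

```python
"""Audit exported Windows Wi-Fi profiles for auto-connect on unprotected networks.

Added example for this page, not code from the cited article. Input is the
XML that `netsh wlan export profile folder=<dir>` writes, one file per saved
network; the SAMPLE_PROFILES below are constructed in that format.
"""
import xml.etree.ElementTree as ET

# Namespace used by every Windows WLAN profile document.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}


def audit_profile(xml_text: str) -> dict:
    """Return the profile's key settings plus findings and netsh fix commands."""
    root = ET.fromstring(xml_text.strip())
    name = root.findtext("w:name", default="?", namespaces=NS)
    mode = root.findtext("w:connectionMode", default="", namespaces=NS).lower()
    sec = "w:MSM/w:security/w:authEncryption/"
    auth = root.findtext(sec + "w:authentication", default="", namespaces=NS).lower()
    enc = root.findtext(sec + "w:encryption", default="", namespaces=NS).lower()

    # "open" means no authentication at all; WEP is trivially broken, so this
    # example (an assumption, not a Windows rule) treats it as unprotected too.
    unprotected = auth == "open" or enc in ("none", "wep")

    findings, fixes = [], []
    if unprotected and mode == "auto":
        findings.append("auto-connects to an unprotected network")
        fixes.append(f'netsh wlan set profileparameter name="{name}" connectionmode=manual')
    if unprotected:
        findings.append(f"no or weak protection ({auth}/{enc}); forget it unless needed")
        fixes.append(f'netsh wlan delete profile name="{name}"')
    return {"name": name, "mode": mode, "auth": auth, "enc": enc,
            "findings": findings, "fixes": fixes}


def audit_all(profiles):
    """Audit an iterable of profile XML strings; one report dict per profile."""
    return [audit_profile(p) for p in profiles]


def _profile(name, mode, auth, enc):
    """Build a minimal WLANProfile document (constructed sample data)."""
    return f"""
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


SAMPLE_PROFILES = [                      # constructed samples, not real exports
    _profile("CoffeeShop", "auto", "open", "none"),
    _profile("Office", "auto", "WPA2PSK", "AES"),
    _profile("Airport Free", "manual", "open", "none"),
]

if __name__ == "__main__":
    for r in audit_all(SAMPLE_PROFILES):
        print(f"{r['name']}: connectionMode={r['mode']}, {r['auth']}/{r['enc']}")
        for f in r["findings"]:
            print("  !", f)
        for cmd in r["fixes"]:
            print("   ", cmd)
```

On the laptop, run "netsh wlan export profile folder=C:\wifi-audit" and pass each exported file's contents to audit_profile(); "netsh wlan show profiles" alone gives the inventory of saved names if that is all you need for tips 1 and 2.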

Training videos

Cybersecurity tips (social engineering explained): https://vimeo.com/208530896 

Cybersecurity Tips 2, from Training @ Scentsy, on Vimeo.

From Safety in Canada - Public Safety Canada and portfolio partners' official YouTube channel.

  • What is Phishing? (3:08)
  • How to Know if a Website is Secure (3:16)
  • How to Create a Strong Password (3:31)
  • How cyber safe are you in the digital age? (1:46)
  • Easy Ways to Stay Safe on Public Wi-Fi (2:32)
  • Easy Ways to Stay Safe on Your Mobile (2:37)
  • Easy Ways to Stay Safe on Social Networks (3:14)

Note: Some videos available en français: https://www.youtube.com/user/SecuriteauCanada/videos 

Various free resources - The Security Awareness Co

"Anything you download from here is absolutely free, and you will never have to enter any sort of payment information! But please make sure that you take a look at the licensing rules."


Here are the resources:

Why user awareness is so important - From "Some Interesting Security Awareness Computer-Based Training Numbers" by Stu Sjouwerman

The Gartner Managing Vice President who covers the security awareness computer-based training market and manages this Magic Quadrant is Andrew Walls. He revealed some interesting numbers

Source (and more): https://blog.knowbe4.com/some-interesting-security-awareness-computer-based-training-numbers

Business Email Compromise (BEC) and how to prevent it

According to an alert published earlier this year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. 

Regardless of the method attackers use to perform a BEC scam, the following security measures can help to mitigate the risk (the source lists seven; five are reproduced here).

  1. Update your security awareness training content to include the BEC scenario. This should be a part of new hire training, but you should conduct ad-hoc training for this scenario now.
  2. Build BEC into your contingency plans, just as you have built ransomware and destructive malware into your incident response/business continuity planning.
  3. Work with your wire transfer application vendors to build in manual controls as well as multiple person authorizations to approve significant wire transfers.
  4. Monitor for exposed credentials. This is crucial for your finance department email, but it’s important for all user accounts. Multifactor authentication will also increase the difficulty for attackers to perform account takeovers.
  5. Conduct a review of your executives' digital footprints. You can start by using Google Alerts to track new web content related to them.

Source: Stu Sjouwerman, "Bad Guys Are Now Taking Over Email Inboxes Without Phishing Attacks", https://blog.knowbe4.com/heads-up-bad-guys-are-now-taking-over-email-inboxes-without-phishing-attacks
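The KnowBe4 red-flags poster referenced earlier and the BEC measures in this section both reduce to a handful of header and content checks that can be scripted and run over mail before it reaches the finance inbox. What follows is an added example (this page's own, not KnowBe4's or the FBI's logic): it scores a raw message for a lookalike sender domain, a Reply-To that diverts replies elsewhere, a staff display name on an external address, failed sender authentication, pressure language and payment requests. TRUSTED_DOMAINS, KNOWN_STAFF, the weights, the keyword lists and the three sample messages are all constructed assumptions. The second sample is the account-takeover case the source post describes: the mail comes from the real domain and passes SPF, DKIM and DMARC, so only the Reply-To and the bank-detail request give it away.

```python
"""Score a raw email for social-engineering / BEC red flags.

Added example for this page, not KnowBe4's or the FBI's own logic. Weights,
keyword lists and the three sample messages are constructed; TRUSTED_DOMAINS
and KNOWN_STAFF are assumed inputs a firm would fill from its directory.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-law.com"}     # assumption: the firm's own domain
KNOWN_STAFF = {"jane partner"}            # assumption: display names worth protecting

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|do not call|"
                     r"confidential|in a meeting)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank details|account number|iban|"
                     r"new account|invoice)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A lookalike is a different domain within one edit of a trusted one
    (a digit 1 for the letter l, say) or the same label under another TLD.
    """
    if not domain or domain in trusted:
        return None
    for t in trusted:
        same_label = domain.split(".")[0] == t.split(".")[0]
        if same_label or _edit_distance(domain, t) <= 1:
            return t
    return None


def red_flags(raw: str, trusted=TRUSTED_DOMAINS, staff=KNOWN_STAFF):
    """Return (score, [reasons]) for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    auth_results = str(msg.get("Authentication-Results", ""))

    flags = []                                  # (weight, reason)
    imitated = lookalike_of(from_dom, trusted)
    if imitated:
        flags.append((3, f"sender domain {from_dom} imitates {imitated}"))
    if reply_dom and reply_dom != from_dom:
        flags.append((3, f"Reply-To goes to {reply_dom}, not {from_dom}"))
    if display.lower() in staff and from_dom not in trusted:
        flags.append((2, f"display name '{display}' is staff but the address is external"))
    if re.search(r"\b(spf|dkim|dmarc)=fail", auth_results, re.I):
        flags.append((2, "sender authentication failed"))
    if URGENCY.search(text):
        flags.append((1, "urgency or pressure language"))
    if PAYMENT.search(text):
        flags.append((2, "payment or bank-detail request"))
    return sum(w for w, _ in flags), [why for _, why in flags]


# Constructed sample messages (not real mail).
LOOKALIKE = """\
From: "Jane Partner" <jane.partner@example-1aw.com>
Reply-To: jane.partner.ceo@webmail.example
To: accounts@example-law.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example-law.com; spf=pass; dkim=none
Content-Type: text/plain

I am in a meeting and cannot take calls. Please send the deposit today
to the new account below and confirm by reply.
"""

TAKEOVER = """\
From: "Jane Partner" <jane.partner@example-law.com>
To: accounts@example-law.com
Reply-To: jane.partner.ceo@webmail.example
Subject: Updated bank details for closing
Authentication-Results: mx.example-law.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Please use the new account number on the attached invoice for today's transfer.
"""

BENIGN = """\
From: "Jane Partner" <jane.partner@example-law.com>
To: accounts@example-law.com
Subject: Lunch on Thursday
Authentication-Results: mx.example-law.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Are you free Thursday at noon?
"""

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("takeover", TAKEOVER), ("benign", BENIGN)):
        score, why = red_flags(raw)
        print(f"{label}: score {score}", *why, sep="\n  ")
```

The scoring is deliberately crude: it is meant to feed a quarantine-and-call-back rule for the finance team (measure 3 above), not to replace a secure email gateway. Note what it does not do: a message from a genuinely compromised mailbox with no Reply-To and no money talk scores zero, which is exactly why out-of-band confirmation of any bank-detail change has to be a process control rather than a filter.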

Free online courses, from a list by Juan Manuel Harán, 22 May 2018: https://www.welivesecurity.com/2018/05/22/14-free-online-courses-computer-security/

Information Security: Context and Introduction

This six-week course will introduce you to the world of, and context around, information security. You will receive a brief introduction on topics such as cryptography and security management, both in networks and devices. In addition, you will learn about a number of concepts related to the world of information security.

  • Taught by: University of London
  • Language: English
  • Platform: Coursera

Network Security

This free online course, which is offered on Udacity by the Georgia Institute of Technology, aims to provide an introduction into network and computer security. It takes place over sixteen weeks and, after completing the course, the participants will have acquired basic skills in security research.

The course begins with an introduction into cryptography and security systems, before delving deeper into a wide range of security topics. The topics covered include network security, authentication, security protocol design and analysis, security modeling, trusted computing, program security, threat detection, detection and mitigation of DDoS, architecture and operation of security systems, security policies, web security, and others.

  • Taught by: Georgia Tech
  • Language: English
  • Platform: Udacity

Introduction to Cyber Security

Supported by the UK Government’s National Cyber Security Programme, the Open University of the United Kingdom offers this free online introductory course on cybersecurity.

This course aims to give users an opportunity to understand key issues related to online security, so that they can use technology more safely, both at home and at work.

It will delve into topics such as network security, cryptography, threat identification and risk management, types of threats, the use of passwords, two-factor authentication, threat detection, virtual private networks, and others.

  • Taught by: Open University
  • Language: English
  • Platform: Future Learn

Cyber Security for Small and Medium Enterprises: Identifying Threats and Preventing Attacks

In this course, you will learn what a cyberattack is and explore some of the most common threats faced by small and medium enterprises. The topics include the main threats posed and methods used by cybercriminals, the consequences of cyberattacks for small and medium enterprises, and preventive strategies and tools to protect your organization.

  • Taught by: Deakin University
  • Language: English
  • Platform: Future Learn

Cybersecurity Fundamentals

As suggested by its name, this course seeks to introduce students to the pillars of cybersecurity so that they can learn how to detect threats, protect systems and networks, anticipate potential attacks, and learn about the fundamentals of cryptography, among other topics. It takes place over eight weeks and is aimed at users with advanced knowledge of the subject matter.

  • Taught by: Rochester Institute of Technology
  • Language: English
  • Platform: EdX

Cybersecurity: understanding attacks in order to deploy countermeasures (Spanish / Portuguese)

King Juan Carlos University in Madrid offers this free online course about computer security that will introduce the participants into the world of cybersecurity.

During this six-week program, the students will learn about attacks at the network level, systems and services, malware and Advanced Persistent Threats (APTs), cryptography and network-level countermeasures, present-day challenges, and future trends.

(Please note this is offered in Spanish and Portuguese only)