The central goal of security education is to modify an employee’s behavior so he or she doesn’t fall for social engineering -- the art of manipulating, influencing or deceiving somebody to take an action that isn’t in either his or his organization’s best interests. The most common examples of social engineering are phishing and spear-phishing attacks, which use phone, email, postal services or direct contact to try to trick people into doing something harmful.
“Interactive computer-based training is a central component of a comprehensive security education and behavior management program,” according to Gartner. “It is a mechanism for the delivery of a learning experience through computing devices, such as laptop computers, tablets, smartphones and Internet of Things (IoT) devices. The focus and structure of the content delivered by CBT vary, as do the duration of individual CBT modules and the type of computing endpoints supported. Understanding the diversity of people in the organization is as important to security and risk management leaders as an understanding of how security fits into an organization's larger goals.”
The aim of most social engineering schemes is to get somebody to click on a hyperlink or open an attachment sent in an email that will then give the bad guys access to the user’s computer. It can be a security game changer to show a trainee that, of the nearly 20 file types an email attachment could come in, the only one that is absolutely safe to open is a file ending in .txt. Providing short, three- or four-question quizzes at regular intervals during a training module helps employees review and reinforce their understanding of particular training elements. Congratulatory messages after each quiz can also increase their trust in the impact the course is having and motivate them to complete it.
Human beings can become an organization’s last layer of defense only when security awareness training demonstrates to them how susceptible they are to social engineering, which is considered to be the single greatest security risk in the coming decade, much more than electronic hacking. The FBI has reported a 2,370 percent increase in exposed losses between January 2015 and December 2016 from social engineering schemes such as CEO fraud, also known as Business Email Compromise (BEC). A total of more than $5 billion was stolen from businesses through cyber theft from October 2013 through December 2016, with an average loss per incident of $100,000, and losses are projected to top $9 billion in 2018.
If you're interested in a discussion on how to implement a program that will let you train, test and support your employees, contact us today! We would be happy to learn more about your unique situation and help you improve your organization's security.