Effort vs. Knowledge: The Truth Behind Security Awareness Training

Assuming the data security learning curve of your average employee is lower because a majority of today’s workforce is made up of digital natives isn’t far-fetched. Unfortunately, that’s not the case.

Human error is still to blame for a majority of security events, as cyber crooks continue to launch social engineering campaigns to compromise businesses.

At the end of the day, employees make mistakes, from clicking on malicious email attachments from strangers to leaving their laptops in a taxi cab. As businesses evolve through the various stages of digital transformation, attackers always have the opportunity to maximize their efforts through costly blunders.

The security organization’s answer to combat this tired problem comes in the form of security awareness programs. Although there’s been a long debate in the community hinting at the ineffectiveness of this approach, there’s no denying that it can only help. Naysayers believe that resources are going to waste with such programs, but the proof is in the pudding.

Studies indicate that running continuous training programs reduces phishing proneness, which ultimately has a positive impact on organizational cyber risk. Simply put, creating a security awareness program is effective and recommended, but there are areas you should focus on to ensure you get the most bang for your buck.

Although digital natives place far too much trust in their devices, they aren’t oblivious to the risks associated with online activity. You may ask yourself, “If that’s the case, then why are so many mistakes still being made in the workplace that lead to breaches?” That’s a matter of effort, not knowledge, says Charles Hamilton, principal consultant at Trustwave.

“Each employee can make a difference on their own by modifying their browsing habits,” says Hamilton. “A work computer should be used for work, not to access questionable sites and watch videos on Facebook. We’re always just one click away from allowing an attacker to gain access to our system.”

To reach this ideal state of user awareness, there are three primary areas highlighted below that Hamilton advises security professionals to focus on to get the most bang for their buck out of their security awareness programs.

1. Familiarize Employees with Policies

Ask any employee if they’re familiar with the organization’s security policies, and you’ll likely get either an eye roll or a blank stare with a nod. Nine times out of 10, the answer is “no.” Corporate policies are intended to protect employees and the business, but the truth is they’re perceived as censorship by employees. It’s important to educate staff members properly on these policies in a way that provides insight on why they’re in place, Hamilton says.

“Similar to how we learn other things in life, if you get creative and make this exercise fun, it will stick with the employee,” Hamilton says. “If something’s entertaining, you tend to pay more attention, and you’ll certainly be more inclined to do it.”

2. Provide Thorough Training

While it’s important to be creative and shy away from mind-numbingly boring passages featured in emails blasted out to employees, there’s a level of comprehensiveness your training should embody. The truth is, a majority of security awareness training only features cursory material. Take phishing exercises, for example. Rather than training employees not to click on suspicious links (which is important), take things one step further by teaching them to identify a phishing pattern. Hamilton suggests using a three-strike approach to score suspicious behavior in this example:

Strike 1: A random email hits the employee’s inbox asking them to perform administrative tasks on a website they’ve never visited (or heard of) before.

Strike 2: The third-party website asks for their credentials instead of using the SSO authentication the company typically requests.

Strike 3: The website then offers to download its “secure” client instead of using the web portal.

This approach would allow employees to rate the email and take action according to the number of strikes it receives, Hamilton says. In this case, even if the email address appears to be legitimate, the employee can still successfully identify the phishing attack using the scoring approach.

3. Create Versatile Cyber Threat Awareness

Many employees are already aware of phishing threats, but are they familiar with other attack tactics? The truth is they’re likely not. While many security awareness programs tend to focus their exercises on simulated phishing attacks, threat actors can also take advantage of their clumsy social networking, weak passwords, disabled security controls, or lack of remote security.

This doesn’t mean that the security organization needs to create a “cyber threat awareness” dashboard for employees to understand the cyber risk profile of the business, but security awareness training programs should be versatile, Hamilton suggests.

“It’s not about getting too specific with the tactics being used by attackers, but employees need to be aware of what’s out there from an attack standpoint and the vectors associated with them.”

But security teams won’t be able to share this valuable information with employees if they don’t access it themselves.

“Having threat intelligence, EDR, anti-virus, IDS/IPS is all part of an ecosystem that will help you identify threats, but if you have that information you need to leverage the data,” says Hamilton.

Access the data, analyze the information, and understand what meaningful attack and threat vector knowledge you can instill in your employees.

The modern-day employee’s online behavior is driven by instant gratification. This becomes a significant hurdle when the same routine makes its way into the business’s network. By focusing on the areas outlined above in your security awareness training, you’ll be one step closer to reducing cyber risk in the company.

Providing comprehensive training in an entertaining format that covers the threat vectors within your business will make a big difference in your battle against digital adversaries. A mix of good monitoring, adequate threat detection, and user awareness is a recipe for success in today’s cyber threat climate.

Find out how Trustwave can help your organization by empowering employees to practice secure computing and training developers to build resilient code.

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.