Increased Cyber Awareness Training is Essential for Best of Breed Companies
October is cybersecurity awareness month, and many companies are aware of the grave implications of recent malware attacks and the numerous threat types aimed at employees. There has been a shift since the pandemic, and in some ways cybersecurity awareness is on the rise at the management level and, of course, in IT departments. Remote working is now in place, and each day more companies move systems to the cloud.
With management buy-in, IT departments have been empowered to move forward with stronger cybersecurity policies and new approaches to cyber awareness training for employees. The new normal for IT is home computers, smartphones, and external Wi-Fi networks, which create opportunities for hackers.
Enhanced cyber awareness training for employees is essential and provides an excellent return on investment (ROI), since most breaches begin with users. In fact, the majority of corporate data breaches involve stolen login credentials. IBM’s Cost of a Data Breach Report 2021 found that compromised credentials accounted for 20% of data breaches, costing companies $4.37 million per incident.
Read on to find out how best-of-breed companies are implementing cyber awareness training in 2022 and what is required from employees. IT departments are now offering increased cyber awareness training to employees on passwords and phishing exploits, but they are also restricting access to internal resources within the business and adding more encryption devices for users. IT is also moving past default settings for servers and networks.
Frequent Cyber Awareness Training
There are many reasons why cyber awareness training is increasing, but the move to remote work and C-suite awareness of this fact have moved the needle. Today’s best practices include onboarding cybersecurity training for all remote workers and office workers. Quarterly updates on threat vectors from IT staff and annual refresher training are also part of the cybersecurity playbook in 2022.
Onboarding training is crucial. It is the best time to make a strong impression on new employees when it comes to password security, phishing exploits, and the opportunities for malware that outside Wi-Fi networks create. Employees must be educated that security relies on them and that it is a 24/7 endeavor, whether the threat is a strange email attachment or a spoofed company communication. (At ArcherPoint, we use the KnowBe4 platform to educate employees.) This early opportunity for cyber awareness training is paramount, and it can be a place to reinforce how IT policies – and the business landscape – have changed.
A lack of cybersecurity education also cuts across age and experience.
IT security policies are evolving, and education and training are essential for employees to understand the new normal, such as requiring a security key to enforce multi-factor authentication before an employee can open a document in a diner, for instance. More and more, the message from leading IT departments isn’t “big brother is watching you” but “we’re adding a new layer of protection”.
From an IT perspective, confidentiality, integrity, and availability are the key concepts that employees need to understand innately, and the best way to reinforce them is with continuous cyber awareness training.
Reexamining User Permissions and Roles
For years, IT secured computers and devices within the four walls of an office, and user permissions were not scrutinized for increased security. Now, user permissions are under the microscope due to remote working and bring-your-own-device policies. The future is here, and IT departments are asking each employee: What is your essential role at the company? What kind of network and software permissions do you actually need to perform your tasks?
The C-suite is backing IT departments in adding extra layers of protection, and convincing management has been easier with the top-line numbers and the Zero Trust framework. Zero Trust is the security buzzword for 2022, but the term puts a name on a very real threat.
The Zero Trust framework offers a comprehensive security approach with three broad principles: verify explicitly, use least-privilege access, and assume breach. With a distributed work landscape, Zero Trust accepts that users are connecting from home offices, from handheld devices on the retail floor, or over a public Wi-Fi network.
Accordingly, IT departments are finding this raised awareness at the executive level helpful in evaluating permissions and roles for the entire organization. Microsoft is a great example. Earlier this year, Microsoft announced that it would be implementing a new Granular Delegated Administrative Privileges (GDAP) policy, under which ERP partners are given least-privileged and time-bound access to customers’ production and sandbox environments. The previous policy, called Delegated Administrative Privileges (DAP), gave partners almost unrestricted access to their customers’ servers, user permissions, and work environments.
IT Teams Dive into Default Settings
The Microsoft policy is a prime example of what security communities and best-of-breed companies are doing when it comes to internal security. Besides limiting users and recognizing an employee’s essential role at the company, IT teams are evaluating internal default settings for servers, software, operations, networks, and anything connected to the business. Many companies are moving past the default settings and implementing more secure policies.
For example, Microsoft Outlook comes with default virus security controls, and one that is “turned down” – not enabled by default – is dynamic delivery. Dynamic delivery allows an email system to scan attachments thoroughly without slowing down the delivery of emails. Microsoft introduced the Safe Attachments feature as part of its Advanced Threat Protection (ATP) offering in 2015. The slight inconvenience is to the user, who will have to wait a minute or two until the attachment is completely scanned before making changes to it.
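One way for an IT team to audit whether a Safe Attachments policy with dynamic delivery is in place, and to create one if it is not, using Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft; the policy name, rule name, and recipient domain are placeholder values chosen for the example.

```powershell
# Added example: audit and enable Safe Attachments dynamic delivery.
# Assumes the ExchangeOnlineManagement module is installed and the tenant
# is licensed for Defender for Office 365. Names and domain are placeholders.
Connect-ExchangeOnline

# 1. Audit: list existing Safe Attachments policies and their action.
#    No policy at all, or Action = 'Allow', means attachments are still
#    handled by the default, without sandbox detonation.
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action

$policyName = 'SafeAttachments-DynamicDelivery'   # placeholder
$ruleName   = 'SafeAttachments-AllRecipients'     # placeholder
$domain     = 'contoso.example'                   # placeholder

# 2. Create the policy if it does not exist. DynamicDelivery delivers the
#    message body immediately and reattaches the file once scanning finishes,
#    which is the short wait for the user described in the text above.
if (-not (Get-SafeAttachmentPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $policyName `
        -Enable $true `
        -Action DynamicDelivery
}

# 3. Scope the policy to every recipient in the organization's domain.
if (-not (Get-SafeAttachmentRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentRule -Name $ruleName `
        -SafeAttachmentPolicy $policyName `
        -RecipientDomainIs $domain
}

# 4. Verify: Enable should be True and Action should be DynamicDelivery.
Get-SafeAttachmentPolicy -Identity $policyName | Select-Object Name, Enable, Action
```

Run the audit step alone first; it is read-only and shows whether the tenant is still on the default before any policy is created.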
Now we’ve come full circle on the new era of cyber awareness training. The training should create a lasting level of awareness. Businesses are under attack, and they are using every tool in their kit to keep company data safe.
Keep Coming Back to ArcherPoint for More Cybersecurity Best Practices
ArcherPoint offers a wide range of blog topics on cybersecurity, and this month we’ll be doing a deep dive on cyber insurance and emerging security topics in 2022. For more information on cyber insurance or how to qualify, reach out to our Managed IT Services department.