SIW on Addressing Concerns, Four Ways to Improve Effectiveness of Employee Security Training
SecurityInfoWatch.com (SIW) outlines ways to address security concerns and improve employee cybersecurity training by tackling the four most common program mistakes in its article, “The 4 most common mistakes in employee security awareness training.”
According to the article, at least 35 percent of security breaches begin with employees.
“Security awareness training has existed for decades—yet in all that time, it seems as if it hasn’t reached the level of effectiveness we hoped for. Sure, today there is more of a focus on the need and various compliance demands to create effective programs. But the figures representing the blatant failure of our field are frightening. Anywhere from 35-80 percent of security breaches start with employee involvement, usually with the employees being completely unaware of it,” the article states.
The article’s four ways to make security training more effective are:
- Training should be an ongoing activity that is part of the company culture and takes place year-round. Problems arise with “singular training events” that cover security only irregularly, or with training relegated to video without any direct engagement between the CISO and employees.
- It’s critical to teach employees how to identify fraud with real world examples, not just teach them what fraud is. The article recommends teaching security tips as procedural knowledge, which it defines as “actionable knowhow: how to write a symmetric encryption algorithm, how to decide if a file is malware, and should I take my work home at this specific time—understanding security tradeoffs and potential compromises.”
- Tapping into the natural cycle of learning that happens routinely and outside of formal training is key. Getting employee feedback after security audits and incorporating exercises that provide immediate “accurate feedback” improve the likelihood of lasting, positive changes in employee behavior.
- Trainings must be repetitive, present varying challenges, and be ongoing to help employees learn to choose solutions that prevent security concerns and reduce cyber threats.
Hikvision Teaches How to Identify Security Concerns by Outlining Examples of Phishing
Hikvision teaches partners and employees how to identify security concerns in email by outlining examples of phishing in this blog. In it, Hikvision’s cybersecurity director, Chuck Davis, said: “Phishing attacks have long been an effective way for attackers to trick people into divulging sensitive information or infecting a system with malware. Malware can give an attacker remote access to protected systems and networks, encrypt a user’s data and charge a ransom to decrypt the data, or use that system as part of an attack against other systems.” Davis provided real-life phishing examples with screenshots in the article.
In part two of “Examples of Phishing,” Davis outlined an example of masking a URL, an advanced version of that technique called clickjacking, and the Internationalized Domain Name (IDN) homograph attack, in which look-alike characters from another script are used to make a fraudulent domain resemble a legitimate one.
Two steps from the article to reduce the risk of a phishing attack:
- Look carefully at email headers. Check the "From" and "To" fields for anything suspicious. While we already stated that these can be spoofed, they can also be a good first indicator of a suspicious email. Here is how to check the full email headers in Gmail: https://support.google.com/mail/answer/29436?hl=en
- Hover over links and be sure to read the entire URL: When you hover over a link, notice whether the destination shown by the browser is different from the URL printed in the message. Also inspect the entire URL from the first forward slash, back to the left, to see which host that link is actually going to.
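The two link checks above can be written down as a small script. The following is an added example, not code from the Hikvision article or from Chuck Davis: it reads the real host "from the first forward slash back to the left" (discarding any user@ prefix and port, as a browser would), compares it with the host the visible link text claims, and flags punycode (xn--) or mixed-script hosts of the kind an IDN homograph attack relies on. All hosts in the sample calls are constructed for illustration and do not refer to real sites.

```python
"""Inspect an email link as the two tips describe: find the host the browser
will really connect to, compare it with what the link text shows, and flag
IDN/homograph tricks. Added example; the sample hosts are constructed."""
import unicodedata
from urllib.parse import urlsplit


def _with_scheme(url: str) -> str:
    # Bare hosts such as "www.example.com" get a scheme so urlsplit sees an authority.
    return url if "://" in url else "http://" + url


def effective_host(url: str) -> str:
    """Host the browser actually connects to: the authority between '://' and the
    first '/', with any 'user@' prefix and ':port' suffix removed and lowercased."""
    return urlsplit(_with_scheme(url)).hostname or ""


def looks_like_url(text: str) -> bool:
    # Link text such as "Click here" makes no host claim; "www.bank.example" does.
    text = text.strip()
    return " " not in text and ("://" in text or "." in text)


def script_names(host: str) -> set[str]:
    # The first word of a character's Unicode name is its script (LATIN, CYRILLIC, ...).
    return {unicodedata.name(ch).split()[0] for ch in host if ch.isalpha()}


def host_findings(host: str) -> list[str]:
    """Warnings about the host itself: punycode labels and mixed scripts."""
    findings = []
    if any(label.startswith("xn--") for label in host.split(".")):
        try:
            decoded = host.encode("ascii").decode("idna")
            findings.append(f"punycode host decodes to '{decoded}' (IDN); verify it is the expected name")
        except (UnicodeError, ValueError):
            findings.append("punycode host (xn--) that does not decode cleanly")
    scripts = script_names(host)
    if len(scripts) > 1:
        findings.append("mixed-script host (" + ", ".join(sorted(scripts)) + "); possible homograph")
    return findings


def inspect_link(link_text: str, href: str) -> dict:
    """Return the real host, a list of findings, and whether the link is suspicious."""
    actual = effective_host(href)
    findings = []
    if urlsplit(_with_scheme(href)).username is not None:
        findings.append("text before '@' in the URL is ignored by the browser; the real host follows '@'")
    if looks_like_url(link_text):
        shown = effective_host(link_text)
        if shown != actual:
            findings.append(f"link text shows '{shown}' but the link goes to '{actual}'")
    findings.extend(host_findings(actual))
    return {"host": actual, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed samples: one benign link and three that the tips would catch.
    samples = [
        ("Click here", "https://accounts.example.com/reset"),
        ("www.example.com", "http://www.example.com@login-example.test/"),
        ("Update now", "https://p\u0430ypal.example/"),        # Cyrillic 'а' in place of Latin 'a'
        ("Update now", "http://xn--pypal-4ve.example/"),       # punycode form of a look-alike label
    ]
    for text, href in samples:
        result = inspect_link(text, href)
        print(f"{text!r} -> {result['host']}: {'SUSPICIOUS' if result['suspicious'] else 'ok'}")
        for finding in result["findings"]:
            print("   -", finding)
```

The script deliberately trusts only what `urlsplit` reports as the hostname, because that is what the browser will resolve; everything to the left of an `@`, and everything after the first `/`, is decoration an attacker controls. Mixed-script detection is a coarse heuristic (some legitimate internationalized names mix scripts), so treat a finding as a reason to type the address manually rather than as proof of phishing.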
For more ways to address security concerns, check out the Hikvision blog about a special kind of phishing attack called spear phishing.