Expert Guide on Social Media Cyber Security Awareness

Cyber security awareness is about making active internet users aware of the potential cyber threats, What can be the possible undesirable outcomes of getting trapped in such threats, and how to defend themselves against such threats.

In 2020-2021, cyber-attacks and data breaches increased by huge graphs, resulting in the great loss of data and the image of the companies. The focus on cyber security awareness in companies helps to promote great knowledge of possible cyber threats and how to defend against them with pre-attack and post-attacks methods.

Cyber Security Awareness For Employees

The goal behind such an awareness program for employees is to make them self-aware and make them actively participate in their security both at work and at home. Comprehensive awareness training regarding the cyber security threats to the employees can improve the company’s security posture and secure the Enterprise network which usually is the main target of the threat actors.
This will help employees to have better knowledge and a great understanding of how to detect the attacks, identify the risks as a result of those attacks and use the best possible ways to avoid such risks.

Common Security threats to Company Employees

1. Phishing | Spam emails: Anyone can be the victim of phishing attacks and spam emails, It Doesn’t matter how much you are aware of this digital era. Humans are the primary target for attackers to exploit and cause harm to enterprises with information leaks. Attackers specialized in social engineering are aware of how humans think. Verizon’s 2021 Data Breach Investigations Report revealed that more than 35% of data breaches involved phishing.
   Email spamming is a very common issue for Organisation’s security. As we all know, email has become one of the crucial communications tools for businesses today, it is the same medium used by threat actors to spread their attack vectors which include phishing, ransomware, malware, etc.

2. PUP/Riskware installation Unknowingly:  Employees may download some utility software from sources that are not trusted. This Software is not allowed in Enterprises as it can cause some harm, or at times change the system configuration and settings that are mandated by Enterprises. Also, when downloading these from non-trusted sources, they can contain malware embedded which can later cause serious security issues.
   Examples of such utility software can be adware or additional web browser toolbars, and they are often downloaded simultaneously with a program that the user wants.

3. Using weak credentials for company’s related accounts:  Employees using company-given mail or services sometimes use weak or default credentials to remember the password for any time login without struggling to remember the same. Through some great OSINT, attackers can prepare their one-shot password list to hit and trial on the employee’s account and get access to the company’s internal information.
4. Using weak credentials for company’s related accounts:  Employees using company-given mail or services sometimes use weak or default credentials to remember the password for any time login without struggling to remember the same. Through some great OSINT, attackers can prepare their one-shot password list to hit and trial on the employee’s account and get access to the company’s internal information.

Cyber Security Awareness Training for Employees

Threat actors are continuously evolving and discovering new methods to exploit and steal valuable information/data from businesses. It is no surprise social engineering attacks like phishing, Email spamming, ransomware, etc. are so successful because Social engineering is the most effective part of exploiting human behavior.
Educating the employees and training them to tackle such threats as frequently as possible can reduce the risk of cybersecurity incidents, which include data breaches, system compromises, etc. This also means the organization treats the client’s data and its security with utmost importance, which is a must in today’s ever-evolving digital landscape, adding to the promising image of the Organisation.

Such training must include the following programs/courses to train the employees:

1. Phishing and Social Engineering: Adding to the discussion earlier, Phishing was part of most of the ransomware incidents that happened in 2021. Not just through emails, but through ads, social media, text messages, etc. Aware the employees of the phishing attack vectors, how to identify such attempts, and the remediations. Social engineering can be avoided by being mindful of risks.

2. Strong passwords and Rotation policy: Instructing the employees to use strong passwords and avoid any common passwords, the reasons being many people prefer convenience over security and so they use easy passwords or passwords somewhat similar to previous ones. Create Rotation policies to make the employees change passwords regularly to avoid password-based attacks. Aware the users of best password policies, not storing them in plaintext/plain sight, and also the use of password managers for complex password storage and even generation.
3. Multi-Factor Authentication(MFA): MFA helps to authenticate if the entered credentials are by the original user or not by using other factors of authentication which can be OTPs, Finger-Prints, Session codes, etc.
   2MFA/MFA acts as a shield even if the password is leaked unknowingly, enabling MFA on all possible logins will be the best thing to do to be protected against most credential theft.
4. Ransomware: With no silver bullet to defend the ransomware threats, employees can still reduce the risk by getting taught about how to spot a potential ransomware attack. Even after being attacked by ransomware, employees should know the post-steps to proactively take action and stop it from spreading. The simplest things to keep in mind are not executing files from unknown sources, and not downloading software from non-trusted websites.

5. Personal Devices care: Employee’s gadgets can also be the gateway into the organization’s network. This marks the importance of taking care of personal devices. Also, using it properly may include not accessing unknown sites, and updating to the latest security patches. They should have a different device or account for personal and corporate usage.

Should you consider doing security awareness training often?

Yes! Cybersecurity trends keep on changing and new attack vectors are discovered too often which makes it important to be educated about these trends on a regular basis. Conducting such training or maybe a small session will help keep the employees up to date with the latest trends and so prepare remediations accordingly. Such mandatory sessions/training should be conducted monthly/quarterly/annually.