Skip to main content
Alpha IT Solutions | 02 8071 4180 | Unit 2, 141 Hartley Road, Smeaton Grange, NSW, 2567

Category: Cybersecurity

How Often Do You Need to Train Employees on Cybersecurity Awareness?

You’ve completed your annual phishing training. This includes teaching employees how to spot phishing emails. You’re feeling good about it. That is until about 5-6 months later. Your company suffers a costly ransomware infection due to a click on a phishing link.

You wonder why you seem to need to train on the same information every year. But you still suffer from security incidents. The problem is that you’re not training your employees often enough.

People can’t change behaviors if training isn’t reinforced. They can also easily forget what they’ve learned after several months go by.

So, how often is often enough to improve your team’s cybersecurity awareness? It turns out that training every four months is the “sweet spot.” This is when you see more consistent results in your IT security.

Why Is Cybersecurity Awareness Training Each 4-Months Recommended?

So, where does this four-month recommendation come from? There was a study presented at the USENIX SOUPS security conference recently. It looked at users’ ability to detect phishing emails versus training frequency. It looked at training on phishing awareness and IT security.

Employees took phishing identification tests at several different time increments:

  • 4-months
  • 6-months
  • 8-months
  • 10-months
  • 12-months

The study found that four months after their training scores were good. Employees were still able to accurately identify and avoid clicking on phishing emails. But after 6-months, their scores started to get worse. Scores continued to decline the more months that passed after their initial training.

To keep employees well prepared, they need training and refreshers on security awareness. This will help them to act as a positive agent in your cybersecurity strategy.

Tips on What & How to Train Employees to Develop a Cybersecure Culture

The gold standard for security awareness training is to develop a cybersecure culture. This is one where everyone is cognizant of the need to protect sensitive data. As well as avoid phishing scams, and keep passwords secured.

This is not the case in most organizations, According to the 2021 Sophos Threat Report. One of the biggest threats to network security is a lack of good security practices.

The report states the following,

“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”

Well-trained employees significantly reduce a company’s risk. They reduce the chance of falling victim to any number of different online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training. It’s better to mix up the delivery methods.

Here are some examples of engaging ways to train employees on cybersecurity. You can include these in your training plan:

  • Self-service videos that get emailed once per month
  • Team-based roundtable discussions
  • Security “Tip of the Week” in company newsletters or messaging channels
  • Training session given by an IT professional
  • Simulated phishing tests
  • Cybersecurity posters
  • Celebrate Cybersecurity Awareness Month in October

When conducting training, phishing is a big topic to cover, but it’s not the only one. Here are some important topics that you want to include in your mix of awareness training.

Phishing by Email, Text & Social Media

Email phishing is still the most prevalent form. But SMS phishing (“smishing”) and phishing over social media are both growing. Employees must know what these look like, so they can avoid falling for these sinister scams.

Credential & Password Security

Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft because it’s the easiest way to breach SaaS cloud tools.

Credential theft is now the #1 cause of data breaches globally. This makes it a topic that is critical to address with your team. Discuss the need to keep passwords secure and the use of strong passwords. Also, help them learn tools like a business password manager.

Mobile Device Security

Mobile devices are now used for a large part of the workload in a typical office. They’re handy for reading and replying to an email from anywhere. Most companies will not even consider using software these days if it doesn’t have a great mobile app.

Review security needs for employee devices that access business data and apps. Such as securing the phone with a passcode and keeping it properly updated.

Data Security

Data privacy regulations are something else that has been rising over the years. Most companies have more than one data privacy regulation requiring compliance.

Train employees on proper data handling and security procedures. This reduces the risk you’ll fall victim to a data leak or breach that can end up in a costly compliance penalty.

Need Help Keeping Your Team Trained on Cybersecurity?

Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program. One that helps your team change their behaviors to improve cyber hygiene.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

You Need to Watch Out for Reply-Chain Phishing Attacks

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

A cybercriminal may want to steal employee login credentials. Or wish to launch a ransomware attack for a payout. Or possibly plant spyware to steal sensitive info. Sending a phishing email can do them all

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the move to remote teams. Many employees are now working from home. They don’t have the same network protections they had when working at the office.

Why has phishing continued to work so well after all these years? Aren’t people finally learning what phishing looks like?

It’s true that people are generally more aware of phishing emails and how to spot them than a decade ago. But it’s also true that these emails are becoming harder to spot as scammers evolve their tactics.

One of the newest tactics is particularly hard to detect. It is the reply-chain phishing attack.

What is a Reply-Chain Phishing Attack?

Just about everyone is familiar with reply chains in email. An email is copied to one or more people, one replies, and that reply sits at the bottom of the new message. Then another person chimes in on the conversation, replying to the same email.

Soon, you have a chain of email replies on a particular topic. It lists each reply one under the other so everyone can follow the conversation.

You don’t expect a phishing email tucked inside that ongoing email conversation. Most people are expecting phishing to come in as a new message, not a message included in an ongoing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain.

How Does a Hacker Gain Access to the Reply Chain?

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain.

The hacker can email from an email address that the other recipients recognize and trust. They also gain the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

For example, they may see that everyone has been weighing in on a new product idea for a product called Superbug. So, they send a reply that says, “I’ve drafted up some thoughts on the new Superbug product, here’s a link to see them.”

The link will go to a malicious phishing site. The site might infect a visitor’s system with malware or present a form to steal more login credentials.

The reply won’t seem like a phishing email at all. It will be convincing because:

  • It comes from an email address of a colleague. This address has already been participating in the email conversation.
  • It may sound natural and reference items in the discussion.
  • It may use personalization. The email can call others by the names the hacker has seen in the reply chain.

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins. Both are contributors to how common BEC is becoming.

In 2021, 77% of organizations saw business email compromise attacks. This is up from 65% the year before.

Credential theft has become the main cause of data breaches globally. So, there is a pretty good chance of a compromise of one of your company’s email accounts at some point.

The reply-chain phishing attack is one of the ways that hackers turn that BEC into money. They either use it to plant ransomware or other malware or to steal sensitive data to sell on the Dark Web.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

  • Use a Business Password Manager:

This reduces the risk that employees will reuse passwords across many apps. It also keeps them from using weak passwords since they won’t need to remember them anymore.

  • Put Multi-Factor Controls on Email Accounts:

Present a system challenge (question or required code). Using this for email logins from a strange IP address can stop account compromise.

  • Teach Employees to be Aware:

Awareness is a big part of catching anything that might be slightly “off” in an email reply. Many attackers do make mistakes.

How Strong Are Your Email Account Protections?

Do you have enough protection in place on your business email accounts to prevent a breach? Let us know if you’d like some help! We have email security solutions that can keep you better protected.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Where We Service

Alpha IT Solutions is an Australian based and family operated business, we support the Sydney or metropolitan area of New South Wales. We look forward to discussing your computer support, maintenance, and service needs.