How to Transform Employee Worst Practices Into Enterprise Best Practices

November 8, 2020

Preventing your worst data breach nightmare with New School Security Awareness Training

Executive Summary

The press can’t get enough of corporate data breaches. They delight in showcasing the latest horror story about a business that lost massive amounts of private records or millions in revenue to the latest hack. You could be next. Despite all the funds you may have spent on state-of-the-art security software, the bad guys are just one gullible user click away from staging an all-out invasion. To make matters worse, that user might well be you! Recent surveys show that executives can be some of the biggest culprits when it comes to clicking on phishing links and opening malicious email attachments.

Yet by far the most effective strategy in combatting these attacks is also one of the most poorly implemented – security awareness training. The long list of “worst practices” for user education is almost endless – break room briefings while people eat lunch and catch up on email; short instructional videos that provide no more than superficial understanding; and the time-honored practice of hoping for the best and doing nothing.

Find out what the true best practices are for security awareness training – those that establish a human firewall to effectively block hackers and criminals, and keep you out of the headlines.

This whitepaper provides clear direction on how to go about improving your organization’s security posture by “inoculating” employees who fall for social engineering attacks. Such incidents are far from uncommon. According to a recent study by Osterman Research, email is the most prevalent channel of infiltration into the enterprise.

Key Points

• A summary of the main email-based attack vectors into organizations such as phishing, spear-phishing, executive “whaling”, and “CEO fraud”.

• What organizations are doing about it and why this isn’t enough.

• What is wrong with most current security awareness training programs. This includes a list of “worst practices” along with why they don’t work.

• The proven best practices for security awareness training that reinforce existing defenses by erecting a human firewall.

• How to combine security awareness training with simulated phishing attacks to keep employees on their toes with security top of mind.

• How to devise a valid KPI for the effectiveness of that training to showcase its return on investment.

Understanding the Threat

According to a recent study by Osterman Research, email is the top attack vector into organizations. Web-based attacks used to predominate, which is why their prevention appears to receive more funding. Yet email attacks were never far away from first place and are now once again in the lead. Osterman places email in the lead with malware infections impacting 67% of organizations, with web-based attacks in second place at 63%.

In third place is a category of attack of uncertain origin. Those attacks may well have come via email but the source has never been detected. 23% of organizations marked this category over the past year, and the true number is probably much higher.

Why can’t these companies identify some of the avenues of security compromise? Cybercriminals are becoming more effective. Verizon numbers indicate that 80,000 security incidents were reported by 70 organizations contributing to the survey and over 2,000 breaches occurred in one year.


About the Provider

KnowBe4 enables your employees to make smarter security decisions, every day.

