NZ Incident Response Bulletin - November 2024

The November edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content, based on a trending theme, this month's being “Cybersecurity Training for the Workforce”.

Cybersecurity Training for the Workforce

Cybersecurity is a critical concern for New Zealand organisations due to the ever-increasing degree of business interruption, cost, and serious harm posed by successful cyber-attacks and data breaches. According to the latest Verizon Data Breach Investigations Report, 68% of all breaches are linked to attacks involving human error, highlighting the crucial role that employees play in securing company systems and information.

Malicious actors continually target human weaknesses because they often find it easier to manipulate a user into compromising security, such as clicking a malicious link or mishandling data, than to exploit a technical vulnerability. Employees may unintentionally cause incidents through weak passwords, data mishandling, or the reuse of passwords on public websites. A robust security program must therefore address these human weaknesses, taking into account the different risks faced by roles such as executives or IT administrators.

The Center for Internet Security (CIS) uses data from the Verizon Data Breach Investigations Report to shape the CIS controls and best practices for workforce training. These controls emphasise employee education and awareness as essential layers of defence against cyber threats. For example, CIS Control 14, which addresses security awareness and skills training, integrates real-world data breach statistics to ensure that training programs cover the most pressing vulnerabilities and attack vectors.

Core Cybersecurity Training Requirements

Ensuring that all staff members understand cybersecurity policies and procedures is fundamental to a strong security posture. However, effective training programs not only focus on theoretical knowledge but also emphasise practical applications tailored to real-world scenarios.

The first step (14.1) in achieving an effective cybersecurity programme is to ‘Establish and Maintain a Security Awareness Program’. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Organisations should conduct training at hire and, at a minimum, annually. Organisations should then review and update the content annually, or when significant enterprise changes occur.

Based on real world attack patterns, CIS suggests organisations structure their staff training and awareness initiatives to include the following:

CIS 14.2 to 14.8 Key Training Components

14.2 Recognizing Social Engineering Attacks: Train workforce members to identify and avoid social engineering threats like phishing, business email compromise (BEC), pretexting, and tailgating.

14.3 Authentication Best Practices: Educate employees on secure authentication practices, covering topics like multi-factor authentication (MFA), secure password creation, and effective credential management.

14.4 Data Handling Best Practices: Instruct employees on properly storing, transferring, archiving, and destroying sensitive data. Include clear screen and desk policies, like locking screens when away, erasing whiteboards, and securing data assets.

14.5 Causes of Unintentional Data Exposure: Make employees aware of common causes of unintentional data leaks, such as misdirected data, lost devices, or publishing to the wrong audience.

14.6 Recognizing and Reporting Security Incidents: Train employees to identify and report potential security incidents promptly.

14.7 Identifying and Reporting Missing Security Updates: Teach employees to check for missing patches or software updates and report any issues with automated security processes.

14.8 Dangers of Insecure Networks: Educate employees on the risks of using insecure networks, including remote work guidance on securing home network configurations for safe data transmission.

Implementing an effective cybersecurity training program

Establishing and maintaining a security awareness program is essential to ensure that employees are security conscious and skilled in reducing cybersecurity risks to the enterprise. An impactful program should include frequent, relevant messages about security best practices tied to real-world events, such as password breaches or seasonal phishing scams.

To support New Zealand organisations in lifting overall workforce cybersecurity knowledge, we have developed a learning management system (LMS) that provides training in all key cybersecurity knowledge areas outlined in the CIS controls.

We recommend organisations kick off their cybersecurity training programme with an instructor-led session. This session can lay a solid foundation for future online learning by explaining the importance of cybersecurity and the high stakes involved, backed by real-world examples and data such as the Verizon breach statistics.

This introductory session should then be followed with the LMS series of online courses designed for flexibility and engagement. The training content is divided into seven short, impactful four-minute videos that cover different aspects of cybersecurity, such as threat identification, data protection practices, and reporting mechanisms. After each video, a five-question quiz is included to reinforce learning and ensure comprehension.

To motivate employees and track progress, we provide a certificate of completion for those who successfully finish the course. Keeping a company record of these certificates can help your organisation maintain compliance and recognise employees' commitment to keeping the organisation secure.

By structuring training this way, companies can effectively communicate the significance of cybersecurity, create a culture of security awareness, and empower employees to be the first line of defence against cyber threats.

Visit cyber.thinkific.com to learn more about the LMS, sample some of the training, and if you wish to proceed, sign up to start your training program.

The Bulletin:

To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin

Martin Mooney

Experienced Cybersecurity & IT Infrastructure Professional

4 months

Good point!
