Scott's Human Cyber Security Insights for August 18, 2024
Scott Wright, CISA
Speaker | Podcaster | Co-Founder/CEO at Click Armor | Helping build confidence through engaging, interactive cybersecurity training
Welcome, Cyber Champions!
Are you ready for another edition of Human Cyber Security Insights? In today's issue, I'll be discussing:
Why security managers need to talk to their top executives
The startling statistics on breaches including cloud-stored data
The biggest cyber attacks of the year
Join our next live panel session: Keeping your employees engaged with microlearning
MSP Cyber Roundtable Podcast recording: 3 ways phishing simulations prevent cyber awareness failures
Rottenphish: Does your phishing test program even make sense from an employee perspective?
Choose your own security awareness adventure in a Click Armor self tour
1) Tip of the Week: Have an open discussion with your top executives
Have you ever thought about what you trust the "top person" in your organization to be doing that supports your objectives? Do they know how important their support is to you being successful?
We hear about the gap between executives' perception of their security risk posture, and what their team's assessment of the situation is. That won't change if you don't have conversations about alignment of your goals and resources.
The top executives are trusting you to efficiently and effectively communicate with them, so they can make decisions on what areas to invest in.
Speak up, and help your leaders fill in that gap.
[And, of course, it's a two-way street. Leaders need to be eliciting strategic information and feedback from their team, and building trust within those communication channels.]
Trusted communication between leaders and their teams is as important as how employees exercise trust in daily communications with co-workers and strangers. If you do one thing today, let it be booking a 1-on-1 with an executive to have an open discussion on how you can both support each other.
2) Cyber in the News: 31% of breaches involved data solely stored in the cloud
According to the most recent IBM Cost of a Data Breach report, 31% of breaches involved data solely stored in the cloud.
It also highlights employee training as being one of the top 3 key factors in helping reduce data breach costs. This points to a growing need for employees to be trained on how to do proper cloud-based authentication, and to manage access controls, while being able to recognize advanced social engineering and phishing risks. This article from IBM Canada has a Canadian perspective. But the broader report has excellent insights for businesses in all countries.
Give it a read:
3) Click Armor Blog: The biggest cyber attacks of 2024 so far
Now that we've crossed the halfway point of 2024, it's a great time to reflect on the biggest breach trends of the year. It's been busy: IT shutdowns, malware galore, and the Mother of All Breaches (Can you believe that was this year?).
Read through our latest blog and see what trends you notice, which trends you're most vulnerable to, and what you can do before the year ends to make your organization better protected:
4) LIVE PANEL: Keeping your employees engaged with microlearning
If you've ever taken an hour-long, online compliance training course, you'll know why they aren't the best way for employees to learn.
In our next live CSAF panel session on August 21st at 1pm EDT, we'll explore some of the best practices and pitfalls of microlearning within security awareness and human risk management programs. You can sign up and join the live audience Q&A HERE.
5) MSP Cyber Roundtable Podcast recording
This week, Ryan H. and I joined Matthew Fisch, CISSP from FortMesa to explore the benefits and challenges of phishing simulations, particularly from a Managed Service Provider (MSP) point of view. It started with a great, casual chat. Then Matthew spent some time covering CompTIA security training programs available to MSPs and other IT professionals. During the remainder of the session we dove into the world of phishing simulations, how they can benefit MSPs, and the subtle aspects of phishing tests that can make the difference between end user security awareness success and failure.
You can view the recording HERE.
6) Rottenphish: Does your phishing test program even make sense from an employee perspective?
Have you ever looked at your phishing test program, and its execution, from an employee's point of view, to make sure it makes sense?
This individual on Reddit says a co-worker reported a phishing email, was told by the security team that it wasn't phishing, proceeded to open it, and then was immediately enrolled in the anti-phishing classes.
The co-worker took the correct precaution by reporting a suspicious email, but was then tricked into opening it anyway.
How likely is it that this employee will ever report an actual phishing attack in the future? In fact, they'll probably never want to consult with the security team again.
This goes to the whole issue of making sure employees of organizations that run live phishing tests understand why and how these tests are conducted. Regardless of the debate around whether phishing tests are ethical, I believe that employees do need to be informed some time in advance that phishing tests are being run on an ongoing basis.
They need to understand that these tests are not (or at least shouldn't be) just bureaucratic compliance exercises.
This includes making sure employees know what the correct actions are to take when they suspect they have received a phishing message (not just a test). And, of course, the Service Desk must have consistent responses when employees inquire about a message.
Then the employee would be expected to treat every suspicious message the same, whether it is a test or not.
Remember your team should be there to support and educate your employees, not trick them into failing or taking more training.
7) Choose your own security awareness adventure in a Click Armor self tour
Why not learn about the drivers for security awareness, and the benefits of gamified security awareness training by experiencing our new self tour?
Start your journey to learn more about our innovative approach to achieving the next level in security training by immersing yourself with our choose your own adventure self tour HERE.
You can also try our publicly available "Can I be phished?" challenge that lets you experience how immersive phishing simulations work HERE.
About Click Armor
Click Armor, The Employee Cyber Confidence Builder, helps teams engage their employees in cyber security awareness and other, role-based security training content.
We have a full range of off-the-shelf, easy to deploy foundational courses, assessments, and microlearning modules that are all gamified with interactivity and visually dynamic content that motivates staff to focus and improve their skills.
Click Armor helps make sure employees are ready for live tests and real-world attacks through our unique, immersive exercises that are all designed to build employee engagement and readiness.
Make sure you are using the right tools to build a cyber confident culture, with a strong, positive and inclusive security training program.
If you'd like to see a quick demonstration of how Click Armor can be a key part of your human risk management program, check out this narrated video HERE.
Visit the Click Armor website at: https://www.clickarmor.ca