Scott's Human Cyber Security Insights for March 17, 2024
Photo by JESHOOTS.COM on Unsplash

Hello Data Defenders! Ready for another edition of Human Cyber Security Insights? Today's newsletter contains lots of valuable information including:

- Why you should increase your training frequency
- How credential stuffing caused a breach at Roku
- Our next CSAF on automation in your security awareness program
- The value of effective physical and cyber security audits
- The importance of communicating phishing test expectations to employees

1) Tip of the Week: Increase employee practice frequency and decrease session durations

Imagine attending one "self-defense" lesson and then being expected to walk through dark alleys all year. Unrealistic, right? So how can we give employees one-off, yearly training and then expect them to spot cyberthreats whenever they appear?

A one-time security awareness training session is not enough for an effective security awareness program. Instead, employees need regular training in a safe and supportive environment, so that they understand how to keep information and systems safe online at all times throughout the year. Ideally, your employees should practice security weekly, even if it's only for 2 or 3 minutes each time.

It might seem unlikely that employees will want to engage with such a frequent program. This may be true for ordinary, static training content.

But it can be implemented with good adoption through regular, interactive, gamified challenges, and with motivational features such as anonymized leaderboards. By making lessons shorter but more fun, you can engage employees more frequently. Employees are more likely to engage, and to remember what attacks look like, when they face them regularly in a known-safe environment; certainly more than they would with annual, big-bang training sessions.

With regular, frequent touch-points, it's easier to introduce timely and helpful updates that reflect current events, or to highlight risks within the tasks your employees are doing, so they can learn and apply new tips in their daily lives.

Want to implement more frequent, shorter, interactive training sessions? Let's chat!

2) Cyber Security News Story - Credential stuffing causes over 15,000 Roku accounts to be hacked

If your employees need proof that using the same password for everything is extremely dangerous, let it be this Roku breach. Over 15,000 accounts were hacked using usernames and passwords taken from other breaches.

With access to these stolen Roku accounts, the attackers not only made fraudulent purchases, they also began selling the accounts for $0.50 apiece. Time to send out password safety reminders!

3) The Live Cyber Security Awareness Forum - How much automation is appropriate for your security awareness program?

Our bi-weekly Live CSAF sessions are free, and are jam-packed with value for security managers and anyone interested in security from an employee awareness and training perspective.

If you have a passion for security awareness, you won't want to miss the next Live CSAF session on Wednesday, March 20, 2024 at 1pm EDT. This discussion will focus on the topic "How much automation is appropriate for your security awareness program?". You can sign up HERE.

You can also join the CSAF community to get notifications for future panel discussions and other resources HERE.


4) Click Armor YouTube Shorts - The value of effective physical and cyber security audits

Audits of physical security are valuable, but they don't need to be time-consuming initiatives that last for months.

In this clip from our last CSAF, Tracie Baldwin, CPP explains the value and practicality of doing physical security audits, as well as why it's important to make it easy for employees to report physical exposures they observe.

Watch the clip on LinkedIn:

5) Rottenphish: The importance of communicating success metrics to employees

This employee passed his phishing tests... or so he thought.

He forwarded the email to IT, took a screenshot of it and sent that to the security team, and still failed the test. What gives?

It's possible that his security team counts opening a suspicious email as a fail, not just clicking on a link. Or maybe the organization's email security software followed the link itself, registering a "click" nobody made. (FYI: some email security tools have no option to turn off link examination in messages, so every test link they scan will look like a click unless your reporting filters those out.)

Imagine taking a math test and writing all the correct answers. However, there was some fine print at the bottom of the page that said, "You should not complete any of the questions; just hand in the blank test." ...And then your teacher tells you, "Sorry, you failed."

You may feel like you're teaching employees a lesson, but you're really just provoking them and sowing distrust, if not "driving them mental".

If you're going to send out phishing tests, communicate the expected response to your team members well ahead of time. The goal is not to trick people; it's to improve the security culture and resilience of the team.

If you expect employees to report any suspicious emails immediately, then tell them beforehand. I guarantee you'll see more passes when employees know what passing actually is.
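Both caveats above, that an email security gateway may follow a test link on its own, and that a reported message should count as a pass, come down to how the simulation's click log is scored. The following is an added example (not from the newsletter, and not any vendor's code) showing one way to score such a log. The log format, the scanner user-agent strings, the 10-second pre-fetch window and the sample events are all constructed assumptions; tune them from your own gateway's behaviour.

```python
"""Score phishing-simulation events so that automated link scanning by an
email security gateway is not counted against the employee, and reporting
the message counts as a pass. Constructed example; all formats are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: substrings that a gateway/sandbox presents in its User-Agent
# when it pre-fetches links. Real products vary; build this list from your logs.
SCANNER_USER_AGENTS = ("LinkScanner/1.0", "SafeLinks-Prefetch")

# Assumption: a click this soon after delivery is a gateway pre-fetch, since
# no person has had time to open the message and follow the link.
PREFETCH_WINDOW = timedelta(seconds=10)


@dataclass
class Event:
    user: str
    kind: str            # "delivered", "click" or "report"
    time: datetime
    user_agent: str = ""


def parse_log(lines):
    """Parse constructed 'timestamp|user|kind|user_agent' lines into Events."""
    events = []
    for line in lines:
        ts, user, kind, ua = line.split("|", 3)
        events.append(Event(user, kind, datetime.fromisoformat(ts), ua))
    return events


def is_scanner_click(click, delivered):
    """True if the click is attributable to security tooling, not a person."""
    if any(tag in click.user_agent for tag in SCANNER_USER_AGENTS):
        return True
    return delivered is not None and click.time - delivered <= PREFETCH_WINDOW


def classify(events):
    """Return {user: verdict}; verdict is one of
    'pass' (reported, no human click), 'clicked_then_reported',
    'fail' (human click, never reported) or 'no_action'."""
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    verdicts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.time)
        delivered = next((e.time for e in evs if e.kind == "delivered"), None)
        human_clicks = [e for e in evs
                        if e.kind == "click" and not is_scanner_click(e, delivered)]
        reported = any(e.kind == "report" for e in evs)
        if reported and not human_clicks:
            verdicts[user] = "pass"
        elif reported:
            verdicts[user] = "clicked_then_reported"
        elif human_clicks:
            verdicts[user] = "fail"
        else:
            verdicts[user] = "no_action"
    return verdicts


def summarize(verdicts):
    """Count verdicts so the campaign report shows passes, not just 'clicks'."""
    counts = {}
    for v in verdicts.values():
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample log: four users, one simulated campaign.
BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
SAMPLE_LOG = [
    "2024-03-17T09:00:00|alice|delivered|",
    "2024-03-17T09:00:03|alice|click|LinkScanner/1.0",   # gateway pre-fetch
    "2024-03-17T09:04:10|alice|report|",
    "2024-03-17T09:00:00|bob|delivered|",
    "2024-03-17T09:12:30|bob|click|" + BROWSER,           # real click, never reported
    "2024-03-17T09:00:00|carol|delivered|",
    "2024-03-17T09:00:02|carol|click|" + BROWSER,         # unknown UA, inside pre-fetch window
    "2024-03-17T09:00:00|dave|delivered|",
    "2024-03-17T09:20:00|dave|click|" + BROWSER,          # real click...
    "2024-03-17T09:21:00|dave|report|",                   # ...then reported it
]

if __name__ == "__main__":
    result = classify(parse_log(SAMPLE_LOG))
    for user, verdict in sorted(result.items()):
        print(f"{user:6} {verdict}")
    print(summarize(result))
```

Without the scanner filter, alice and carol would both be recorded as clicks; with the report rule, alice and dave are credited for doing what they were told passing looks like. Whatever thresholds you choose, publish the resulting verdict definitions to employees before the campaign runs.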

Via @Anthony_Hornsby on Twitter/X

Start remediating your known security vulnerabilities with Click Armor...

Click Armor is the interactive security awareness platform that enables fast and easy remediation of cyber security awareness issues. It engages employees, unlike anything you've seen before, to learn, retain knowledge and improve skills.

Remediation requires engagement. If employees aren't engaged, they won't learn, and they will remain vulnerable.

After 15 years of teaching security awareness, including running large-scale "phishing tests" on my customers' employees, and seeing how people will use any excuse to "disengage" from awareness training, I decided to create Click Armor.

The Click Armor platform is purpose-built to make gamified training and remediation more effective, faster and easier. It uses interactive exercises and simulations to build a more resilient workforce through a more positive user experience.

Imagine how your security culture could be improved if YOU (or one of your organization's top executives) were the central character in your interactive security awareness training experience.

Thanks to Fletus Poston III for allowing me to emulate his likeness and organization in the above screenshot from our Social Engineering course.

Find out how you can get more employees through compliance training faster, strengthen your organization's security culture, and help your employees more effectively avoid phishing and social engineering attacks that target human vulnerabilities.

If you'd like to see a quick demonstration of Click Armor, check out this narrated video HERE.

Visit the Click Armor website at: https://www.clickarmor.ca

Stay tuned for future issues of Human Cyber Security Insights, with news and tips for protecting your business against unexpected losses from cyberattacks.

