Scott's Human Cyber Security Insights for March 25, 2024
Scott Wright, CISA
Speaker | Podcaster | Co-Founder/CEO at Click Armor | Helping build confidence and resilience through engaging, interactive training
Hi Cyber Warriors! Welcome to the last Human Cyber Security Insights newsletter of Q1 2024. In today's edition we cover:
- Identifying the vulnerabilities of virtual offices
- The Nissan breach affecting over 100,000 people
- How much automation is appropriate for your cyber security awareness program? (RECORDING)
- What are the challenges with automated security awareness reporting?
- How do you decide on when "everyone" needs "remedial security training"?
1) Tip of the Week: Identifying the vulnerabilities of virtual offices
As virtual reality becomes more accessible, some businesses are using it to their advantage through virtual workplaces like Todayly. Virtual offices allow remote employees to feel more connected and can potentially increase productivity. However, virtual reality creates a new world that needs new policies.
Since VR is just emerging, the legalities and protective structure aren't well known. You can't be sure what is going to happen to any data or information shared on the platform or who may be party to those "conversations". Before allowing your employees to interact in virtual worlds or offices, review the privacy policies of your chosen platform. Even if everything seems okay, proceed with caution. Start by discussing issues, and even drafting virtual office policies that highlight the level of information that can and can't be shared in conversations in the virtual world, to clarify which conversations should be held in-person.
Additionally, in virtual worlds employees interact as virtual characters. But, how do you know if a character is who they say they are? Before opening a virtual office, ensure your employees have the proper training to identify social engineering attacks and choose code words to validate identities.
Although virtual offices seem like a fun way for your team to connect, know that it also creates more opportunity for data breaches and social engineering (and maybe even other risks such as harassment). Before opening the VR office, consider if your team is ready to handle these new vulnerabilities and issues.
2) Cyber Security News Story - Nissan data breach affects 100,000 individuals
Nissan is contacting over 100,000 customers, dealers, and employees who have been affected by a data breach that was first identified in December. The automotive company says that 10% of the breached records involved government ID documents such as Medicare cards and driver's licenses, and the other 90% were personal information such as dates of birth and loan applications.
Nissan is doing the right thing (at least after the breach), giving anyone affected free identity theft and credit card monitoring services as well as reimbursements for any IDs that will need replacement.
3) The Live Cyber Security Awareness Forum - How much automation is appropriate for your security awareness program? (RECORDING)
Automation can save valuable time. But it can also rapidly propagate errors, and can remove the benefits of personal, hands-on engagement by security managers. In a security awareness program, automating can improve outcomes for the daily tasks where personal involvement is less valuable, like sending out notifications or reminders.
In our latest CSAF, we discussed how much automation should be used in your security awareness program. Watch the recording:
Our bi-weekly Live CSAF sessions are free, and are jam-packed with value for security managers and anyone interested in security from an employee awareness and training perspective.
If you have a passion for security awareness, you won't want to miss the next Live CSAF session.
The next CSAF panel session will be on Wednesday, April 3, 2024 at 1pm EST, and will focus on the topic of "What value do Red Team exercises provide to security awareness programs?". You can sign up HERE.
You can also join the CSAF community to get notifications for future panel discussions and other resources HERE.
4) Click Armor YouTube Shorts - How much automation is appropriate for your security awareness program?
As a quick example of the value from last week's Live CSAF session, Fletus Poston III provided important insights on the challenges of relying on automated reporting.
5) Rottenphish: How do you make the decision that "everyone" needs "remedial security training"?
I might need some help with the reasoning on this one, or maybe we don't have the full context for it... Or maybe it's just a very questionable rationale for who needs remedial training. But this is an interesting situation...
13% of employees failed a phishing test = 100% of employees need to do mandatory security training?
I don't have the full context here, but I guess it's possible that "nobody" had yet taken mandatory training on security risks. So, it might make sense to implement that, but not necessarily because 13% of employees failed a phishing test.
But let's assume everyone had already taken security training.
This employee says 13% of the employees failed a phishing test, so the company put everyone into security training. Although 13% is a big failure rate, it doesn't really warrant the other 87% having to take remedial training.
Ideally, the organization should try to figure out why the 13% clicked on the link, to see if there is a common denominator. Are they all on the accounting team and, as a result, they are currently overwhelmed with tax season? Are they all younger and new to the organization? Do they all have trouble identifying suspicious domains? Was the test fairly implemented?...
And... Did their past training properly educate employees on how to actually spot potential phishing messages?
Finding the pattern that connects the 13% allows you to determine an appropriate response, rather than shooting in the dark and forcing everyone else to complete the training.
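As an added illustration (not from the newsletter or Click Armor), the script below applies the approach above to a constructed set of phishing-test results: it computes the failure rate per segment and flags segments whose rate is well above the overall rate, so the response can be targeted. Team names, the 6-month "new hire" cutoff and the 2x flagging ratio are assumptions.

```python
from collections import defaultdict

def _emp(team, tenure_months, clicked=False):
    """One constructed employee record from a simulated phishing test."""
    return {"team": team, "tenure_months": tenure_months, "clicked": clicked}

# Constructed sample data (not real results): 23 employees, 3 clicked (~13%).
RESULTS = (
    [_emp("accounting", 2, True), _emp("accounting", 4, True),
     _emp("accounting", 30, True), _emp("accounting", 18), _emp("accounting", 60)]
    + [_emp("engineering", m) for m in (3, 9, 14, 22, 36, 48, 55, 72)]
    + [_emp("sales", m) for m in (5, 11, 20, 27, 40, 66)]
    + [_emp("hr", m) for m in (2, 16, 33, 50)]
)

def overall_rate(results):
    """Share of everyone who clicked the simulated phishing link."""
    return sum(r["clicked"] for r in results) / len(results)

def tenure_bucket(months):
    """Assumed cutoff: under 6 months counts as a new hire."""
    return "new_hire" if months < 6 else "established"

def failure_rate_by(results, key):
    """Group rows by key(row) and return {segment: (failed, total, rate)}."""
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        seg = key(r)
        counts[seg][0] += int(r["clicked"])
        counts[seg][1] += 1
    return {seg: (f, t, f / t) for seg, (f, t) in counts.items()}

def overrepresented_segments(results, key, min_ratio=2.0, min_size=3):
    """Segments whose failure rate is at least min_ratio x the overall rate.

    Tiny segments are skipped (min_size) so one click cannot flag a group.
    Returns {segment: ratio_to_overall}.
    """
    base = overall_rate(results)
    flagged = {}
    for seg, (_, total, rate) in failure_rate_by(results, key).items():
        if total >= min_size and base > 0 and rate / base >= min_ratio:
            flagged[seg] = round(rate / base, 2)
    return flagged

if __name__ == "__main__":
    print(f"overall failure rate: {overall_rate(RESULTS):.1%}")
    print("by team:", overrepresented_segments(RESULTS, lambda r: r["team"]))
    print("by tenure:", overrepresented_segments(
        RESULTS, lambda r: tenure_bucket(r["tenure_months"])))
```

Here the accounting team and new hires are the only segments flagged, which is the kind of common denominator the paragraph above asks you to look for before deciding who actually needs remedial training.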
Start remediating your known security vulnerabilities with Click Armor...
Click Armor is the interactive security awareness platform that enables fast and easy remediation of cyber security awareness issues. It engages employees, unlike anything you've seen before, to learn, retain knowledge and improve skills.
Remediation requires engagement. If employees aren't engaged, they won't learn, and will remain vulnerable.
After 15 years of teaching security awareness, including running large scale "phishing tests" on my customers' employees, and seeing how people will use any excuse to "disengage" with awareness training, I decided to create Click Armor.
The Click Armor platform is purpose-built to make gamified training and remediation more effective, faster and easier. It uses interactive exercises and simulations to build a more resilient workforce through a more positive user experience.
Imagine how your security culture could be improved if YOU (or one of your team's top executives) could be the central character in your interactive security awareness training experience?
Find out how you can get more employees through compliance training faster, strengthen your organization's security culture, and help your employees more effectively avoid phishing and social engineering attacks that target human vulnerabilities.
If you'd like to see a quick demonstration of Click Armor, check out this narrated video HERE.
Visit the Click Armor website at: https://www.clickarmor.ca
Stay tuned for future issues of Human Cyber Security Insights, with news and tips for protecting your business against unexpected losses from cyberattacks.