Scott's Human Cyber Security Insights for November 25, 2024

Welcome back, Cyber Champions!

Q4 is always a hustle for us at Click Armor, but I am back this week for more insights and news in the cybersecurity world. Here's what I'll cover today:

- Save yourself time and effort by ditching weekly tests

- The cyber security havoc of Taylor Swift's Eras Tour

- Why I'm deleting my Twitter/X account

- CSAF recording: Prioritizing security awareness training needs among a sea of other corporate training

- Helping vs. just testing your employees


1) Tip of the Week: Save yourself time and effort by ditching weekly tests

As we gear up for the end of the year, cybersecurity managers are likely already planning their 2025 programs. I've talked to some businesses that complete live phishing tests every week – that means 52 tests that either:

  1. a security manager has to create, schedule, and check that messages are appropriate, educational, and deliverable; or
  2. a security manager selects an automated schedule of off-the-shelf phishing templates

For case #1 above, the time commitment is unnecessary and unproductive, and it takes away from the time security managers have to connect with their team members and conduct regular audits.

For case #2 above, a regular barrage of generic, often irrelevant messages is launched across the organization's network, consuming resources and, in the words of one of my consulting colleagues:

"...they are scaring the employees to death, and causing them to send every unexpected email to the help desk, in case it is a test. This is really hurting productivity and the level of trust within the organization."

Neither of these options is desirable, and testing employees at this frequency is unnecessary, for many reasons.

Here are my two pieces of advice:

  • Create a continuous practice environment: Instead of testing employees in their inbox, allow them to practice in a simulated environment (or virtual inbox). This stops you from having to schedule and analyze weekly tests. It's much easier to plan and deploy effective, interactive phishing simulations than it is to manage frequent live tests.
  • Implement automatic feedback on what the employees did right or wrong: Providing interactive feedback not only reinforces learning with employees immediately, but it also saves the security awareness manager from having to do time-consuming manual follow-ups after every test.

Sound like a lot to implement before the new year? Let us help!

2) Cyber in the News: Taylor Swift Eras Tour scams totalling over $70,000 in the GTA

Dozens of people have reported scams related to online tickets to Taylor Swift's Eras Tour in Toronto. Over $70,000 has been reportedly lost just by fans planning to attend the Toronto concerts.

Now is a great time to share tips with your team on how to spot real versus fake online tickets, and what immediate steps they should take if a scam happens to them. Read the details in this CBC article.


3) Is it time to delete your Twitter account? Here's what you need to know

With the degraded quality of content now appearing on Twitter, including abusive activity and disinformation on many levels, it's time to reconsider whether you really want to allow this platform to benefit from information about your actions and posts.

Tom Eston has taken the drastic step of leaving the platform, deleting all of his posts and follows. He shared an important message and tips on how to erase your presence on Twitter in last week's episode of the Shared Security Podcast: The many security issues that prove it's time to leave Twitter.

There can be a few issues when you delete your account, including releasing your old "handle" so that someone else can register it, potentially for malicious purposes such as impersonating you to your former followers.

Regardless, I'm following Tom's lead. Will you?


4) CSAF PANEL SESSION RECORDING: Prioritizing security awareness training needs among a sea of other corporate training

Security awareness training is sometimes viewed by management as "just another one of many corporate training programs."

While it's nice to be able to treat all corporate training efficiently, with similar workflows, security awareness has some important aspects that sometimes get lost when communicating with leadership.

In our latest CSAF live panel session, we discuss how to better represent and communicate your security awareness program needs to management so you can have a better-supported program. See the full recording on our YouTube channel.



5) Security managers need to help employees, not just test them

Are phishing tests helpful at all if you don't act on them?

This Reddit user shared that they failed their company phishing tests three times in their first month, but never received a follow-up email. So, what did they do? They changed their password.

This calls into question what employees are learning about spotting and reporting a phishing attack, a skill this user has clearly demonstrated they need help with.

Although changing a password is good practice, it would not have saved them from entering their credit card information into a fake site or downloading a malicious PDF after opening a real phishing email.

So, how were the security managers using these phishing tests, if at all? Were they just running them to show their cyber insurance company that they have run them?

What's the point?

There's a huge opportunity to help employees learn what they need to know based on failed tests, not just to test them.

If you need help running effective and efficient security awareness training and assessments, please let me know.


About Click Armor...

Click Armor, The Employee Cyber Confidence Builder, helps teams engage their employees in cyber security awareness and other role-based security training content.

We have a full range of off-the-shelf, easy to deploy foundational courses, assessments, and microlearning modules that are all gamified with interactivity and visually dynamic content that motivates staff to focus and improve their skills.

Click Armor helps make sure employees are ready for live tests and real-world attacks through our unique, immersive exercises, all designed to build employee engagement and readiness.

Why Click Armor is the best choice for ensuring employee participation and proficiency in your security awareness and human risk management programs.

We've created a new "self-assessment" that lets you explore the questions of:

  • Why security awareness training is important
  • Why interactive, gamified training is a better way to approach security awareness, and
  • Why Click Armor is the best way to really engage employees to learn and improve their cyber skills

Try our self-assessment HERE.

Make sure you are using the right tools to build a cyber confident culture, with a strong, positive and inclusive security training program.

If you'd like to see a quick demonstration of how Click Armor can be a key part of your human risk management program, check out this narrated video HERE.

Visit the Click Armor website at: https://www.clickarmor.ca
