User Security Awareness Training–Strengthening Your Frontline of Defence
Today, attacks on IT infrastructure and cloud networks have become even more prevalent. As more employees work from home and use their devices for business, the visibility of security teams has been reduced. Therefore, there are more blind spots and dark corners where attacks can go undetected.
According to the Canada Revenue Agency, as of July 2021, there have been 40,341 scams reported, 28,517 victims, and $105 million lost. Scams and frauds are becoming more efficient, as the financial damage from 2021 has already caught up with the 2020 financial toll of online scams in Canada.
Many wonder, throughout the constant barrage of phishing emails and social engineering attacks, if there is an end to it. Is it possible to navigate this minefield of hackers, malware, ransomware, scammers, and outright fraud?
To combat these growing threats, experts will often recommend more Security Awareness Training to establish an initial line of defence. This blog will look at the purpose of user awareness training, how to evaluate your employees, and why it’s essential for everyone to have a security-first mindset.
The Purpose of User Awareness Training
The most challenging aspect of information security is your users – the one thing you cannot fully control.
Amateurs hack systems. Professionals hack people. — Bruce Schneier
Although many companies try to secure their environments, we still see many security issues resulting from poor password practices and a lack of general security awareness. In this area, some will argue, “But don’t they already know that?” It’s true that many have a general understanding of security, but it only takes one who doesn’t to compromise an entire organization.
Evaluating Your Employees
Google has registered 2,145,013 phishing sites as of Jan 17, 2021. This is up from 1,690,000 on Jan 19, 2020 (up 27% over 12 months). — Tessian
Do you know if your employees can spot common tell-tale signs of phishing emails? Would your employees download an attachment from an unknown sender? There are many ways to test your employees.
One method is to conduct phishing simulations. The goal is to identify the people who fall for the simulated email so that you can educate them about what to look out for next time. You can also have a banner or landing page appear the moment someone clicks, explaining what the ramifications of a real incident would have been.
The Effectiveness of Good Security Awareness Training
Usually, the initial round of this strategy is quite effective at exposing poor security practices. A first phishing simulation typically catches 20-40% of average, non-technical users. That means up to 40% of users could trigger a bad outcome for the organization.
Once training starts, these numbers fall to about 10-15% in the first six months and 2-10% after a year. However, there are several reasons to continue the program beyond this point, even when phishing simulations no longer catch many users:
- Staff turnover: ensuring new employees are getting the training they need.
- Developing threats: having a regular training cadence ensures up-to-date knowledge.
- Security first (most important): keeping security at the forefront of the entire company’s consciousness.
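The phishing-simulation method and the click-rate numbers above can be turned into a small scoring routine. The following is an added example written for this post, not code from IT Weapons or from any simulation platform: it reads a constructed CSV export (the column names and the action values `clicked`, `reported` and `ignored` are assumptions), computes the per-campaign click and report rates, lists who needs follow-up training after a campaign, flags users who clicked in more than one campaign, and picks out users who appear for the first time, which is the staff-turnover case from the list above.

```python
"""Score the results of a phishing simulation programme.

Constructed example for this article. SAMPLE_CSV is made-up data, not an
export from any real campaign; the column names and action values are
assumptions for this example.
"""
import csv
import io
from collections import defaultdict

# Constructed export: one row per user per campaign, recording the "worst"
# action that user took (clicked > ignored > reported).
SAMPLE_CSV = """campaign,sent_on,user,department,action
2021-Q1,2021-01-15,alice,finance,clicked
2021-Q1,2021-01-15,bob,finance,reported
2021-Q1,2021-01-15,carol,sales,clicked
2021-Q1,2021-01-15,dave,sales,ignored
2021-Q1,2021-01-15,erin,exec,clicked
2021-Q2,2021-04-15,alice,finance,clicked
2021-Q2,2021-04-15,bob,finance,reported
2021-Q2,2021-04-15,carol,sales,reported
2021-Q2,2021-04-15,dave,sales,ignored
2021-Q2,2021-04-15,erin,exec,ignored
2021-Q2,2021-04-15,frank,it,clicked
"""


def parse_results(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def campaign_rates(rows):
    """Per-campaign totals plus click rate and report rate (0.0 - 1.0)."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in rows:
        stats = totals[row["campaign"]]
        stats["sent"] += 1
        if row["action"] == "clicked":
            stats["clicked"] += 1
        elif row["action"] == "reported":
            stats["reported"] += 1
    for stats in totals.values():
        stats["click_rate"] = stats["clicked"] / stats["sent"]
        stats["report_rate"] = stats["reported"] / stats["sent"]
    return dict(totals)


def retraining_list(rows, campaign):
    """Users who clicked in the given campaign and should get follow-up training."""
    return sorted(r["user"] for r in rows
                  if r["campaign"] == campaign and r["action"] == "clicked")


def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks distinct campaigns."""
    clicks = defaultdict(set)
    for r in rows:
        if r["action"] == "clicked":
            clicks[r["user"]].add(r["campaign"])
    return sorted(u for u, c in clicks.items() if len(c) >= min_clicks)


def new_joiners(rows, campaign):
    """Users in this campaign who were never targeted by an earlier one.

    Ordering is by the ISO sent_on date, so string comparison is enough.
    """
    sent_on = {r["campaign"]: r["sent_on"] for r in rows}
    this_date = sent_on[campaign]
    earlier = {r["user"] for r in rows if r["sent_on"] < this_date}
    current = {r["user"] for r in rows if r["campaign"] == campaign}
    return sorted(current - earlier)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_CSV)
    for name, stats in sorted(campaign_rates(rows).items()):
        print(f"{name}: sent={stats['sent']} click_rate={stats['click_rate']:.0%} "
              f"report_rate={stats['report_rate']:.0%}")
    print("retrain after 2021-Q2:", retraining_list(rows, "2021-Q2"))
    print("repeat clickers:", repeat_clickers(rows))
    print("first-time targets in 2021-Q2:", new_joiners(rows, "2021-Q2"))
```

Tracking the report rate alongside the click rate matters: a falling click rate with a flat report rate means people are ignoring the lure rather than recognising it, and the reporting habit is what gives the security team early warning of a real campaign.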
Adopting a Security-First Mindset for Everyone
Why is this the most important? Consistent exposure to how attacks happen, and to how an attacker might choose a target, helps develop an instinct: a sense that something about a situation is amiss. It gives employees a gut feeling during daily tasks without having to consciously think about them.
A security-first mindset also helps stave off complacency. After all, an attacker can catch even the most knowledgeable user in a moment of weakness.
While users are sometimes caught because of a knowledge gap, the more likely scenario is that they were busy, reacted to an email, and clicked without thinking. It is far too easy to do. Small reminders to all staff are an effective tool for keeping your team vigilant and safe.
This holds especially true for executive-level users. Even though their time is precious, their elevated access to information makes them a prime target for attackers and corporate spies. There should be no exception to the training regimen, not even for CEOs and Presidents.
IT Weapons can help you take a step forward into the new world of data security with a wide variety of security solutions and services to suit your needs.