
 

Cyber Awareness Training Framework

 

Protect Your Organization from Insider Threats 

 

The thought of a data breach brings a headache to executives at every company. Facing lawsuits, harsh fines, and the loss of customer trust is painful for the entire company. Organizations run cyber awareness challenges and security training programs internally and analyze the resulting data to identify and fix weak points in their networks and information systems, reducing their overall risk of a cyber attack. This saves the company a great deal of money in the long run and reduces the likelihood of having to deal with the aftermath of a messy data breach.

Background

In recent years, data has shown that non-malicious (unintentional) insider threats pose the largest cyber risk to organizations. What does this mean? Current employees unknowingly give away sensitive data or access to confidential files through phishing attacks, malvertising, and third-party data breaches (Dropbox, Evernote, etc.). Security experts across the industry agree that cybersecurity awareness courses for employees are the most efficient countermeasure and the easiest to deploy.

 

 

What is the “Non-Malicious Insider Threat”?


Every IT security manager in North America knows that the largest vulnerability in their network and information systems is their employees. Employees have increased exposure to risk through social media and social networking. These interactions reveal alarming amounts of identifying information about the user, and every online interaction and web page visit presents the risk of a malicious cyber attack. All of this social activity makes employees particularly vulnerable to social engineering attacks, especially in interactions that involve a credit card. Most employees are focused on their day-to-day tasks at work and are unlikely to make the link between what they do on their computer and the security of the organization. Many training efforts are made, such as annual training, but these are often expensive and futile if not done right.

The answer to this issue is a cyber awareness challenge resource center combined with employee education. In sectors such as healthcare, education, and finance, awareness courses are required so that employees comply with numerous regulations and laws. This training and teaching is a primary component of the Cybersecurity Awareness framework.

 

Email facilitates phishing and puts accounts at risk

  • Phishing-related compromises were responsible for $750 million in losses between October 2013 and August 2015 according to Krebs on Security.
  • The 2015 Verizon Data Breach Report reveals that phishing emails have an open rate of 23% with 11% of the opens clicking on attachments.

 

Websites can be a platform for drive-by downloads and infection

  • If a website is compromised, the attackers can plant drive-by downloads that deliver malware to visitors
  • The 2016 Webroot Threat Brief states that suspicious URLs are not always easy to spot, and impersonators are frequently successful.

 

The increase of mobile phones provides new means for social engineering

  • Vishing is phishing by voice, such as phone calls. Callers impersonate other organizations and extract valuable information.
  • Historically, 67% of people asked have given out personal information, such as social security numbers, over the phone.


 

How a single employee can lead to a shutdown of normal business operations

North America faces a large number of threats. In early 2016, the Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 to cyber criminals to regain access to its data and systems after becoming infected with ransomware.

Ransomware spreads via compromised websites or malicious email attachments. It blocks access to files on the network by encrypting them with an algorithm that cannot practically be broken, and some attacks even demand payment by credit card. The hospital spent almost an entire week without the use of its computer information systems and operating systems, and had to revert to paper forms.


Who Should Be Held Responsible?

For example, say a spear-phishing attack occurs at your company. Employees receive an email from "the IT Administrator" asking everyone to update their business login because of a recent security breach. The email contains a link to a malicious site that infects computers with malware. Only minutes after the email was sent out, the organization's network is down from a malware attack, and you face the risk of losing all the company data. Spear-phishing attacks are particularly detailed when they use information derived from employees' social media and social networking accounts. The identifying information taken from employees' personal accounts can be leveraged to extract classified information from an organization. With information like this out in the open, and without a proper training course, employees are exposed to significant risk.


Who Is To Blame?

Employees who are not cyber-aware and educated on the topic cannot be expected to keep up with the rapidly developing tactics of cyber criminals around the world. On the other hand, IT managers do not have the ability to watch every web page visit and email communication that each employee makes. In this case, it is the lack of cyber security awareness that indirectly let attackers into the network.

 


 

Cyber Security Awareness Training and the Law


Employee awareness and education is necessary to comply with several regulations. The Department of Defense resource center follows the NIST guidelines for cyber awareness training and course completion.

 

A few relevant laws and regulations regarding the application of awareness training include:

  • Payment Industry: Payment Card Industry Data Security Standard (PCI DSS) §12.6
  • Public Companies: Sarbanes-Oxley (SOX) §404(a).(a).(1)
  • Federal Agencies: Federal Information Security Management Act (FISMA) §3544.(b).(4).(A),(B)
  • Healthcare: Health Insurance Portability & Accountability Act (HIPAA) §164.308.(a).(5).(i)

*It is important to note that many States have additional cybersecurity course completion requirements within their privacy laws*

 

Security Awareness Training Regulations

 

Cyber awareness training is a commonly identified route to protecting businesses and government bodies such as the Department of Defense. By educating users, they substantially reduce the total number of cyber-related incidents.

 


 

Cyberawareness Challenge Program Evaluation & Certification

Organizations can use the Cyber Awareness Training (CAT) Framework as a tool to evaluate which level best fits their current cyber policies.

Awareness Training Levels

Level 1: Training only takes place after a security incident occurs. At this level, organizations have little to no cyber awareness and the training program put into place may not get a lot of support internally. 

Level 2: At this level, the organization receives periodic training such as quarterly newsletters, posters, infographics, or semi-annual/annual training seminars. The training program can be updated periodically as well, to stay updated with industry trends and weak organizational points. 

Level 3: Training is mandatory for everyone in the organization and the analytics are tracked (test scores, course completions, phishing scores, etc.). The training process can be updated to changes in technology and industry.

Level 4: In level 4, organizations have flexible training plans which are mandatory for each employee. Metrics and data are tracked in this training program for each employee. Security professionals gather feedback from users and look at the data to continuously update their program for the best results.

 

A successful cyberawareness training (CAT) program should follow a continuous five step loop:

 

  1. Plan and set measurable goals and objectives
  2. Establish a baseline
  3. Develop data-driven training plans
  4. Analyze, track, and measure data
  5. Verify, improve and repeat sequence

 


 

By following these five steps, an organization can achieve success and be in compliance with many Federal, State and Department of Defense regulations using a CAT Framework level 3 or 4 training program.

 

1.) Plan and Set Measurable Goals and Objectives

The first step is significant for executives and IT managers, so they are on the same page when evaluating goals and objectives. The goal should be attainable and measurable. Make sure to set a timeline for your goals to ensure that you will complete them on time. When developing your goals, lay out a clear strategy of how you will achieve them. 


Lay out which topics you want to cover in the security education and training program. Depending on the industry, the questions will differ based on current regulations, common cybersecurity issues, course completion, and user error.


 

Action

Define achievable, measurable goals and objectives for your organization.

Define the curriculum of topics and learning objectives for your organization. Define how goals will be measured and the timeline in which all of these new changes will be implemented.

Result

Cyber Training Policy

 

Cyber Training Plan 

 

 

2.) Establish a Baseline

Gather an initial data set before implementing your new action plan. This data will be used to measure the effectiveness of your goals and objectives.

 


 

Example

Goal: Reduce security-related incidents by 75% over the next quarter. 


Action: Figure out the number of security-related incidents that you had last quarter and calculate the value you need to achieve for the next quarter.

Make your employees aware of your efforts after you take your baseline data for the best results. They will be more likely to be mindful of the fact that security-related incidents are being monitored more closely, which is the entire purpose, to raise awareness!

 

Action

Collect a baseline data set to establish where your organization stands as of the start of your training program.  

Result

Cyber Training Report

 

 

 

3.) Implement Data-Driven Training Program

During the implementation stage, deliver the training with guidance to your organization. Let them know what you are trying to accomplish and check in with employees.

Are they finding the material useful? Is the material applicable? Training can take place online, during employee onboarding, or in person through a class. 

 


 

Action

Explain/Implement training

 

Run training program

 

Result

Increase in Cyber Awareness

 

Training participation log,

Course completion reports, individual’s quiz scores, Certifications, etc.

 

 

4.) Analyze, Track, and Measure Data

Regularly monitor and measure your data. Gather various metrics so you can compare results over time; data relating to the goals you created in step 1 will be the most useful. Participation should always be measured. Segment employees into relevant groups, for example management and staff, or retail and HQ. Measure content by how engaging it is to your stakeholders: understanding which type of content delivered to employees is effective and painless is critical. Content such as infographics, 30-second video animations, 5-minute SCORM videos, text messages, and the like plays a significant role in effective security awareness training and information assurance. Finally, ask employees for feedback and their thoughts on the program.

Are there ways the program can be improved? Is this a valuable use of their time?

 


 

Action

Gather Data and metrics from training courses

 

Interview Employees 

 

Result

Measurable results from employees

 

First-person feedback to enhance/improve training, frequency, engagement, and type of content that works.
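The baseline and target calculation of step 2 and the segmented metrics of step 4 are easy to make concrete in a few lines of code. The following is an added example, not code from the page or from Securable: it defines a small constructed set of training records (the field names are assumptions for the example), derives the incident target from a baseline and a percentage goal, computes participation, average quiz score and controlled-phishing click rate per employee segment, and flags the segments that exceed a chosen click-rate threshold so step 5 knows where to adjust frequency or content.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrainingRecord:
    """One employee's results for one training cycle (constructed schema)."""
    employee: str
    segment: str         # e.g. "management", "staff", "retail", "hq"
    completed: bool      # finished the mandatory course this cycle
    quiz_score: int      # 0-100, meaningful only when completed
    phish_clicked: bool  # clicked the link in the controlled phishing test


# Constructed sample data for this example; not real results.
SAMPLE_RECORDS = [
    TrainingRecord("alice", "management", True, 90, False),
    TrainingRecord("bob", "management", True, 70, True),
    TrainingRecord("carol", "staff", True, 85, False),
    TrainingRecord("dave", "staff", False, 0, True),
    TrainingRecord("erin", "staff", True, 60, True),
    TrainingRecord("frank", "retail", False, 0, False),
    TrainingRecord("grace", "retail", True, 95, False),
    TrainingRecord("heidi", "hq", True, 80, False),
]


def target_incidents(baseline_incidents, reduction_pct):
    """Step 2: turn last quarter's count and a percentage goal into the number to hit."""
    if not 0 <= reduction_pct <= 100:
        raise ValueError("reduction_pct must be between 0 and 100")
    return baseline_incidents * (100 - reduction_pct) / 100


def goal_met(baseline_incidents, current_incidents, reduction_pct):
    """Step 5 check: did this cycle reach the target derived from the baseline?"""
    return current_incidents <= target_incidents(baseline_incidents, reduction_pct)


def segment_metrics(records):
    """Step 4: participation, average quiz score and phishing click rate per segment."""
    groups = defaultdict(list)
    for record in records:
        groups[record.segment].append(record)

    metrics = {}
    for segment, rows in groups.items():
        completed = [r for r in rows if r.completed]
        metrics[segment] = {
            "headcount": len(rows),
            "completion_rate": round(len(completed) / len(rows), 3),
            # Quiz scores only count for people who actually took the course.
            "avg_quiz_score": (round(sum(r.quiz_score for r in completed) / len(completed), 1)
                               if completed else None),
            "phish_click_rate": round(sum(r.phish_clicked for r in rows) / len(rows), 3),
        }
    return metrics


def weakest_segments(records, max_click_rate=0.25):
    """Segments whose click rate exceeds the threshold (an assumed value) need attention first."""
    return sorted(segment for segment, m in segment_metrics(records).items()
                  if m["phish_click_rate"] > max_click_rate)


if __name__ == "__main__":
    print("Target for a 75% reduction from 40 incidents:", target_incidents(40, 75))
    for segment, m in segment_metrics(SAMPLE_RECORDS).items():
        print(segment, m)
    print("Segments needing attention:", weakest_segments(SAMPLE_RECORDS))
```

Replacing `SAMPLE_RECORDS` with an export from the training platform is all that is needed to run this over real data; the threshold in `weakest_segments` should be set from the organization's own baseline rather than the constant used here.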

 

 

5.) Verify, Improve, and Repeat Step 1

In the last stage of the lifecycle, review the information systems, cyber awareness challenges, and the data gathered during the Analyze, Track, and Measure phase. Use this information to make improvements and enhancements to your current cyber training program.

Are employees struggling with a certain topic? How are employees handling controlled phishing tests? Do we need to increase the frequency? Should users print their certificates to show pride? Do they complete the course? Do they understand the organization's security systems?

These are all valuable questions you can ask yourself after you have your data. By verifying and improving, you can ensure that your cyber training program will continuously evolve and become stronger.

 


 

 

Action

Review Cyber Training Report, other results gathered throughout the lifecycle, top threats, infosec policy changes, and new technology introduced.

 

Identify changes to the current security training program.

Result

 

Updated Training Policy

 

 

Updated Training Plan

 

 

Conclusion

IT professionals and executives should know that "people" are the largest risk to their cybersecurity systems. In particular, the "non-malicious insider threat" poses the largest risk to organizations. Organizations should start a cyber awareness challenge, evaluate their current cybersecurity framework, and find which level they fit in. Next, begin developing measurable goals and an action plan. Your cyber framework should be updated regularly to keep up with the ever-changing trends of cybersecurity. Many industries have some form of regulation or mandatory employee security training. Securable offers a data-driven awareness challenge solution that allows IT managers and executives to analyze the results of their employees and make necessary adjustments over time. This data-driven approach is much more effective than traditional annual training and other training requirements.

 
