Why would an MSP publish an article sharing ten best practices from the top cybersecurity training companies? Because we partner with most of the computer-based educational providers quoted in this article or help administer their cyber training services for clients. We have first-hand experience with their security awareness content and can vouch for its effectiveness in changing user behavior. Moreover, each organization gets high marks from Gartner Peer Insights. So, with that in mind, we’ve compiled the wisdom we’ve learned from working with our security training partners. Here are some of our favorites.
Cybersecurity Training Best Practice #1 from KnowBe4
As Erich Kron, Security Awareness Advocate for KnowBe4, advises, “Don’t just worry about technology; you need to worry about humans.”
According to Thales Group, “Human error is cited as the number one global threat to an organization’s cybersecurity.”
Kron continues, “Nothing has changed in the last 30 years, and the primary target will always be employees.”
Even if your network is a fortress, technical protections are no match for con artists who know how to convince people to open the door.
Best Practice: Worry about humans.
Since the people factor is your weakest link, changing habits is job number one. Your MSP can procure KnowBe4 training modules on your behalf and administer the curriculum for the same fees as buying directly from KnowBe4.
Learn More: Integris Cybersecurity Awareness Training
Cybersecurity Training Best Practice #2 from Cofense
Cofense PhishMe conditions your employees to focus on today’s most relevant threats. And phishing takes this inauspicious prize.
Phishing is a social engineering tactic designed to trick recipients into providing confidential information or clicking on links that deposit malware on the user’s computer.
With Clario estimating that one in 99 emails is a phishing email, teaching your team to stay alert and spot fraudulent messages is critical.
Best Practice: Teach everyone to identify phishing scams.
Scammers employ a wide range of delivery systems to trick users:
- Emails
- Text Messages
- Digital Display Advertisements (that look real but aren’t)
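The indicators described above (deceptive links, urgency, lookalike sender domains) can be checked mechanically as a first line of defense before a message reaches a user. The following scorer is an added example, not code from this article or from Cofense; the trusted-domain list, the two sample messages and the scoring thresholds are constructed for illustration.

```python
"""Added example (not from the original article or any vendor): score a
message on common phishing indicators. TRUSTED_DOMAINS, URGENCY_WORDS and
the sample messages are constructed assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this fictional organization legitimately uses.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}

# Constructed: phrases that pressure the reader into acting without thinking.
URGENCY_WORDS = ("urgent", "immediately", "suspended",
                 "verify your account", "within 24 hours")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (enough for the .com/.net samples here)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_lookalike(domain: str) -> bool:
    """Flag punycode hosts and brand-name-plus-noise domains such as
    example-bank-secure-login.net that are not actually on the trusted list."""
    if domain in TRUSTED_DOMAINS:
        return False
    if domain.startswith("xn--") or ".xn--" in domain:
        return True
    first_label = domain.split(".")[0]
    return any(t.split(".")[0] in first_label for t in TRUSTED_DOMAINS)


def score_message(sender: str, subject: str, html_body: str) -> tuple[int, list[str]]:
    """Return (number of indicators found, human-readable reasons)."""
    reasons = []
    sender_domain = registered_domain(sender.split("@")[-1])
    if sender_domain not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {sender_domain} is not trusted")

    text = (subject + " " + html_body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, visible in parser.links:
        dom = registered_domain(urlparse(href).hostname or "")
        if looks_like_lookalike(dom):
            reasons.append(f"lookalike domain in link: {dom}")
        elif dom not in TRUSTED_DOMAINS:
            reasons.append(f"link to untrusted domain: {dom}")
        # Link text that shows one URL while the href points elsewhere.
        if visible.startswith("http"):
            shown = registered_domain(urlparse(visible).hostname or "")
            if shown != dom:
                reasons.append(f"link text shows {shown} but points to {dom}")
    return len(reasons), reasons


# Constructed sample messages (sender, subject, HTML body).
PHISH = ("it-support@example-bank-secure-login.net",
         "URGENT: your account will be suspended",
         '<p>Please <a href="http://example-bank-secure-login.net/verify">'
         'https://example-bank.com/login</a> within 24 hours.</p>')
LEGIT = ("hr@example.com", "Holiday schedule",
         '<p>See the <a href="https://example.com/hr/holidays">holiday calendar</a>.</p>')

if __name__ == "__main__":
    for msg in (PHISH, LEGIT):
        count, why = score_message(*msg)
        print(msg[1], "->", count, "indicator(s)", why)
```

The scorer counts independent indicators rather than returning a verdict, so a training program can show users exactly which cue they should have noticed; the link-text mismatch check is the one most people miss because mail clients render only the visible text.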
Cybersecurity Training Best Practice #3 from SANS Institute
SANS Institute recommends shifting your organization to Zero Trust Network Access (ZTNA).
ZTNA is a framework with three foundational principles:
- Never trust and always verify each person’s attempt to access the network.
- Implement least privilege access, so employees can reach only the resources their job function requires.
- Assume a breach will happen; prepare for the worst-case scenario.
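The three principles translate directly into a deny-by-default access decision: verify identity freshly on every request, check that the role is entitled to the specific action, and record every decision because a breach is assumed. The evaluator below is an added example, not code from this article or from SANS; the roles, resources, the ten-minute verification window and the sample requests are constructed assumptions.

```python
"""Added example (not from the article or SANS): a deny-by-default access
policy that encodes the three ZTNA principles. ROLE_RESOURCES,
VERIFY_WINDOW and the sample requests are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Never trust: an identity check older than this must be repeated.
VERIFY_WINDOW = timedelta(minutes=10)

# Least privilege: each role may touch only the resources its job needs.
ROLE_RESOURCES = {
    "payroll-clerk": {"payroll-db": {"read", "write"}},
    "support-agent": {"ticketing": {"read", "write"}, "payroll-db": {"read"}},
}

# Assume breach: every decision, allowed or denied, is recorded for review.
AUDIT_LOG: list[dict] = []


@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified_at: Optional[datetime]  # None = never verified this session
    device_compliant: bool
    now: datetime
    # Deliberately no "on the office network" field: location is not trust.


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    allowed, reason = False, "denied by default"
    if req.mfa_verified_at is None or req.now - req.mfa_verified_at > VERIFY_WINDOW:
        reason = "identity not verified recently; re-authenticate"
    elif not req.device_compliant:
        reason = "device failed posture check"
    elif req.action not in ROLE_RESOURCES.get(req.role, {}).get(req.resource, set()):
        reason = f"role {req.role} is not entitled to {req.action} on {req.resource}"
    else:
        allowed, reason = True, "verified identity, compliant device, entitled role"
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "action": req.action, "allowed": allowed,
                      "reason": reason, "at": req.now.isoformat()})
    return allowed, reason


# Constructed sample requests at a fixed clock time.
NOW = datetime(2022, 6, 1, 9, 0)
FRESH = NOW - timedelta(minutes=2)
STALE = NOW - timedelta(minutes=30)

READ_OK = AccessRequest("alice", "support-agent", "payroll-db", "read", FRESH, True, NOW)
WRITE_NO = AccessRequest("alice", "support-agent", "payroll-db", "write", FRESH, True, NOW)
STALE_NO = AccessRequest("bob", "payroll-clerk", "payroll-db", "write", STALE, True, NOW)
DEVICE_NO = AccessRequest("bob", "payroll-clerk", "payroll-db", "write", FRESH, False, NOW)

if __name__ == "__main__":
    for r in (READ_OK, WRITE_NO, STALE_NO, DEVICE_NO):
        print(r.user, r.action, r.resource, "->", evaluate(r))
    print(len(AUDIT_LOG), "decisions logged")
```

Note the order of checks: identity and device posture are evaluated before entitlement, so a stale session is refused even for a user who would otherwise be allowed, and a denied request still produces an audit record that a SOC can correlate during an investigation.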
We employ the word “shifting” because training users to incorporate new behaviors across the hybrid cloud (traditional servers and hosted applications) is a process.
However, it’s worth the effort. Why? ZTNA is one of the most effective ways to compensate for weaknesses in perimeter defense tools (Advanced Threat Protection, Firewalls, XDR) and human nature.
Perimeter defense is like building higher, stronger walls around a mansion. Here’s the problem: protective measures are useless if your family makes innocent mistakes or a rebellious teenager goes rogue and opens the front door.
Best Practice: Require everyone to verify their identity for every login.
Learn More: 4 Minute Zero Trust Explainer Video
Cybersecurity Training Best Practice #4 from Phish Labs
Phish Labs has a social media monitoring solution incorporating open-source intelligence (OSINT) into its training curriculum.
According to Recorded Future, “OSINT is derived from data and information available to the general public. Although the so-called ‘surface web’ is an important component, it’s not limited to what you can find using Google.”
While honorable cybersecurity professionals employ OSINT to optimize protective measures, scammers abuse it.
Phish Labs identifies threats before they become your problem. For example, fake Facebook business accounts get flagged before users interact with these pages and unwittingly open doors to your network.
Best Practice: Limit information exchange on social media.
Protect your social media footprint by resisting the urge to add new and unvetted connections, oversharing personal details, and griping.
I logged onto Reddit a few weeks ago, where a network engineer at a public company was complaining about a software patch that was taking way too much time. Cyber thieves love this kind of insider information.
Learn More: Social Media Attacks Double in 2021
Cybersecurity Training Best Practice #5 from Ninjio
Ninjio brings Hollywood storytelling and engagement to cybersecurity training with a TV library of short videos organized by seasons and episodes.
Next-level animation and catchy titles like “Bad Robot,” “The Attack of the Apps,” and “Gone Catphishing” are perfect fare for busy professionals who want a fresh take on dry subject matter.
In Keeping Your Company Safe, Ninjio advises, “Establish incident reporting mechanisms and don’t penalize employees for being transparent. Companies should incentivize open communication from employees about potential cyberattacks, even in cases where those employees may be at fault.”
Encouraging openness is an intelligent strategy because most of us are guilty of risky cyber practices. According to IBM, human error is the leading cause of 95% of cybersecurity breaches.
Best Practice: Disclose your mistakes immediately. You’re not alone.
Cybersecurity Training Best Practice #6 from Terranova Security
Cybersecurity scams light up our smartphones with voice calls and text messages designed to extract personal information. In the spirit of phishing, fraudsters employ “vishing” and “smishing” techniques to catch us off-guard. Common tactics include:
- Automotive Warranty Expirations
- Tax Liens
- Real Estate Buy-Out Offers
- COVID Vaccine Follow-Ups
According to Terranova Security, “Employees can counter vishing and smishing attempts by never handing out personal information over the phone and never clicking on links included in unsolicited SMS messages.”
How prevalent is smishing? I received two smishing emails from someone pretending to be our CEO while writing this blog.
Best Practice: Disengage from random phone solicitations and delete suspicious text messages.
We recommend taking it a step further. Block offending phone numbers and text messages from your device. This action won’t block all new offenders, but it’s an incremental step in the right direction.
Learn More: How to Avoid Unwanted Calls on iPhone
Cybersecurity Training Best Practice #7 from Ziff Davis (Inspired eLearning)
“Be aware of in-person social engineering,” advises Inspired eLearning.
“While phishing has become the most common form of social engineering, there are still many other forms that can be a danger to any organization. As we have become more and more vigilant against clicking on malicious links in suspicious emails, some social engineers have gone back to the classic person-to-person approach.”
People taking advantage of people is the oldest tactic in the book. This “live” version of social engineering is nothing but good old-fashioned con-artistry.
Best Practice: Be wary of overly friendly strangers who immediately ask for a favor.
Social engineers exploit trust, fear, politeness, and helpfulness to manipulate victims.
For instance, the Reddit user we mentioned in section four opened himself up to a phone call from a threat actor posing as an altruistic network engineer willing to “lend a hand” with the patching project.
You also need to look out for strangers following a group of people into an office. In less than 30 seconds, professionally dressed scammers can breeze through your suite and leave with an executive’s $2,000 laptop.
And the laptop is the least of your worries. Its data or its window into other corporate assets may be worth millions.
Learn More: Tailgating
Cybersecurity Training Best Practice #8 from Barracuda PhishLine
Barracuda’s PhishLine combines email protection with cybersecurity training into a unified solution. This combination of mutually interdependent offerings underscores the benefit of taking a multi-layered approach.
Barracuda email protection, app, cloud security, network security, and data protection solutions are available separately. However, rolling more functions into one platform simplifies delivery and provides a single source of truth.
If Barracuda filters your email, they will have native insights to correlate with cybersecurity user activities during phishing simulations. They’ll probably experiment with tighter spam blocking settings if cyber training test scores reveal the client has employees who click on everything in sight.
Best Practice: Reduce cybersecurity vendor sprawl by consolidating complementary solutions.
Don’t worry; your MSP can manage this for you. They’ll also give Barracuda high marks for making their job easier.
Cybersecurity Training Best Practice #9 from Security Mentor
Working from home means implementing cybersecurity for your remote workforce. The analysts at Ladders predict that 25% of all professional jobs in North America will be remote by the end of 2022.
Best Practice: Secure your remote workforce.
Security Mentor believes there is room for improvement, citing the following red flags:
- 56% of employees use a personal computer to work from home
- 25% don’t know the security protocols on their devices
- 20% said their IT department didn’t provide working from home tips
If reaching the office network from home is more straightforward than reaching it from inside the office, it’s time to engage your IT department or MSP. There’s a good chance your remote access setup needs fine-tuning.
Cybersecurity Training Best Practice #10 from Sophos (Phish Threat)
As per Sophos, “The lack of skilled resources to investigate and respond to incidents is one of the cybersecurity industry’s biggest problems today.”
They continue, “This problem is so widespread that, according to ESG Research, ‘34% say their biggest challenge is that they lack skilled resources to investigate a cybersecurity incident involving an endpoint to determine root cause and the attack chain.’”
Best Practice: Get help creating an incident response plan.
Learn More: Integris Incident Response
Adopting More Cybersecurity Best Practices in Your Business
Cybersecurity best practices are easier to implement with the help of an experienced IT partner. We praised a wide range of experts, most of whom sell their services indirectly to businesses through MSPs.
Many of these companies will change hands in five to ten years.
Why? Cybersecurity training companies are SaaS-based (Software as a Service), which means they’re on the radar of larger SaaS entities for roll-ups.
Your MSP is one step ahead of imminent consolidation initiatives and can insulate you from the drama. They’ll select the best solutions, so you stay safe, regardless of name and ownership changes.
To learn more, explore Integris vCIO Services Today.