Security Awareness Training

2018-08-13T17:11:10Z

When I work with a client, that has no formal information security plan or framework, the first thing I recommend getting started on is an security awareness program. This is a fancy way of saying "training staff how to identify, reduce, and react to suspicious activity including physical and digital."

I've heard statistics "91% of successful attacks begin with attacking people - not technology" John Lacour / TedXCharleston"

Once an employee clicks on a malicious email, accepts a remote support call, clicks a link to open a malicious website, the boundaries of what the attacker has access and control to are immediately considered to be everything. Owned.

The other issue is that if an attacker can hijack an employees account, it's going to be much harder for detection controls to pickup that the network has been breached. For example, if an outside attacker attempted to bypass your firewall with an attack, or multiple failed logins, ideally that will be detected and alerted upon. But if the attacker is able to browse data under the disguise of a legitimate user, that detection will be much harder to detect.

A good security awareness training includes the what, how, and why.

What are the methods attackers will try?
How should users identify these attempts, and how should they respond?
Why is it important that they do this? What is at risk?

There are some great online training programs like PhishLabs. Onsite training is great, and has the benefit of being customized to your specific risks and culture.

If you're interested in getting started give us a call or shoot us an email to talk more about what a security awareness training session can do for you.

The post Security Awareness Training appeared first on Anthony Asher.