What Does Your Cybersecurity Training Need to Include?

As we stand on the threshold of a new year, it’s worth noting that the term “cybersecurity” didn’t even enter the common lexicon until the late 1980s. Before that, we just called it “computer security”—mostly involving locking the server room door and hoping nobody guessed the password was “admin.”

Fast forward to today, and the game has changed entirely. “Hoping for the best” is no longer a viable business plan. As you prep your resolutions, it’s time to hit the ground running with a cybersecurity posture that is as modern as the threats we face—a goal that will require training for your entire team.

Let’s go into what this training should cover, and how you can really reinforce the security message you’re trying to share.

Identity and “MFA Fatigue”

With zero trust now the gold standard of protection, identity is the new perimeter. However, hackers now weaponize our own notification habits against us. “Prompt Bombing”—where an attacker triggers dozens of MFA requests in a row, hoping the employee hits “Approve” just to stop the noise—is a real threat to stay cognizant of.

As for training, demonstrate the difference between spoofed notifications and the normal ones your team will likely encounter… all while reinforcing that approving an authentication request they did not initiate themselves is never a good idea.

Social Engineering with AI’s Help

Scams have (unfortunately) come a long way, especially with artificial intelligence readily available to help make them even more convincing. Your job is to ensure that your team is aware of the kind of sophistication that modern threats can feature.

Make sure your team is aware of all the shapes a threat can take (from phishing to vishing to smishing, as well as video deepfakes and the like) and knows what will and will not be asked of them in any situation. Reinforce this message by sharing examples of the threats they could face alongside legitimate messages, and asking them to differentiate between the two… if they can. This is precisely why you need to implement robust verification protocols for all communication methods.

Data Leakage

Generative AI has become a force in almost all aspects of the modern business landscape and economy. While it can be a highly effective tool for boosting productivity, it can also pose a significant risk to your data security and confidentiality.

Most often, the tools that people associate with AI—things like ChatGPT, for instance—are actively taking all data that users put into them and incorporating it into their data repositories. This means that any data you share with an AI becomes part of that AI. Now, let’s say a company shares some of its proprietary data in an effort to organize it better or come up with improved insights. That data is then public record, and could easily be duplicated on other people’s prompts.

Fortunately, this can be avoided. Give your team members sample documents and ask them to properly anonymize their contents before sharing them with AI. This will help them stay mindful of how careful they need to be when using these kinds of tools.

Shadow IT

How often do your team members turn to external tools, like unvetted software or personal cloud accounts, to accomplish the goals you’ve laid out for them? Not only is this a sign of miscommunication between team members and team leadership, but it also exposes your business to various threats and the risk of data theft.

To protect your business from the insidious threat of shadow IT, have your departments audit and map where the data they are responsible for is stored. It may be enough to get them on board with more centralized, approved tools.

Insider Threats

While the phrase “insider threat” usually brings about thoughts of an employee maliciously planning your downfall, it is far more commonly a symptom of negligence or disengagement. That said, there are key warning signs your team should know to look out for.

Encourage everyone to pay attention, and someone may just spot something critical to avoiding a larger issue… such as a coworker manipulating files in the middle of the night.

Vendor Vulnerability

Imagine if someone managed to breach you through no fault of your own. This is extremely possible, as vendors are also common targets of cyberattacks. From this vantage point, a hacker has a direct line to you.

As a result, you need to reinforce that there is no such thing as a completely trustworthy contact. Try an experiment: send a simulated phishing email that appears to come from one of your vendors, and keep track of who follows the proper steps to verify its legitimacy. Those who don’t… well, you know who needs training the most.

Cloud Overconfidence

It can be very tempting to hear “cloud” and automatically assume that any data stored there is inherently secure. This is very much not the case—while the provider maintains the infrastructure, any access permissions or similar security measures are managed by you and your team.

Take some time to teach your team that even the smallest settings—like whether a folder is set to “public” or “private”—can have significant security implications.

Reporting Standards

Here’s the thing: people make mistakes. We all know this to be true, but the workplace has a tendency to make us all forget it. Too often, a team member tries to hide their mistakes out of fear of reprisal, which can snowball into serious operational issues or security vulnerabilities. You need your team members to know that, first and foremost, they will not be punished for an accident. 

Second, you need them to know how to properly report any suspected issues to IT.

Once you’ve established these standards, you can quiz your team through simulated phishing attacks. In addition to tracking those who need more help, you can track and reward those who successfully identify and—critically—also report the issue.

Cybersecurity and Organization

With remote and on-premises work now combined across industries, team members need to be prepared to keep business documents and data secure wherever they are operating… going so far as to keep sensitive data out of sight and to remain aware of their surroundings as they work.

Every so often, wander around the office and see who is diligently keeping information protected and who needs to be more stringent in their behavior. Leave a note reminding them how even the little things (like locking a workstation when stepping away for a coffee refill) really do matter.

We’re Here to Help

Security is not something any business should leave to chance, which is why we’re committed to helping the clients we serve in AREASERVED optimize every aspect of their technology… including their security.

Find out more about how we can specifically help you and your business. Give us a call at PHONENUMBER so we can chat.
