How to Create a Strong Security Awareness Program

Due to the ever evolving and more intricate nature of hacking, spamming and activity of cyber criminals, it is now vital that all companies, groups and organizations have an effective security awareness program and to make sure all employees, staff and workers know how to recognize email threats.

Threat actors are now creating very sophisticated tactics to download malware, ransomware, and obtain login credentials and email is the attack style of choice. Companies are being targeted and it will only be a matter of time before a malicious email is delivered to an worker’s inbox. It is therefore crucial that employees are trained how to identify email threats and told how they should respond when a suspicious email lands in their inbox.

If security awareness training is not made available for staff then there will be a huge hole in your security defenses. To assist yo in getting back on the right track, we have listed some vital elements of an effective security awareness strategy.

Vital Important Elements of an Strong Security Awareness Program

Have C-Suite Involved

One of the most vital starting points is to see to it that the C-Suite is on board. With board involvement you are likely to be able to dedicate larger budgets for your security training program and it should be simpler to get your plan adapted and followed by all departments in your organization.

In practice, getting the backing of executives to support a security awareness program can tricky. One of the most effective ways to increase the chance of success is to clearly explain the importance of developing a security culture and to back this up with the financial advantages that come from having a strong security awareness program. Provide data on the extent that businesses are being hit, the volume of phishing and malicious emails being shared, and the money that other businesses have had to cover to address email-based attacks.

The Ponemon Institute has completed several major surveys and provides annual reports on the expense of cyberattacks and data breaches and is a good source for facts and figures. Security awareness training companies are also good sources of figures. Current data indicates the benefit of the program and what you require to ensure it is a success.

Get Other Departments On Board

The IT department should not be the only one responsible for developing a strong security awareness training program. Other departments can supply help and may be able to offer additional materials. Try to get the marketing department to support this, human resources, the compliance department, privacy officers. Those outside of the security team may have some valuable input not only in terms of content but also how to provide the training to get the best results.

Create a Continuous Security Awareness Strategy

A one-time classroom-based training session conducted once annually may have once been enough, but due to the rapidly changing threat landscape and the volume of phishing emails now being sent, an annual training session is no longer adequate.

Training should be conducted an ongoing process provided during the year, with up to date information included on present and emerging threats. Each employee is different, and while classroom-based training sessions work for some, they do not work for all employees. Create a training program using a variety of training methods including annual classroom-based training sessions, constant computer-based training sessions, and use posters, games, newsletters, and email alerts to keep security issues to the fore of workers’ minds.

Provide Incentives and Gamification

Reward individuals who have finished training, alerted the group to a new phishing threat, or have scored well in security awareness training and tests. Try to establish competition between departments by publishing details of departments that have performed very well and have the highest percentage of employees who have finished training, have reported the most phishing threats, scored the highest in tests, or have correctly identified the most phishing emails in a round of phishing simulations.

Security awareness training should ideally be interesting. If the training is fun, employees are more likely to want to participate and retain knowledge. Use gamification methods and choose security awareness training providers that offer interesting and engaging content.

Test Knowledge with Phishing Email Simulations

You can conduct training, but unless you test your employees’ security awareness you will not know how effective your training program has been and if your staff have been paying attention.

Before you begin your training program it is important to have a baseline against which you can gauge success. This can be achieved using security questionnaires and completing phishing simulation exercises.

Running phishing simulation exercises using real world examples of phishing emails following training has been completed will highlight which employees are security titans and which need further training. A failed phishing simulation exercise can be transformed into a training opportunity.

Comparing the before and after results will let you see the advantages of your program and could be used to help get more funding.

Train your staff constantly and review their understanding and in a relatively short space of time you can create a highly effective human firewall that complements your technological cyber security security measures. If a malicious email breaks through your spam filter, you can be happy that your employees will have the skills to recognize the threat.

Enterprise Web Filtering

An enterprise web filtering solution must provide a robust defense against web-borne threats along with being flexible in order to meet the requirements of the enterprise. However, flexibility without ease-of-use can result in the solution being useless. If enterprise web filtering software is difficult to configure, filtering parameters may either be set too high – obstructing workflows – or set too low, allowing a gateway for hackers.

At SpamTitan, we are conscious of the possible issues related to enterprise web filtering, and we have developed a range of flexible and easy-to-use enterprise Internet filtering solutions that can be set up and in minutes, that have no upfront costs, and that have low maintenance overheads – releasing IT resources to focus on other important problems. We also provide guidance on how to optimize filtering parameters.

In order to maximize the flexibility of our enterprise web filtering software, we deploy a three-tier filtering mechanism and whitelists to allow access to websites that may otherwise be restricted and to reduce the strain on CPU resources when the solution is reviewing encrypted websites. The three tiers consist of URIBL/SURBL filters, category filters and keyword filters:

  • URIBL/SURBL filters manages requests to visit websites against blacklists of websites known to be harboring malware or who mask their true identities behind proxy servers. They also review for any IP addresses associated with phishing attacks and block access if a match is discovered.
  • Our category filters sort more than six billion web pages into fifty-three different categories (abortion, adult entertainment, alternative beliefs, alcohol, etc.). Network Administrators can block access to any of the categories with the click of a mouse via the centralized management portal.
  • Keyword filters restrict access to websites containing specific words, using specific apps, or inviting installations with specific file extensions. This third tier of our enterprise web filtering software supplies a high level of granularity to prevent workflow obstruction or gateways for hackers.

All the filtering parameters are subject to user policies, which can be established and managed by individual user, user group or enterprise-wide. For ease of use, our enterprise Internet filtering solution can be integrated with Active Directory and LDAP, and allows for many different administrative roles to be created for network managers, policy managers, and reporting managers.

SpamTitan’s variety of flexible and simple-to-use enterprise Internet filtering solutions consist of WebTitan Gateway, WebTitan Cloud, and WebTitan Cloud for WiFi. Each can be deployed within minutes and each has automatic network configuration.

  • WebTitan Gateway is a virtual appliance that is downloaded behind the firewall and can be run as an ISO directly on existing hardware or a virtual infrastructure. It can be used on most operating systems, scalable to thousands of users and supports both HTTP and HTTPS web filtering.
  • WebTitan Cloud takes advantage of cloud-based technology to send an unmatched combination of coverage, accuracy and flexibility with imperceptible latency. Deployment only needs a quick redirection of the enterprise´s DNS to our servers.
  • WebTitan Cloud for WiFi has been specifically created to supports both static and dynamic IP addresses. It keeps wireless networks, single WiFi access points and nationwide networks of WiFi hotspots safe from web-borne threats with the same flexibility and ease of use.

All of our enterprise Internet filtering solutions provide actual-time oversight of network web activity and a suite of reporting options that can be set up to provide deep insight into activity by user, user group, URL or IP address and identify trends or policy violations. Network Administrators can also set up email alerts to notify of any attempts to circumnavigate the enterprise web filtering software.

If your interest in enterprise Internet filtering solutions is a result of you being a Managed Service Provider (MSP) or reseller, you will appreciate that flexibility and ease-of-use is of paramount importance when supplying an enterprise Internet filtering service to clients. The option of managing the solution yourself, or delegating responsibility to each of your clients, may also be of interest to you.

However, some of the biggest benefits of providing our WebTitan service to your clients are that all three WebTitan solutions are multi-tenanted enterprise Internet filtering solutions, they can be provided in white label format for re-branding, and we offer a range of hosting options – in our infrastructure, in your infrastructure, or in a private cloud for each client via AWS. Please speak with us for more information about our services for MSPs.

If you would like to discover more about our flexible enterprise web filtering software, do not hesitate to contact us and talk about your requirements with one of our Sales Technicians. The discussion will help decide the most appropriate enterprise Internet filtering solution for your circumstances, after which you will be asked to take advantage of a thirty day free trial.

During the trial period, you will be supported by our industry-leading Customer and Technical Support experts. They will provide advice about optimizing the filtering parameters, and take you through fine-tuning the enterprise web filtering software to achieve optimum effectiveness. Then, at the end of the free trial, if you choose to continue with our service, no further configuration will be rnecessary.

We are happy that you will find our enterprise web filtering software a strong defense against web-borne threats, flexible and easy-to-use. Contact us today to begin your free trial and you could be evaluating the merits of our enterprise Internet filtering solutions in your own environment quickly.

Network Security

In too many cases, news of data breaches comes with details of the failures in network security that allowed a hacker access to confidential data. Many of these failure are preventable with adequate precautions such as a spam email filter and mechanism for managing access to the Internet.

Almost as many breaches in network security can be blamed on poor employee training. Password sharing, unauthorized installations and poor online security practices can result in hackers gaining easy access to a network and extracting confidential data when they wish to.

It has been well reported that hackers will bypass groups with strong network security and turn their attention to fish that are simpler to catch. Make sure your group does not get caught in the net – set upappropriate web filters and educate your staff on the importance of network security.

Privacy Online

Despite the high profile given to Internet privacy on mainstream media, there still appears to be naivety among certain Internet users about keeping their personal details safe. Thousands of data breaches impacting millions of people are reported every year, yet one still comes across the same stories about Internet users having the same passwords for a range of different sites.

Whether a password is in place for a social media account, an online shopping site or an online banking portal, it should be a) unique, b) hard to guess, and c) changed often. To manage your Internet privacy, only ever give the minimum amount of information required and only if you have complete confidence in the website you are giving it to.

Social Media

Social media can be a key factor of a  group’s marketing operations – it can also be the gateway for many online threats. Internet users who choose not to use unique passwords for their online activities, share their passwords, or willingly provide confidential information without due consideration for the security implications can be risking the online security of an entire group.

Instead of an employee threaten the integrity of your group’s online security, it is in your best interests to implement an Internet filtering solution from TitanHQ. An Internet filtering solution – and proper training about the risks of communicating confidential data online – can address the risk of your organization´s online defenses being compromised by an staff member’s carelessness or naivety.

Email Spam & Phishing Campaigns

Phishing and email spam is thought to cost businesses over $1 billion each year, and hackers are becoming more complex in the campaigns they launch to try to steal confidential data or passwords from innocent Internet users.

Part of the reason why phishing and email spam still work is the language used within the communication. The message to “Act Now” because an account seems to have been impacted, or because a colleague seems to need urgent support, often causes people to act before they think.

Even experienced security consultants have been caught by phishing and email spam, and the advice provided to every Internet user is:

  • If you do not know whether an email request is legitimate, try to verify it by contacting the sender independently of the information given in the email.
  • Never handover confidential data or passwords requested in an email or on a web page you have arrived at after clicking on a link in an email.
  • Turn on spam filters on your email, keep your anti-virus software up-to-date and turn on two-step authentication on all your accounts whenever you can.
  • Always use different passwords for separate accounts, and amend them frequently to stop being a victim of keylogging malware downloads.
  • Remember that phishing and email spam is not restricted to email. Watch out for scams sent through social media channels.

Phishing in particular has become a popular attack vector for hackers. Although phishing goes back to the first days of AOL, there has been a tenfold increase in phishing campaigns over the past 10 years reported to the Anti-Phishing Working Group (APWG).

Phishing is an extension of spam mail and can focus on small groups of people (spear phishing) or target executive-level management (whale phishing) in order to gather data or obtain access to computer systems.

The best way to safeguard yourself from phishing and email spam is to use the advice provided above and – most importantly – enable a reputable spam filter to block possibly unsafe emails from being sent to your inbox.