Would you like some phishing with your coffee?

Our Thursday morning webinar on the 7th of May was about cybersecurity awareness. Thomas Wong, a Principal Security Consultant from Nixu Denmark, went through some dos and don'ts of setting up a cybersecurity awareness program. Stats about phishing and awareness program tips – an excellent way to spend a coffee break, right?

Cybersecurity awareness is a broad term that covers all kinds of training and employee instructions to prevent people from accidentally leaking company information, installing malware, inserting suspicious USB sticks, or paying fraudsters that impersonate the company CEO. Many of us have encountered boring lectures and multiple-choice questionnaires that make cybersecurity sound pretty dull and highly technical. These are examples of cybersecurity awareness training gone wrong. So how can you get it right?

Make it relevant

According to Thomas, one of the typical mistakes in spreading cybersecurity knowledge is telling everybody everything. This will result in information overload and sometimes too technical details. Depending on your job role, you may use your computer for different things and interact with different people than your coworkers in the other departments. That's why cybersecurity awareness training should always be relevant. If your personnel are handling confidential information, they should know about information leakage threats. If some employees receive a lot of emails from outside the organization, they should know at least about phishing, malware, and social engineering. The finance department should be aware of CEO frauds. Not everyone has to know the exact details of port scanning or analyzing malware samples, though.

If you want to get the message through, you should visualize the threats or otherwise concretely explain them. Explain why they should do something, not just what they should do. For example, you can tell that if employees post pictures of the new coffee machine or whatever office equipment to social media, that information can be used by social engineers. They can pretend to be a maintenance guy who will come and fix that machine. If you plainly state, "No pictures from the office," the advice does not stick.

It doesn’t have to look like training

Continuous learning is the key. Try to spread the knowledge sharing to small chunks throughout the year. Instead of lectures, you can use games, phishing simulations, escape rooms – it doesn't have to look like a regular training. If the awareness training is embedded in routine work, you can even measure how well your employees have learned without them knowing it. You can start small. At the end of the day, the most important thing is to do something about improving cybersecurity awareness in your organization.

Did you miss the webinar? Watch the recording!

Thomas also answered audience questions about measuring the success of a cybersecurity awareness program and told relatable examples of both useful and not-so-useful ways of spreading cybersecurity knowledge. If you missed the webinar, watch the recording from the video below.