Introduction: Why security awareness?

A secure organization must be built on a strong culture of security that starts with an aware end user. An effective organizational security awareness program requires that members of staff receive a foundational education in the material, with it being taught to them plainly and clearly. It involves the use of a variety of tools that will communicate and reinforce concepts while giving a measurable value, such as key performance indicators (KPIs), that periodically track and show the company’s progress in achieving its strategic and operational goals.

There are many ways to help employees acquire as much cybersecurity knowledge as possible. A combination of formal classroom training, online courses, directives and tip-of-the-day emails are normally used in organizations (especially larger ones) to involve the workforce.

Infosec’s options to boost cyber-awareness

Infosec (formerly InfoSec Institute) is a leading provider of information security education and workforce security awareness solutions for businesses of all sizes. It offers free tools (see Resource Center) to help boost the effectiveness of your security awareness program. And Infosec IQ by Infosec personalizes the awareness training experience based on employees’ roles and security aptitudes. This fully automated SaaS solution delivers training according to the program design and individual employee training performance, as well as their involvement in events blocked by protection software.

In addition to effective training tools, however, Infosec also provides another great security awareness option: podcasts that focus on specific topics and that can be accessed by employees (both end users and IT personnel involved in security) whenever they like. These sessions are clear, concise and to the point enough to be appealing to even the least technical personnel. Each week on Cyber Work (formerly Cyber Speak with Infosec), IT and security practitioners share their insights into new topics, including security awareness.

But which episodes are the best?

Infosec’s top security awareness podcast episodes

1. Transform your organization with a security champion

Are you looking for a boost in your security awareness project? Are you an IT professional interested and knowledgeable in security but who also has a passion to inspire others to defend information assets? Then you might be the right person to volunteer for a role as Security Champion, a figure that can “truly be beneficial for companies of any size looking for an innovative way to improve their cybersecurity posture,” according to Jeff Williams, co-founder of Contrast Security and co-founder and major contributor to OWASP.

In this podcast that explains why adopting such a program is important for information security dissemination, Jeff Williams not only covers the OWASP project and its famous Top 10 list, but it also explains who Security Champions are, what their role can be within an organization and how to prepare for and secure such a role. So if you’re interested in becoming a Security Champion, listen to this episode that shares just how to make that happen.

OWASP defines this role player as “go-to person[s] who assists in the triage of bugs and other security issues for their team.” And as Stephen Moramarco describes, security champions are “a new kind of hero” who can help with training and real-world simulations. Someone in this role will look at current security flows as well as develop practices essential when dealing with future incidents.

So, are you ready to jump-start an internal Security Champions Program? As Williams mentions, don’t wait for somebody else to create the program. “Stand up and say … I think we need to do better on security, and I would like to take the leading role making that happen.”

2. 10 proven security awareness tips from Osterman Research

Michael Osterman, President and Analyst at Osterman Research, appears in this episode to explain how to improve security awareness programs by increasing participation, customizing content to better engage employees and driving a true behavioral and cultural change.

According to recent research, in fact, just 45% of security professionals believe their users have adequate training to recognize phishing attempts. In many cases, even the teams that are actually running security awareness programs are not convinced of their efficacy.

Osterman shares some security awareness tips and strategies that organizations can implement immediately. He also elaborates on best practices to spot security threats, as there is still a large percentage of under-trained employees who lack a solid understanding of the consequences of ransomware and phishing. These are the threats that IT and security professionals have been most concerned about lately.

Osterman Research has found that the vast majority of organizations have suffered some type of security breach. 27.9% of the surveyed companies were victims of a successful phishing attack with malware infection; 25% had an endpoint infected with malware; 25% reported a sensitive data leak; 22.1% reported a ransomware attack that encrypted data at an endpoint. These numbers clearly show the importance of making security awareness education more compelling so that workers will not tune out.

Simply going through the motions of having a security awareness program is not enough to do that. The 10 tips point out what needs should be considered when designing an efficient training plan that will help to drive real behavioral changes and improve the existing corporate security culture.

A webinar version of the podcast is also available.

3. 5 best practices to harden your human firewall

This episode focuses on the importance of security awareness and of making sure the entire workforce is ready to face common cyberthreats. The guest, Forrester senior analyst Nick Hayes, shows how to engage staff in cybersecurity and how to create an effective human line of defense in any company by making the workforce aware of possible threats and how some of their actions could result in negative impacts.

As Hayes states in the webinar that details first-hand lessons from CISOs: “It requires a shift in security perceptions and habits to build a truly effective human firewall.” The on-demand webinar of this podcast episode helps build an educated, threat-aware workforce against cyberattacks.

The session first points out how important it is to address breach prevention, as a 2017 survey of companies with over a thousand employees shows. In fact, only 42% of them “believe” their company not to have been breached in the prior 12 months. And many breaches are not even that difficult to prevent! As Verizon’s 2017 DBIR reported, 90% of cyberattacks are conducted with the use of some phishing. A more aware workforce who can spot the common traps will result in a more secure IT environment.

If you are looking for ways to make sure your security awareness program is effective, this podcast can give you some tips on what should not be missed when creating it. A particularly interesting section covers metrics and how they can be expanded and used to gather essential intelligence, creating a more responsive and tailored program as well as helping you understand what can be considered “success.”

4. CIS top 20 security controls

Are you looking not only for security awareness tips but also for a more complete set of controls and practices to secure your organization? In this episode Tony Sager, Center for Internet Security® Senior Vice President and Chief Evangelist, discusses the CIS Top 20 Security Controls. These are “globally recognized best practices for securing your IT systems and data against the most pervasive attacks.” Moderator Camille DuPuis helps guide the discussion around to know just “how to make the CIS Controls a foundational part of your security program, and improve your enterprise defenses, operations, compliance and security awareness.”

The session starts with a few principles that everyone needs to always keep in mind, including the very simple concepts that “knowing about vulnerabilities doesn’t get them fixed” and that “the bad guy doesn’t perform magic.” It then explores the evolution of controls through time and specifies the basic, foundational and organizational controls.

Any technical defense measure, however, would be useless without managing the human side of information security, which is as important as the technical side. Awareness is the most cost-effective form of security control and is part of the organizational controls together with application security, incident response and management and penetration testing.

All users can become human-centric controls for an effective defense thanks to consistent security awareness training (SAT), which can educate every staff member in the workplace to understand the Information and Communication Technology (ICT) risks and make better security decisions. In essence, staff ought to be made fully aware of all administrative, technical and physical safeguards to control information systems (CIS), as well as aware of the entire security program upholding the security policies and procedures.

5. Defending against and recovering from ransomware

Since ransomware attacks continue to challenge all types of organizations, it’s important to know more about it. Ransomware campaigns are a moneymaking tool by cybercriminals that block access to data and request a ransom be paid to release them. At times, ransomware hides even worse aims; it can be used as a distraction to hide other attacks aimed at wiping the data of the victim completely. Therefore, it is paramount for security specialists to stay aware of ransomware attack vectors and for users to understand its risks and implications.

This podcast features expert tips by Bill Siegel, co-founder of ransomware-recovery company Coveware. The session covers recent ransomware infections, how companies can respond to such a threat and many other ransomware-related topics, including how systems are infected and how security awareness can help. Learn how ransomware works and understand why user awareness training is a great long-term investment as a  critical preventative measure to keep cybercriminals from gaining access to a company’s network resources. Security awareness training can prevent a ransomware situation by helping the personnel in the workplace identify the types and degrees of this malware.

Particularly interesting is the session on what to do when discovering an attack. That is a particularly critical moment in which a scared user can cause even more harm by acting impulsively. The podcast gives very practical tips of what should be immediately done, and, more importantly, what should not be done. It also looks to the future, with the fight against ransomware-as-a-service and how it might evolve and be fought in the years to come.

6. The $9 billion BEC threat you can’t ignore

Business email compromise (BEC), a type of phishing scheme where a cybercriminal impersonates an executive, continues to plague organizations worldwide. As threats continue to rise targeting businesses with sophisticated, legitimate-looking emails, there is a need for more security awareness training about BEC.

This podcast and webinar that hosts security leaders from Infosec (Jack Koziol, CEO) and DarkMatter (Roger Sels, VP Information Security) to share practical tips for BEC threat mitigation.

This episode begins by explaining why these attacks are so successful and what an organization can do to defend itself effectively. As BEC success rates keep on climbing and as revenue losses increase, ongoing security awareness training (perhaps involving the simulation of a typical BEC scam) is vital in keeping on top of these cyberthreats, especially “when you consider 6.4 billion fake emails are sent every day,” as reported by Osterman Research.

Security Awareness

Conclusion

As Stephen Moramarco mentions, providing security awareness training has it benefits and should be regarded as a required component of every organization workforce education plan.

Educating employees can create the essential human firewall to protect a company against the malicious hackers, cyberthieves and other threat actors out there today. And because the weakest link in security today is the human factor, that is where adherence to security awareness best practices comes in — as a fundamental component of any information security strategy and ecosystem.