Insights

Five essential cyber security topics you need to train your staff on in 2023

Written by Zero Trust | Jan 11, 2023 3:25:43 PM


2023 is set to be a big year for cyber security, full of new threats, challenges and possibilities.  
 

Global ransomware damages are forecasted to exceed £24 billion.
68% of business owners feel cyber security risks for them are increasing.
Spending on information security and risk management is projected to reach £156 billion.

Want to keep up with these changes and stay secure? Then you need to invest in your training.

The vast majority of security incidents are caused by or related to human error. So ensuring your staff have the knowledge, understanding and behaviour to keep your organisation secure is paramount. 

It’s equally important they understand the biggest security threats of this year. Here are five essential cyber security awareness topics you need to train your staff on in 2023.

1. Malware 

What is malware?  

Malicious software, aka malware, takes a variety of different classes and forms. It’s used by cyber criminals, hackers and even nation-states to steal personal data, bypass access controls and disrupt computer operations.  

Malware can appear as active content, scripts, executable code and a range of other software variants. One of the most insidious and damaging forms of malware is ransomware, which is commonly deployed via email or targeted phishing attacks.

Why is malware such a threat?

Malware can cause extensive damage to an organisation's security and reputation. If an organisation's devices are infected by it, they can be left powerless.   

Malware can lock devices, rendering them unusable. It can be used to steal, delete or encrypt highly sensitive data. It can even be used to take control of your devices to access your systems and services or attack other organisations.   

Specific types of malware, like ransomware, work to encrypt your data to extort you. They demand eye-wateringly high ransoms for the safe return of private data, and when companies comply, they only make other criminals bolder in their requests.    

In addition to these direct financial costs, there are the associated costs of lost productivity and fines from the Information Commissioner’s Office (ICO).

Companies that are publicly victimised by cyber attacks, especially if the attacks compromise consumer data, risk serious reputational damage that will follow their business for a long time.
 

How can I train my staff against malware?  

Cyber security awareness is key when it comes to malware. Malware attacks are most commonly deployed via email or social engineering, where threat actors work to trick your employees into acting emotionally or instinctively without thinking.   

Therefore your employees must learn cyber security awareness, which includes the ability to recognise and flag common social engineering tactics. Phishing awareness training is an essential component of this.   

Employees with cyber security awareness will know the anatomy of a deceptive email. Suspicious links, incorrect sender information, uncharacteristic spelling errors and hyperbolic urgency are just a few of the signs.   

When staff are trained properly, businesses can detect and mitigate the phishing attacks used to deploy malware and better understand how to respond when attacks happen. The organisation will save both time and money in ransomware payments, downtime and remediation.

2. Data breaches  

What is a data breach?  

A data breach is an incident where confidential, protected or sensitive data is copied, transmitted, stolen, viewed or used by an unauthorised individual.   

These security violations are commonly perpetrated by threat actors and can also be referred to as ‘data leaks’ and ‘data spills’. 

Why are data breaches such a threat? 

Organisations suffer immensely from data breaches. The most prominent way is through financial repercussions.   

In the event of a breach, organisations need to compensate affected customers, set up expensive and time-consuming breach response efforts, and spend money investigating the incident and on internal remediation and recovery.     

Meanwhile, they lose money due to lost business and the potential impact of regulatory fines from the ICO.   

The ICO has the power to fine organisations £17.5 million, or 4% of global annual turnover, whichever is greater, for failing to protect consumer data.

Cyber security awareness training will help you train your staff to help prevent and prepare for potential data breaches.

How can I train my staff against data breaches?  

The first step of training your staff against data breaches is establishing rigorous security procedures that will drastically reduce the likelihood you face a breach. 

This means using security standards like multi-factor authentication (MFA), following procedures for storing passwords (like using a password manager) and placing user-specific restrictions on accessing specific files, downloads and databases.  

Once these procedures exist, cyber security awareness training will help you articulate the importance of these processes and why they must be followed by your staff.   

Staying resilient and disciplined is critical when it comes to security, and training will help your staff understand why certain behaviours must be maintained to reduce the likelihood you face a breach.

3. Business email compromise (BEC) 

What is BEC?  

Business email compromise (BEC) is a phishing attack where criminals trick a senior executive or budget holder into transferring funds or revealing sensitive information.   

This form of social engineering grew immensely in 2022 and is set to increase even more in 2023, with more companies utilising email in hybrid setups.

Why is BEC such a threat? 

BEC leverages two powerful things - work hierarchies and emotional impulses - to seriously compromise organisations. There are three main scams threat actors use: 

  1. The CEO scam:  an attacker sends an email posing as the CEO or another executive. The attacker claims to be handling confidential or urgent matters and requests a wire transfer to an account under his control.
  2. Invoice scam: this scam usually relies on an established relationship between a business and a supplier. An attacker poses as an employee of the supplier and sends a bogus invoice to the customer. The attacker requests funds to be wired for the invoice payment to their fraudulent account.
  3. W-2 scam: this scam involves an attacker sending an email, once again posing as the CEO or another executive seeking employees’ W-2 information.  

Not only are there serious financial and reputational consequences from BEC, but there is also the damage caused internally by broken trust and the realisation that the organisation's culture may have contributed. 

How can I train my staff against BEC? 

BEC requires a distinctive approach compared to most social engineering, as cyber criminals specifically leverage the culture and hierarchies of an organisation to exploit them.  

To defend against BEC, employees need to be taught in cyber security awareness training how to effectively analyse emails for signs of a scam.   

The most common sign is the sender’s email address: a spoofed address will typically differ from the genuine one by a single letter or number. Employees need to know to confirm requests by phone using a known number, not the one provided in the email. They also need to verify any vendor payment changes or transfers through a secondary sign-off by company personnel.
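As an added illustration of the sender-address check described above (example code, not from the original post), the function below compares the domain of a From: address against a constructed list of trusted domains and flags near-misses such as a swapped digit or a confusable letter pair. The trusted domains and sample addresses are assumptions made for the example.

```python
# Added example, not part of the original post: flag sender addresses whose
# domain is a near-miss of a domain the organisation trusts. The trusted
# domains and sample senders below are constructed for illustration only.
from email.utils import parseaddr

# Common substitutions seen in look-alike domains (digit for letter, "rn" for "m").
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

TRUSTED_DOMAINS = {"example.com", "supplier-example.co.uk"}  # constructed list


def normalise(domain: str) -> str:
    """Fold look-alike substitutions so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches one dropped or altered character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value.

    Caveat: an exact forgery of a trusted domain looks identical here; that
    case is only caught by SPF/DKIM/DMARC checks on the receiving mail server.
    """
    _display_name, address = parseaddr(header_value)
    domain = address.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for good in trusted:
        if norm == normalise(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("Finance <finance@example.com>", "CEO <ceo@examp1e.com>",
                   "accounts@exarnple.com", "bob@totally-different.org"):
        print(f"{sample!r:40} -> {classify_sender(sample)}")
```

In practice the trusted list would be populated from the organisation's own vendor records, and a "lookalike" result should trigger the phone-back verification rather than an automatic block.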

They also need to be taught that it’s okay to question. In BEC, the emails sent are demanding and urgent, sent from a higher-up in an organisation to someone they have authority over.   

The recipient typically reacts with anxiety and fear to the authoritative request, approving it without thinking due to a fear of getting in trouble even if they think it appears suspicious.  

In a healthy, secure working culture, where employees are empowered to voice their opinions and question suspicious demands and requests, rates of BEC are drastically reduced.



4. Safe computing

What is safe computing?  

With the rise of remote working, safe computing is more important than ever.  

Safe computing is the combination of software, security settings and user behaviours that determines how securely people interact with their devices.

Devices themselves can pose a serious security risk if organisations are not ensuring their employees are interacting with them securely.

Why is safe computing such a threat? 

Through devices, workers access a lot of highly confidential platforms and work with a lot of private data.   

If those devices are compromised, the repercussions can be serious, allowing cyber criminals to lock organisations out of their portals, destroy backups and steal sensitive data to extort companies.  

Safe computing is a foundational aspect of cyber security awareness that needs to be taught more in 2023, as we use more platforms, devices, locations and WiFi sources to access organisational platforms.

How can I train my staff to do safe computing?  

Safe computing requires a series of security essentials.  

These are things like ensuring devices automatically update (when updates are required) and ensuring all software, including antivirus, is current. It’s considering the decision to give all employees a work laptop to keep information more secure.  

It’s always using caution about when and how you share company information and what employees interact with, be they links or emails. It’s about limiting how employees interact with WiFi networks inside and outside of an office environment.  

The golden rule of safe computing is that if you have doubts about the source or validity of something sent to you, you do not engage until you get outside confirmation.   

Cyber security awareness training will help your staff understand the fundamentals of safe computing and how they must be maintained regardless of time pressures and the desire for greater productivity. 

5. Strong authentication methods

What are strong authentication methods? 

Strong authentication methods, like passwords and multi-factor authentication, are your key - and a cyber criminal’s key - to your private accounts.   

Strong authentication methods are constantly growing, updating and changing, which is critical considering the sheer amount of accounts users must manage and maintain in a modern working environment.  

Why can strong authentication methods pose a threat? 

Stealing authentication credentials is the number one way cyber criminals compromise and gain access to accounts. Password security, despite endless amounts of discussion, articles and companies moving to enforce certain processes, hasn’t seen a massive improvement.

This is because password security, when the correct steps are followed (using a password manager, enforcing multi-factor authentication and having a unique password for each login), impedes productivity.

How can I train my staff to use strong authentication methods? 

Cyber security awareness training will teach your employees essential authentication and password requirements, such as using complex, difficult-to-guess passwords that are fifteen characters or more and contain both lower and upper case letters.

The importance of using and how to use a password manager may be explored, as will the helpful nature of multi-factor authentication, which massively upgrades login security.    

Critically, cyber security awareness training will help your employees confront and overcome the mindset that password security slows down and interferes with their ability to do their real work.   

Staying secure should always be understood by employees as part of their job description, something as fundamental as staying productive that they will be helped with and checked in on.  

Robust cyber security requires continual improvement and evaluation. Hence the importance of cyber assessments, which establish where you are as an organisation and how things could be improved.

With our cyber security awareness training, your staff will gain a crucial understanding of these five core cyber security topics and develop behaviours that will keep your organisation safer in 2023.

Get in touch to learn more.