With remote work now standard, many businesses double down on risk training
By Joe Dysart
Despite widespread awareness of hackers among workers, one of the most common ways hackers still penetrate business networks is by spoofing employees.
Given that punking humans is still one of the easiest ways for a hacker to penetrate the most sophisticated of cyberdefense systems, many businesses are doubling down on training their employees to be on the lookout for the latest hacker scams.
“Most security and risk leaders now recognize that major disruption is only one crisis away,” says Richard Addiscott, senior director analyst, Gartner (www.gartner.com/en), a technology advisement firm. “We can’t control it, but we can evolve our thinking, our philosophy, our program and our architecture.”
Granted, most of us know by now that we need to exercise care when clicking on external links, deciding whether or not to download an attachment, or offering up passwords and other information to someone on the phone who seems like an employee who simply got locked out of the company’s network.
But the plain fact is that despite this common knowledge, hackers keep tricking many of us into allowing them to penetrate our business networks in just these ways to wreak havoc, steal critical company data or hold an entire system hostage with a demand for a ransom.
This vulnerability has become even more troublesome since the arrival of COVID, which transformed millions of employees worldwide into remote workers.
In the process, that change also instantly made thousands of corporate networks even more vulnerable as remote employees accessed business computer networks with personal smartphones, personal digital assistants, laptops and other computerized devices that lacked corporate security protections, according to Sarah Pavlak, a security industry principal at business consulting firm Frost & Sullivan (www.frost.com).
Add an increase in hacker break-ins on cloud-based systems, a jump in hacking attacks orchestrated by nation-states—and increasing hacker access to tricks and techniques powered by artificial intelligence—and it becomes clear that nothing less than 24/7 vigilance by company staff will be needed simply to thwart the cybercriminal threat moving forward.
Fortunately, if you’re looking to refresh or deepen the cybersecurity training you give to employees to help safeguard your business, there are a raft of training service providers that offer a number of different approaches to realizing that goal.
Some training courses can be completed in an hour or so. Others can be permanently embedded in a business computer network, continually probing employee ability to identify—and avoid—common hacker tricks. And still others rely on gamification to engage employees in good cybersecurity hygiene and turn hacker awareness into a friendly competition.
Here’s a representative sampling of what’s available:
- ESET Cybersecurity Awareness Training (www.eset.com/us/cybertraining): This is a good option for businesses that are looking to dedicate a small part of one business day to spotlight cybersecurity. ESET offers a 90-min. course on how to outwit hackers, which engages employees by inviting them to enter a gamified environment, where they play the part of a virtual IT security tech.
There are also other modules that focus on defeating malicious emails, as well as mini games where employees can win badges and reputation points for excelling at thwarting the bad guys.
- CybSafe (www.cybsafe.com): This security trainer also offers brief, interactive courses tailored to the various employee roles of a typical business. The interesting twist with CybSafe: The company uses artificial intelligence to analyze each employee’s cybersecurity savvy and then custom tailors a security training program best suited to each employee.
- Living Security (www.livingsecurity.com): This software enables businesses to identify where the cybersecurity risk is greatest within the organization—be it specific departments or geographic regions. Once identified, employees there can play ‘snackable’ training modules—1 to 5 min. long—that strengthen their cybersecurity chops. Focus areas include cybersecurity risks associated with remote work, data classification, password use and malicious emails. This training format is also gamified, which includes a “leaderboard” that tracks cybersecurity competitions and gives special recognition to high-scoring employees.
- Ninjio (https://ninjio.com): This trainer relies heavily on short, animated videos—no longer than 5 min. apiece—that bring home the dangers of hacker risk. The format, like that of many of its competitors, is gamified and includes a leaderboard where employees engaging in cybersecurity competition can see how they stack up against colleagues.
- Cofense (https://cofense.com): Businesses looking to “try before they buy” may want to check out this cybersecurity trainer, which offers an entry-level training course for free. Cofense relies heavily on short, interactive training modules, which highlight common cybersecurity risks and feature questions at the end to ensure employees have grasped the point of the training.
- Proofpoint (www.proofpoint.com/us/products/security-awareness-training): This trainer places a heavy emphasis on homing in on employees who are extremely vulnerable to malicious emails and then providing them training content that they can use to get savvier when it comes to hacker tricks. Employees can also use Proofpoint’s “PhishAlarm” to flag emails that they receive that look suspicious—and then receive insights on their picks from the cybersecurity pros at their business.
- KnowBe4 (https://info.knowbe4.com): An old hand in this space, KnowBe4 offers extremely in-depth cybersecurity training that features: Web-based training that employees can access to learn or brush up on common vulnerabilities; a look at typical attacker techniques using simulated attacks; and ongoing monitoring of employee cybersecurity hygiene by KnowBe4. Unlike many cybersecurity trainers, KnowBe4 can be integrated into a business’s daily operations by opting for its random attack delivery service, which continually tests employee vigilance by sporadically sending them simulated malicious emails. Paired with a monitoring and reporting system, the service enables managers to easily identify employees who are extremely adept at recognizing the simulated malicious emails that KnowBe4 sends them—as well as spotlighting other employees who need more training on resisting hacker tricks.
- Hook Security (https://hooksecurity.co/landing/hook-security-free-trial): Like KnowBe4, this trainer offers an ongoing test-and-probe service, which sporadically sends simulated malicious emails to employees and generates reports on individual employee response to those messages. An interesting approach from Hook: Employees who fall victim to a simulated malicious email receive instant training from the system on how to avoid making the same mistake in the future. They also receive monthly dashboard reports from Hook on how they’re faring—and how they’re progressing on Hook cybersecurity training modules. Hook also offers a free trial.
Joe Dysart is an internet speaker and business consultant based in Manhattan.