A List of Issues Your Cybersecurity Training Needs to Include

As we stand on the threshold of a new year, it’s worth noting that the term "cybersecurity" didn't even enter the common lexicon until the late 1980s. Before that, we just called it "computer security" - mostly involving locking the server room door and hoping nobody guessed the password was "admin."

Fast forward to today, and the game has wildly changed. "Hoping for the best" is no longer a viable business plan. As you prepare your resolutions, it’s time to hit the ground running with a cybersecurity posture that is as modern as the threats we face, a goal that will require training for your entire team.

Listed below: what this training should cover, and how you can reinforce the security message you’re trying to share.

Identity and "MFA Fatigue"

With zero trust now the gold standard of protection, identity is the new perimeter. That being said, hackers now weaponize our own notification habits against us. "Prompt Bombing"—where an attacker triggers dozens of MFA requests in a row, hoping the employee hits "Approve" just to stop the noise—is a real threat to stay cognizant of.

As for training, demonstrate the difference between spoofed notifications and the normal ones your team will likely encounter… all while reinforcing that confirming an authentication request that was not pushed is never a good idea.

Social Engineering with AI’s Help

Unfortunately, scams have come a long way, especially with artificial intelligence readily available to help make them even more convincing. Your job is to ensure that your team is aware of the kind of sophistication that modern threats can feature.

Make sure your team is aware of all the shapes a threat can take—from phishing to vishing to smishing, as well as video deepfakes and the like—and know what will and will not be asked of them in any situation. Reinforce this message by sharing examples of the threats that they could face, asking them to differentiate between the two… if they can. This is precisely why you need to implement robust verification protocols for all communication methods.

Data Leakage

Generative AI has become a force in almost all aspects of the modern business landscape and economy. While it can be a highly effective tool for boosting productivity, it can also pose a significant risk to your data security and confidentiality.

Most often, the tools that people associate with AI—things like ChatGPT, for instance—are actively taking all data that users put into them and incorporating it into their data repositories. This means that any data you share with an AI becomes part of that AI. Now, let’s say a company shares some of its proprietary data in an effort to organize it better or come up with improved insights. That data is then public record, and could easily be duplicated on other people’s prompts.

Fortunately, this can be avoided. Give your team members sample documents and ask them to properly anonymize their contents before sharing them with AI. This will help them stay mindful of how careful they need to be when using these kinds of tools.

Shadow IT

How often do your team members turn to external tools, like unvetted software or personal cloud accounts, to accomplish the goals you’ve laid out for them? Not only is this a sign of miscommunication between team members and team leadership, but it also exposes your business to various threats and the risk of data theft.

To protect your business from the insidious threat of shadow IT, have your departments audit and map where the data they are responsible for is stored. It may be enough to get them on board with more centralized, approved tools.

Insider Threats

While the phrase “insider threat” usually brings about thoughts of an employee maliciously planning your downfall, it is far more commonly a symptom of negligence or disengagement. That said, there are key warning signs your team should know to look out for.

Encourage everyone to pay attention, and someone may just spot something critical to avoiding a larger issue… such as a coworker manipulating files in the middle of the night.

Vendor Vulnerability

Imagine if someone managed to breach you through no fault of your own. This is extremely possible, as vendors are also common targets of cyberattacks. From this vantage point, a hacker has a direct line to you.

As a result, you need to reinforce that there is no such thing as a completely trustworthy contact. Try an experiment: send a simulated phishing email that appears to come from one of your vendors, and keep track of who follows the proper steps to verify its legitimacy. Those that don’t… well, you know who needs training the most.

Cloud Overconfidence

It can be very tempting to hear “cloud” and automatically assume that any data stored there is inherently secure. This is very much not the case—while the provider maintains the infrastructure, any access permissions or similar security measures are managed by you and your team.

Take some time to teach your team that even the smallest settings—like whether a folder is set to “public” or “private”—can have significant security implications.

Reporting Standards

Here’s the thing: people make mistakes. We all know this to be true, but the workplace has a tendency to make us all forget it. Too often, a team member tries to hide their mistakes out of fear of reprisal, which can snowball into serious operational issues or security vulnerabilities. You need your team members to know that, first and foremost, they will not be punished for an accident. 

Second, you need them to know how to properly report any suspected issues to IT.

Once you’ve established these standards, you can quiz your team through simulated phishing attacks. In addition to tracking those who need more help, you can track and reward those who successfully identify and—critically—also report the issue.

Cybersecurity and Organization

With remote and on-premises work now combined across industries, team members need to be prepared to keep business documents and data secure wherever they are operating… going so far as to keep sensitive data out of sight and to remain aware of their surroundings as they work.

Every so often, wander around the office and see who is diligently keeping information protected and who needs to be more stringent in their behavior. Leave a note reminding them how even the little things (like locking a workstation when stepping away for a coffee refill) really do matter.

Macro Systems is Here to Help

Security is not something any business should leave to chance, which is why we’re committed to helping the clients we serve in the Metro Washington, DC area optimize every aspect of their technology… including their security.

Find out more about how we can specifically help you and your business. Give Macro Systems a call at 703-359-9211 so we can chat.