We are living in a heightened state of Cybersecurity alert. Attacks have grown exponentially since the start of COVID, usually through the often-vulnerable network connections serving the new remote workforce. Yet the advice to institute regular Security Awareness Training usually falls on deaf ears among the CEOs and administrators of Small and Mid-size businesses (SMBs).
The federal government defines a ‘small business’ as an enterprise with 500 or fewer employees, but that number seems ‘made-up’ and out of touch with reality. Those in the trenches of IT services, especially in the IT Support Los Angeles community, don’t generally consider a company with an employee base of over 100 to 150 to be a ‘small’ client, but then again, once a company has even 100 end-users, it generally institutes ‘in-house’ IT support. It’s a matter of perspective.
Huge corporations take Security Awareness Training seriously, so why not the little guys? Common sense tells us that huge corporations like Walmart, Amazon, and Berkshire Hathaway have deep pockets, but most SMBs need to be judicious about where to spend resources. The issue is in getting CEOs to understand that Security Awareness Training is a necessity, not a luxury.
According to the IBM Cyber Security Intelligence Index Report, 95% of Cybersecurity breaches are primarily caused by human error, with 91% resulting from an email phishing attack, the most common error causing breaches: a malicious link or attachment is presented with an enticement to click on it. Far too many users click on these. When they click, it’s akin to opening the door, and the best Cybersecurity measures in the world will not keep the malware out.
Please visit our page ‘Security Awareness Training’ for tips on how to better protect yourself. Once regular training is implemented, the effectiveness must be tested.
What are cyber wargames?
This is not about two teams, each trying to capture the enemy’s flag – it’s a series of simulations that test not only your IT support’s readiness, but your weakest link – your employees – and whether they have retained and implemented what they learned in Cybersecurity training.
Testing is crucial from the first grade on – all throughout life we are tested in one way or another about what we’ve learned. If you have no formalized Cybersecurity training, then Wargames are pointless. The most you could expect is to be horrified at how unknowledgeable about scams your employees are. In the military, no serviceperson engages in Wargames without at least having had basic training.
The games consist of simulated attacks to determine awareness and readiness, serving several different purposes: Education, and Research & Analysis. They expose vulnerabilities by subjecting the staff and the network and IT support crew to the same conditions that exist in a real cyber-attack, without the real-world consequences.
In the world of international diplomacy, the stakes are the highest, and the Wargames the most complex. For business enterprises, the stakes are high enough, but a more simplistic approach is the standard.
It is important to view these tests as informative rather than punitive. You do not want fearful employees to worry about every email they receive – these games are here to help – to inform and educate. Ideally, there should be no reprimand (short of a ‘tsk tsk’, perhaps) for falling for the scam.
The Basic Simulations/Tests:
End-user focused attacks
Phishing Test
In effect, legitimate looking emails are sent out with some type of ‘bait’ – a seemingly good reason to share sensitive information, open an attachment, or click on a link.
Password Quality Test
This test simply checks your Active Directory for weak and easy-to-break passwords, like ‘Password’ or ‘123456’ (seriously, the most common bad password, breakable in less than a second).
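An added example, not from the original page or from IT Support LA, of the kind of check a Password Quality Test performs. It works on a constructed plaintext sample directory (a real Active Directory audit compares stored NT hashes against a breach-derived wordlist instead), the 12-character minimum is an assumed policy value, and the small COMMON_BAD list stands in for a real wordlist; it also reverses the usual A-to-@ style substitutions so that ‘P@$$w0rd1!’ is still recognised as ‘Password’.

```python
import re

# Constructed list of known-bad passwords for the demo; a real audit would use a
# breach-derived wordlist, of which the page's 'Password' and '123456' are top entries.
COMMON_BAD = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the usual "strengthening" substitutions so that P@$$w0rd still reads as 'password'
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
MIN_LENGTH = 12   # assumed policy threshold; the page states no specific minimum

def audit_password(password, personal=()):
    """Return the reasons a password fails the quality test; an empty list means it passes.

    personal: strings a co-worker could know (username, birth year), the 'knowledge'
    method the page mentions.
    """
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_BAD:
        reasons.append("common_password")
    else:
        # Strip a trailing 'Password1!'-style suffix, then reverse the substitutions
        core = re.sub(r"[\d!?.]+$", "", password).lower().translate(UNLEET)
        if core in COMMON_BAD:
            reasons.append("common_password_with_substitutions")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter_than_minimum")
    if any(fact.lower() in lowered for fact in personal if fact):
        reasons.append("contains_personal_info")
    return reasons

def audit_directory(accounts):
    """accounts: {username: password}; returns only the failing accounts with reasons."""
    report = {}
    for user, pw in accounts.items():
        reasons = audit_password(pw, personal=(user,))
        if reasons:
            report[user] = reasons
    return report

# Constructed sample "directory" for the demo (a real audit works on hashes, not plaintext)
SAMPLE_ACCOUNTS = {
    "jdoe": "P@$$w0rd1!",
    "asmith": "123456",
    "bking": "bking2021!",
    "cwong": "correct horse battery staple",
}
```

`audit_directory(SAMPLE_ACCOUNTS)` flags jdoe, asmith and bking and passes cwong.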
Password Enumeration Test
A skilled professional, usually a 3rd party, plays the role of a hacker to see how easy it is to break employee passwords using a variety of methods, from knowledge (using a birthday as a password, etc.) to computer programs.
There are also tests for password exposure – using the same password for everything – and Dark Web scans to see how many employee passwords are for sale (You WOULD be surprised).
Lost USB Flash Drive Test
Just drop a Flash Drive in a common area and see who plugs it into their computer to see what’s on it. They should know to turn it over to the IT Support Department or to a manager to send to your outsourced Managed IT Services provider for examination.
IT support focused attacks
This is where it becomes more of a game than a test. There are many types of simulated attacks to test both your network defenses and your IT Services Team’s ability to respond. They range from simple or Distributed Denial-of-Service attacks (DoS and DDoS), which flood a system with so much traffic that it cannot operate, to Man-in-the-Middle (MitM) attacks, wherein a hacker intercepts a two-party transaction and sits in between, responding to each party as an imposter and gleaning confidential information.
Frequently Asked Questions
What are the elements of security awareness?
Most elements fall under the main 5:
- Education: Identifying the various and most common types of cyber threats.
- Threat recognition and response training: What to look for and what to do when a threat is spotted.
- Institution of policies controlling privacy, internet, social media, and email.
- Regular testing – Wargame simulations.
- Multifactor authentication and strong password policies.
How regularly would you perform tests to ensure data privacy?
While Security Awareness Training should be done every 4 to 6 months at a minimum, security testing should be every 6 to 12 months.
How can we maintain information security in testing?
- Prioritize information according to sensitivity.
- Masking, only for sensitive information during testing. Using a standard set of rules, replace characters with other characters, much the same method used in creating strong passwords: A becomes @, S becomes $, 8 becomes &, and so forth. All data should automatically be encrypted.
- Use the appropriate test management tools: the testing software must integrate with the data and masking, provide accurate reporting and tracking, and maintain Cybersecurity protections.
How can you identify phishing?
- Inconsistency: In the email address, domain names, links, greetings and subject lines.
- If an offer seems ‘too good to be true’, it probably is.
- Suspicious links or attachments.
- The message asks to ‘confirm or verify’ information they should already have.
- Digging for info of any kind.
- Bad spelling and grammar. Most crooks just can’t spell.
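An added example, not from the original page or from IT Support LA, that turns the red flags above into a mail-filter style check using only the Python standard library. It runs over a constructed sample message (the ‘acme.example’ names and the indicator labels are assumptions) and reports sender/link domain inconsistencies, a look-alike link host, ‘confirm or verify’ language and a generic greeting; spelling is not checked, since that needs a dictionary.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email): display name claims the recipient's own
# company, the address domain does not, and the link hides behind a look-alike prefix.
SAMPLE_EMAIL = """\
From: "Acme Payroll" <payroll@acme-payroll-notice.example>
To: employee@acme.example
Subject: URGENT: Verify your account now

Dear Valued Employee,
Please confirm your bank details within 24 hours at
https://acme.example.verify-login.example/update?id=123
"""

VERIFY_WORDS = ("verify", "confirm", "urgent", "within 24 hours")
GENERIC_GREETINGS = ("dear valued", "dear customer", "dear user")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable(host):
    # Last two labels of a hostname: 'a.b.example.com' -> 'example.com'
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw_message):
    # Returns the sorted names of the page's red flags found in one plain-text message
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    sender_dom = registrable(sender.rsplit("@", 1)[-1])
    recipient_dom = registrable(recipient.rsplit("@", 1)[-1])
    org = recipient_dom.split(".")[0]          # our own name, e.g. 'acme'
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = set()
    # Inconsistency: display name invokes our company but the address domain is not ours
    if org in display.lower() and sender_dom != recipient_dom:
        hits.add("display_name_domain_mismatch")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if host.startswith(recipient_dom + ".") and registrable(host) != recipient_dom:
            hits.add("lookalike_link_host")     # our domain used as a mere subdomain
        if registrable(host) != sender_dom:
            hits.add("link_sender_domain_mismatch")
    if any(w in text for w in VERIFY_WORDS):
        hits.add("confirm_or_verify_request")
    if any(g in text for g in GENERIC_GREETINGS):
        hits.add("generic_greeting")
    return sorted(hits)
```

`phishing_indicators(SAMPLE_EMAIL)` returns all five indicator names, while a routine internal mail with a link on your own domain returns an empty list.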
How secure is your network?
It costs you nothing to find out. IT Support LA offers a FREE, no-risk network and security assessment to all companies in the Greater Los Angeles area with a minimum of 10 computers and 1 server. No strings, no obligation. Upon completion, we deliver you a free report that is yours to keep. There is no obligation to do business with us.
Just fill out the form on this page or call us at: 818-805-0909