Beyond phishing links: What are other security awareness subjects employees need to know about?

The cyber security industry talks a lot about phishing links, but what about other security awareness subjects? Attackers can use networks, texts/SMS, phone calls, in-person conversations, and USBs just as easily as emails to trick their victims. But, these subjects aren’t as focused on.

Michelle L (ML) – Michelle is the Founder at Risu Consulting a consultancy that helps startups to create meaningful and simple security education strategies. She has 20 years of experience in creating engaging and meaningful training. 

And myself, Scott Wright (SW), CEO of Click Armor, the sponsor for this session. Now, let’s get to our discussion on security awareness subjects that are NOT phishing links:

1) What methods are attackers using to make attacks more convincing? 

FP: Social engineering, I’ve dealt with cases and I’ve been involved with several of them. If anyone knows about the late Kevin Mitnick, he got his start by dumpster diving. So, just being careful what you do, what you dispose of, where you dispose of it, how you share it. 

Also, when you’re in public places, don’t discuss confidential data like where you work, who you work with, what floor you work on, enough that someone could build a profile about you because that’s where most of your evidence is going to come today as we’re returning to office.

EG: There were quite a few conversations at the SANS Awareness Summit about how ChatGPT and different AI methods are making any sort of attack more convincing, whether it’s being able to perform a spear phishing attack without the effort that spear phishing used to take or just the technology of phishing calls and how AI is now able to mimic people’s voices better.

So, now we are in a whole new realm of things to teach, especially to people like our grandparents, who might be more convinced by something like that. So, just emerging technologies are really making attacks much more convincing from every angle.

SC: On the lines of making things more convincing: If recon is done, the timing of the attack becomes important. I have recently seen something happen which was coincidental. There was a smishing, which is SMS, but it happened at exactly the time I was sending a package. It came up as Canada Post. 

The context of time or a place comes into play. So, if somebody has done research enough to know when to do an attack, I believe that context makes it more convincing. 

RH: Urgency and heightened emotion, and to understand those emotions across all the attack factors. And that’s what the threat actors are trying to do. They’re trying to enact those emotions of greed or fear. So if you get level headed and look at things, it can also be a good kind of sense. “Hey, I feel off because of this email.” That is a sign that maybe something isn’t right.

2) What are the most valuable elements of phishing and other attacks, aside from hyperlinks, for employees to learn about? 

EG: It’s funny because you can teach all these things: sender address, hovering over the links, looking at the logo and everything in it. But one of the most important things that I would always teach is, as silly as it sounds, if you are tempted for some reason to click on a phishing link or an attachment, count to five before you do that. It sounds childish, but sometimes we don’t teach people that in this day and age where it’s constantly go, go, go, and we have to have productivity at an all time high, that it’s okay to stop. We don’t slow down in our inbox, we just try to power through everything and we don’t stop to smell the roses and try to sniff out if there might be something a little bit suspicious about an email. 

So counting to three or counting to five might give yourself the space to see some of those flags that we talk about: the sender address and the hovering over the link. I never say to do it for everything because that would slow us down so much, but for some reason there is some temptation to click on a link or to take you somewhere outside of your network where you’re protected, then give yourself that space to slow down for a second. 

ML: When I work with startups, I particularly say to allow people to build that lot of time to respond to messages in the day because your biggest weapon is having a supportive environment.

But, nothing can truly stop everything. Sometimes they are so real that anyone would fall for them. So, in the end it is your security controls that can help stop things. 

FP:  Sometimes it is about common sense. How did you learn about something? How do you know when to open your front door? There are certain techniques that you do day in and day out, like you learn basic techniques. 

We have to bring it into our workforce, there is no separation anymore. I work out of my house, I work for myself, I’ve been remote, there is no separation. So what I apply personally, I have to  apply professionally. What I do professionally, I have to apply personally. And teaching the employees what controls we do have in place, understanding how they interact with them. Teach them how to report and how to use whatever technologies are in place. 

I’d also like to talk about a clean desk policy. We talk about clean desks, but what about clean desktops? We screenshot a lot of things and we leave it sitting just on the desktop. And how many people lock their computer at home when they get up and walk away? I have two kids and they could easily grab a document and walk away with it or click a few keys on my computer and delete, send, or move a document. So, clean up your virtual desktop and clean up your physical desk. 

3) How can organizations enable employees to be more capable of spotting clues that can uncover attacks?

FP: I like the deep breathing mentioned earlier. Pause, count to six, sing Happy Birthday. That can be childish, but they actually relax you. 

For security awareness managers, make your content interesting too. When you are speaking, every seven minutes have some way for people to engage with you or else you will lose their focus. Find ways to break up the monotony of your live training in order to actually engage and keep the attention of your employees. 

EG: Just a reminder not to go on autopilot for stuff, even though we do constantly. From a security awareness manager perspective, learn your business. Learn the different functions of your organization to better train each particular group. That is a really important way to make sure that you are teaching somebody something that’s relevant to them. How are you going to spot something that’s very specific to you or attacks that have been very targeted at your specific group?

— 

There’s a lot more to cyber security awareness than phishing links. As our panel discussed, a lot of it relies on the culture of your organization, how are you teaching your employees? Are you completing targeted training? Do your employees know the tools you have? Can they use them? And most importantly, do they feel rushed when greeted with a potential attack vector? 

If you’d like to hear more from our panel on Beyond Phishing Links, watch the full discussion on our YouTube.

Click Armor is the first highly interactive security awareness platform, with engaging foundational courses and 3-minute weekly challenges that employees love. We offer content on everything from security basics, phishing and social engineering to passwords and privacy.

Even if your organization already has a solution, there’s a high likelihood that some employees are still not engaging and are exposing your systems and information to cyberthreats. Click Armor offers a special “remediation” package that complements existing solutions that don’t offer any relevant content for people who need a different method of awareness training.

Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.