Malicious attackers have always been part of the cyber world, and with working from home becoming the new normal, they have found even more ways to exploit companies and their employees.
A lack of cybersecurity awareness can catch up with businesses of any size unexpectedly. Organizations made up of many employees, especially remote ones, cannot monitor every action each of them takes. Attackers take advantage of that gap by manipulating employees into falling for phishing attacks.
This highlights the need for businesses of every size to use cybersecurity tools and measures such as VPNs and security awareness training, backed by policy guidance.
Craig Taylor, Co-Founder and CEO of CyberHoot, a company that offers security awareness training for businesses of every size, says that many businesses still see such measures as unnecessary expenses. Taylor agreed to share his views on the importance of cybersecurity, potential threats, and their outcomes.
CyberHoot was created because the co-founders believed there had to be an easier way to protect small to medium-sized businesses (SMBs) from all the cybersecurity mistakes they were making. The co-founders have worked in cybersecurity for 60 years combined. We have seen a great deal, especially on the enterprise side of cybersecurity. Yet, the most vulnerable companies, the SMBs of the world, were suffering far more at the hands of hackers than enterprises ever did or would. We took the best practices in the industry, boiled them down to their essence, and eliminated all the points of friction getting in the way of security awareness training. From the beginning CyberHoot was:
We have also eliminated other points of friction in billing and administration. We have added multiple industry-disruptive capabilities, like Phishing Assignments, along the way. Everything combined, we have one of the simplest systems on the market, with the highest compliance rates available in a tool. Our solution works better than anything else on the market.
CyberHoot specializes in being one of the most liked awareness training tools on the market. We asked our users how many would miss CyberHoot’s extra work – the monthly training assignments. 60% of surveyed users said they would miss our “Hoots” a little or a lot if we stopped sending them.
The reason behind this high approval rating is three-fold:
The content is kept educational by including a quiz after each video. The questions, answers, and explanations are sent to each user in the system following a test for additional learning opportunities. We also link to our online cybersecurity library and blog where thousands of articles and definitions can be reviewed at each user’s discretion.
Almost any threat can be eliminated by following the best practices outlined in our security awareness training videos. The vast majority of cyberattacks occur because of two things:
The industry generally believes that 90% of successful cyberattacks are caused by human error. Our training helps users learn the importance of simple protective technical measures, including two-factor authentication and adopting a password manager. More importantly, they learn why these measures and the ability to spot and avoid phishing attacks are so important, and truthfully easy, if you learn our methods. CyberHoot’s motto helps users learn that “Become More Aware” means “Become More Secure”, and that gives employees confidence and enhances productivity and security.
The pandemic has changed the way people work on a day-to-day basis. More people are working remotely, opening them up to even more threats than they would typically face in the office. When at home, users tend to be more relaxed, not thinking about cybersecurity threat implications or what they may do, and not having the technical measures in place compared to when they’re in the office. Hackers have recognized this trend and ramped up their efforts over the past couple of years by crafting convincing phishing messages and sending millions out to unsuspecting and untrained users.
CyberHoot has extensively written about the evolution of online attacks during the pandemic. There have been more phishing attacks to be certain. However, there are many more elaborate schemes, including hackers creating fake contact tracing apps, romance website scams (catfishing, for example), fake remote job opportunities, and other things of that nature that have only worsened cybersecurity threats. With employees working remotely, the lack of colleagues sitting in the cube next to you means you’re more likely to fall victim.
Many companies think that they can buy all the technology needed to protect their company, but what they fail to recognize is that human error accounts for nearly 90% of company breaches. Another reason is that they don’t think users want to do the training and that it wouldn’t be done effectively. Lastly, companies running security training programs for their employees don’t see the monetary benefit; they just see the costs. Security Awareness Training (SAT) is like insurance, but it just costs money, and companies don’t believe they’ll fall victim to cyber threats. Alternatively, companies can feel hopeless and think that you can’t stop cyberattacks, so why bother trying?
The truth is that SAT can help companies easily become more productive, confident, and secure for a very small cost. Just one incident at an SMB is expected to cost over $88,000 in 2022. These are numbers for SMB, not large enterprises where a breach can easily cost millions. One incident at an SMB would easily fund 10+ years of SAT.
There are a number of critical measures we always look for when providing our virtual Chief Information Security Officer services to companies. These are simple measures that are often missed and poorly understood. They can provide a great deal of benefit and, in some instances, protect companies from compromise.
First, enabling multi-factor authentication on all critical accounts is key.
Second, having a risk assessment performed to prioritize the risks that you can face in your industry and business goes a long way to spending your time and money wisely.
Third, most companies lack a security culture which is gained in two ways. The first one is security awareness training, and the second – establishing cybersecurity policies to guide employee behaviors when technology cannot. Policies sound boring, but they guide users on how to properly use their computers, accounts, information, etc. For example, password policies ensure that users are using unique, 14+ character passwords/passphrases for every account and that credentials are stored in a password manager. If users don’t comply, they can be penalized or fired by their company. It keeps users accountable with something in writing (that they’ve signed), so that the IT staff don’t have to look over all employees every day hoping they don’t do the wrong thing.
This may seem like an obvious answer from us, but due to the lack of security awareness training and policy guidance for most remote workers, phishing, poor cybersecurity hygiene, and outdated software are the most prominent threats. The mentioned security measures go hand in hand, making employees more secure and aware of cyber threats.
Outdated software happens because some users are on their own personal devices and aren’t getting the software patches automatically installed on their devices to address emerging vulnerabilities. Then there are the employees who log in to any Wi-Fi network they find to work remotely from coffee shops, sports venues, or shopping malls. These employees who haven’t learned the risks of rogue or free wireless access put themselves and their systems in grave danger.
I believe that to effectively fight such threats, security awareness training, policy governance, phish testing, two-factor authentication, password managers, and a risk assessment are crucial.
CyberHoot has found a great deal of friction in traditional phish testing. Time-consuming and error-prone allow lists; junk and spam folders; the inability to use convincing phishing attacks because vendors sue companies over the use of their images and logos in phishing simulations; and browsers that interject warnings that an email is an obvious phishing attack and prevent the user from learning: phish testing the traditional way is fraught with challenges and headaches.
CyberHoot is going to eliminate many of these points of friction in the near future with an assignment-based phishing module. It eliminates every point of friction, improves the ability to effectively test employees with increasingly difficult phishing tests over time, and ensures that all of them have been tested through compliance reporting. That’s not possible in the traditional phish test where an employee is ignoring their email and misses the phishing test altogether. In this new module, a manager will know with automated reporting whether all employees took and passed their phishing test.
That’s our goal for Q1 of 2022. Beyond that, we’re branching out into fully managed solutions for MSPs (managed service providers) to roll out to all their clients with minimal effort on their part. Our talks with MSPs have taught us that they often don’t have the time to roll out SAT to their clients, so CyberHoot will do it for them.
Source: CyberNews
Additional Reading: Craig Taylor, CyberHoot: users tend to be more relaxed at home, not thinking about cybersecurity threat implications