It is important to keep web browsers up to date. Browser vulnerabilities can be exploited to steal information stored in the browser and to execute malicious code. For example, in September this year a CVSS 8.8 vulnerability (CVE-2023-4863) was identified in the libwebp image library, which is bundled with every major browser and can be triggered simply by rendering a crafted WebP image. The flaw affected Chrome, Edge, Firefox, Opera, Vivaldi, and Brave and allowed arbitrary code to be executed. The consequences of not updating promptly can be severe: if you store passwords in your browser, exploitation could expose all of them, and a threat actor could go on to take full control of the device.
While this campaign is new, fake browser updates have long been used for distributing malware through compromised websites and malicious adverts. It is therefore important to ensure that this method of attack is incorporated into your security awareness training campaigns to raise awareness of the threat. That is easy to do with the SafeTitan security awareness training and phishing simulation platform. For an additional layer of protection, you should consider using a web filter such as WebTitan. WebTitan will block user access to all known malicious websites and can be configured to block file downloads from the Internet, such as executable files and application installers.
For more information on the SafeTitan security awareness training platform and web filtering with WebTitan, contact TitanHQ today. Both solutions are also available on a 14-day free trial.
Businesses are being targeted in a malvertising campaign that uses Google Ads that impersonate the Webex download portal and trick them into downloading an installer for the video conferencing platform that delivers BatLoader malware.
BatLoader is a malware loader used to gain initial access to networks. It is often delivered via malvertising campaigns, bundled inside Microsoft Software Installer (MSI) packages, and the sites used to distribute it commonly rely on search engine optimization (SEO) poisoning to rank highly for search terms that employees are likely to use. Threat groups known to use BatLoader for initial access have used it to deliver QakBot, Raccoon Stealer, the Bumblebee loader, Cobalt Strike, and the Arkei information stealer. A BatLoader infection can easily lead to data theft and ransomware attacks.
BatLoader is evasive, and the threat actors behind BatLoader campaigns use living-off-the-land techniques once initial access has been gained, which makes malicious activity difficult to detect in the early stages of the infection chain.
One of the latest campaigns is a departure from the standard method of delivery as Google Ads are being used rather than SEO poisoning and the campaign stands out from other malvertising campaigns as the malicious adverts are indistinguishable from the genuine advertisements for Webex software.
The easiest red flag to identify in malvertising campaigns is the website offering the software download is not the official site used by the company being impersonated. This campaign, however, displays the correct Webex logo and the legitimate Webex.com URL in the Google Ad, and the adverts appear in position 1 at the top of the page. If the URL is clicked, however, the user will be redirected to a malicious website.
Checks are performed when the ad is clicked in an attempt to filter out automated crawlers and researchers using sandboxes. If the user is rejected, they will be directed to the official Webex site. If the checks are passed, they will be directed to the webexadvertisingoffer[.]com site where they will be offered a fake Webex MSI installer. In this campaign, BatLoader will be delivered along with the DanaBot banking Trojan. DanaBot is capable of stealing passwords, taking screenshots, providing direct access to compromised hosts, and is often used to download ransomware.
The threat actors are able to create legitimate-looking Webex ads by exploiting a loophole in the Google Ads platform using tracking templates. Rather than use a specific URL in the ad for all clicks, tracking templates allow the advertiser to specify the URL for the redirect based on user parameters, such as the device type, location, and other information.
While Google’s policy is that the display URL and the final URL must be on the same domain, the tracking template may redirect users to a different website. In this case, a Firebase URL is used for the tracking template which has a final URL of webex.com, but clicking the ad directs the user to a different URL at monoo3at[.]com where filtering takes place and users are either directed to the malicious download page or the official Webex site, depending on the fingerprinting that occurs at monoo3at[.]com.
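The check implied by the campaign above, as an added example that is not code from the original post or from the researchers who reported it: compare the registrable domain of the ad's display URL with every hop the click actually traverses, and flag a landing page that ends up off the advertised domain. The redirect chains below are constructed from the hosts named in the article; the Firebase tracking host is an assumed placeholder because the post does not give it, and the short public-suffix set is a simplification of the real Public Suffix List.

```python
from urllib.parse import urlparse

# A few multi-label public suffixes so registrable_domain() does not reduce
# "shop.example.co.uk" to "co.uk". Production code should use the full Public
# Suffix List; this short set is an assumption for the example.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://evil[.]com/x) back into a parseable URL."""
    return (url.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def host_of(url: str) -> str:
    return (urlparse(refang(url)).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1: the part of the hostname an advertiser actually owns."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_click(display_url: str, chain: list[str]) -> dict:
    """Compare the advertised domain with every hop a click traverses.

    Intermediate off-domain hops are normal for tracking templates and are only
    reported for review; a *final* landing page off the advertised domain is the
    condition that turns a tracking redirect into cloaking.
    """
    advertised = registrable_domain(host_of(display_url))
    hops = [(i, host_of(u)) for i, u in enumerate(chain)]
    off_domain = [(i, h) for i, h in hops if registrable_domain(h) != advertised]
    landing = registrable_domain(hops[-1][1]) if hops else advertised
    return {
        "advertised_domain": advertised,
        "off_domain_hops": off_domain,
        "landing_domain": landing,
        "lands_off_domain": landing != advertised,
    }


# Constructed chains modelled on the campaign described above. The Firebase
# tracking host is an assumed placeholder; the post does not name it.
AD_DISPLAY_URL = "https://www.webex.com/"
CLOAKED_CHAIN = [                       # what a real user sees after the click
    "https://example-tracker.firebaseapp.com/r?dst=webex",
    "hxxps://monoo3at[.]com/?c=1",      # fingerprinting hop
    "hxxps://webexadvertisingoffer[.]com/download/webex.msi",
]
SANDBOX_CHAIN = [                       # what a crawler or sandbox sees
    "https://example-tracker.firebaseapp.com/r?dst=webex",
    "hxxps://monoo3at[.]com/?c=1",
    "https://www.webex.com/",
]

if __name__ == "__main__":
    for name, chain in (("user", CLOAKED_CHAIN), ("sandbox", SANDBOX_CHAIN)):
        verdict = analyse_click(AD_DISPLAY_URL, chain)
        print(name, "->", verdict["landing_domain"],
              "CLOAKED" if verdict["lands_off_domain"] else "on-domain",
              "redirectors:", [h for _, h in verdict["off_domain_hops"]])
```

The two chains illustrate why a single crawl is not enough: the sandbox path lands on webex.com and passes, while the user path lands on the fake installer host. The same function can be run over the chains recorded by a proxy or web filter for every click on a paid search result.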
A web filter offers protection against malvertising by blocking access to known malicious websites such as the domain used in this campaign, restricting web activity to administrator-defined websites through category filtering, and blocking downloads of executable files. Administrators often block downloads of MSI files to protect against malware and to curb the installation of unauthorized software (shadow IT).
Security awareness training should also teach employees not to download files from unofficial websites. While the advert in this case is indistinguishable from the genuine site, the site offering the malicious installation package is not the official vendor site and the download can therefore be avoided.
TitanHQ can help businesses defend against malvertising through a combination of the WebTitan web filter and the SafeTitan security awareness training platform. Both solutions are available in a free trial, and product demonstrations can be arranged by calling the sales team.
TitanHQ has released WebTitan 5.03 which includes several new features that have been requested by managed service providers (MSPs) to improve usability, along with updated reports, layouts, and several bug fixes.
WebTitan is an award-winning DNS-based web filtering solution that has been adopted by thousands of SMBs, enterprises, and MSPs. WebTitan allows administrators to exercise control over the websites and web pages that can be accessed on wired and wireless networks through category-based and URL filtering, restrictions on file downloads from the Internet, and the blocking of malicious web content through constantly updated blacklists. WebTitan monitors and identifies malicious threats in real-time with unmatched speed, scale, and accuracy and has no limits on the volume of usage and no latency. WebTitan can be used to control Internet access on wired networks as well as off-network through the WebTitan On-the-Go (OTG) agent.
Notable feature upgrades included in WebTitan 5.03 include new customization capabilities for customers’ global default policies, which allow policies to be customized at the customer level. WebTitan 5.03 has the ability to inherit allowed and blocked domains from customers’ default policies, and support has now been added for allowing and blocking a top-level domain (TLD) on customer policy and global domains. MSPs benefit from customization of the global default policy at the MSP level, which allows custom default policies to be applied when creating customer accounts. Other enhancements include a new summary report page and an update to the layout of the custom block page. WebTitan 5.03 is now being rolled out to existing customers and is available to new customers.
Earlier this month, the SafeTitan security awareness training and phishing simulation platform received an update to add a new feature for MSPs to make it much easier for them to provide continuous training and phishing simulations to their customers. The Auto Campaigns feature allows MSPs to automate the provision of phishing simulation campaigns by creating an annual set of simulation campaigns for customers in a matter of minutes, greatly reducing the time that needs to be spent on planning and management. The new feature improves operational efficiency and profitability, eliminating the complexities of managing multiple customers’ security awareness training programs.
SpamTitan users are also due to receive an upgrade with the imminent release of SpamTitan version 9.01, which includes several new and advanced features to improve usability for MSPs. The upgrades include history/quarantine for MSPs to allow them to act on customer emails at the MSP level, Link Lock inheritance, which sees Link Lock inherited from the MSP level to avoid drilling down into individual domains, and pattern filtering for MSPs, which simplifies the administration of SpamTitan, allowing customers to be secured from one place. Email analysis has also been made easier with a simplified mail view, and a new ‘Add Products’ section makes it easier for MSPs to offer other TitanHQ solutions to customers to provide defense-in-depth security to their customers.
Managed Service Providers (MSPs) can easily boost their regular recurring revenue and help clients better protect against cyberattacks by providing security awareness training and phishing simulations. Security awareness training is now an essential part of any security strategy, as employees need to understand the threats they are likely to encounter and must learn how to recognize and avoid those threats. Cybercriminals are actively targeting employees as they know that they are a weak link in the security chain. Companies that fail to provide training to their workforce have a big security gap that cybercriminals can easily exploit.
Creating, running, and maintaining an effective employee security awareness training program can be a challenge for many businesses, which is why many turn to MSPs for help. Since security awareness training needs to be an ongoing process, MSPs that offer training can generate regular recurring revenue and, if they sign up with the right service provider, can make security awareness training a profitable service.
Security awareness training should be combined with phishing simulations – fake, but realistic phishing messages that are sent to the workforce to see how each employee responds. Any failure to identify a threat is turned into a training opportunity, and with SafeTitan, those failures instantly trigger training relevant to the threat that the employee failed to identify. That process is automated and ensures the employee is provided with relevant training at the point where it is likely to be most effective.
Creating phishing simulation programs need not be a time-consuming process. These campaigns could already be created through the MSP portal of the SafeTitan platform, but a new feature improves the efficiency of that process, allowing MSPs to set up and execute annual campaigns for their clients in just a few minutes. The new Auto Phishing Campaign feature allows MSPs to dramatically improve customer security awareness while reducing the time they have to spend planning and managing campaigns, significantly streamlining the process to improve the profitability of their phishing campaign service.
“By introducing automated campaign scheduling to SafeTitan, we are empowering our MSP partners to optimize their security training efforts, boost productivity, and deliver exceptional results to their clients,” said Ronan Kavanagh, CEO at TitanHQ. “This new feature aligns perfectly with our MSP First Strategy and provides innovative solutions that simplify the complexities of managing a client’s security awareness training.”
Cybersecurity awareness training for staff is a vital component of any cybersecurity strategy. Businesses should not totally rely on technical defenses to protect against cyberattacks, as sooner or later a threat will successfully bypass those defenses and reach an employee. Employees need to be made aware of cyber threats, be taught how to recognize them, and know what to do if they encounter a threat.
It is now common knowledge that cybercriminals use techniques such as phishing to steal login credentials, but surveys on cybersecurity awareness show that across a population, that knowledge is patchy and there are major gaps in understanding of cybersecurity. People generally understand that there are dangers on the Internet, and care must be taken, yet are unaware of what taking care means. Cybersecurity awareness training for staff is concerned with ensuring that all members of the workforce have a baseline level of understanding of cyber threats, are aware that they – as an individual – have a role to play in the overall security of their organization – and know how to work safely and securely.
Cybercriminals are constantly changing their tactics, techniques, and procedures to bypass technical controls such as secure email gateways and malware is constantly being tweaked to evade detection by antivirus solutions. Businesses are putting layered defenses in place to ensure that if there is a failure to detect a threat by any single security component, others will be in place to continue to provide protection. One of those layers of protection must be the workforce, as cybercriminals are actively targeting them and are looking for the errors they make as they provide an easy way to gain access to business networks.
A study by IBM indicates 95% of cybersecurity breaches are due to human error, and the 2022 Verizon Data Breach Investigations Report found 82% of data breaches involved the human element. Cybersecurity awareness training for staff will not prevent all errors and data breaches, but it will significantly reduce the number of security incidents that the IT team has to deal with.
Advice on Cybersecurity Awareness Training for Staff
The ultimate goal of cybersecurity awareness training for staff is to create a security culture, where everyone has the same views, values, and social behaviors that ensure the security of the entire organization. In practice, this means everyone is aware that malicious actors – internal and external – are trying to gain access to systems for financial gain or to achieve their political or personal objectives to the detriment of the organization or its workforce, and everyone behaves in a manner that makes it as hard as possible for those malicious actors to succeed. That is not something that will be achieved overnight, and it is not something that will be achieved if every employee is given a one-hour cybersecurity training session when they join the company. It requires a plan and an effective security awareness training program, and there are key components that will help an organization achieve that goal.
Cybersecurity is a shared responsibility
Everyone in the organization must understand that cybersecurity is a shared responsibility, with everyone playing a role in the security of their organization, from the CEO down to the lowest-level employee. Everyone should be provided with training to make them more security aware, and cybersecurity training should start with the C-suite, as they will need to set an example for others to follow.
Make everyone aware of cyber threats and know how to identify them
Cyber threats take many forms. It is important for everyone to be made aware of those threats, and be taught how they can be identified and avoided. You will not turn everyone into a security Titan overnight, so start with training on the most common threats and build up knowledge over time. Tailor your training course to different departments, roles, and individuals and concentrate on improving understanding of good cyber hygiene practices before building up to more advanced knowledge.
Reward people that practice good cybersecurity
It is important to work towards a culture of compliance with security best practices, and that will be very difficult to achieve if you punish employees for security mistakes. Instead, you should reward people for good security. If there are punishments for poor security, what you are likely to do is create a culture of fear around cybersecurity. The result will be employees keeping quiet if they make a mistake and not reporting it as they fear punishment.
Provide continuous training and make it enjoyable
Cybercriminals are constantly developing new ways to attack businesses and their employees, so training needs to be updated regularly to account for the changes in tactics and be provided regularly to keep security fresh in the mind. Provide training during the onboarding process, and then continuously thereafter, with the program running 12 months a year, provided in small chunks. There is a limit to how much information can be absorbed in a training session. A little and often is by far the best approach.
Automate staff cybersecurity awareness training
Use a training platform that automates training for all employees. This will ensure that no employee misses an important lesson and it will make it easier to track progress and provide feedback on how well each individual is doing. If individuals are not performing well, they can be automatically provided with more training content than individuals who have a very good grasp of security.
Measure and test
You need to regularly check your employees’ knowledge of cybersecurity and cyber hygiene practices. If you do not measure and evaluate, you will have no idea if your training program is effective and if there are any security gaps. Conduct regular assessments through quizzes to identify possible gaps in knowledge and conduct phishing simulations to determine if employees are applying that knowledge. Any gaps in knowledge can then be addressed through further training.
The SafeTitan Security Awareness Training Platform
TitanHQ offers businesses a comprehensive cybersecurity awareness training platform for staff that covers all aspects of security and allows training to be automated. The platform incorporates an extensive range of training content, designed to appeal to all styles of learning. The training content is interactive, fun, and engaging, and split into modules to allow training to be tailored to different departments, roles, and individuals. The modules last no longer than 10 minutes to help ensure knowledge retention.
The platform can be configured to automatically generate training content in response to security mistakes and will deliver training relevant to that mistake in real-time, thus ensuring it is provided at the time when it will have the greatest impact. SafeTitan also includes a phishing simulation platform to test employees’ awareness of phishing attempts – the most common cyber threat encountered by employees.
For more information on security awareness training with SafeTitan, give the TitanHQ team a call today and take an important step toward building a security culture in your organization.
Phishing is the most common vector used by cybercriminals to attack businesses, and attacks have grown in sophistication to the point where no single cybersecurity solution is effective at blocking all of these threats. Cybercriminals are constantly changing their tactics, techniques, and procedures to bypass cybersecurity solutions and fool end users, so businesses now need to implement multiple cybersecurity solutions to counter the threat, such as spam filters, web filters, antivirus software, endpoint detection solutions, and multi-factor authentication. They also need to provide security awareness training to teach employees how to recognize and avoid phishing and other cybersecurity threats.
With all of these solutions in place, you will be well protected from phishing attacks; however, it is important to also conduct phishing simulations on your employees. Many businesses provide security awareness training during the onboarding process and annually thereafter but then fail to conduct phishing simulations.
Phishing simulations are proven to improve protection against phishing attacks, with TitanHQ’s data showing customers who regularly conduct phishing simulations can reduce susceptibility to phishing attempts by up to 80%. In this article, we provide some of the reasons why phishing simulations are such an important part of any cybersecurity strategy and why they are so effective at improving the security posture of a business.
What are Phishing Simulations?
Phishing simulations are phishing attempts conducted by businesses on their own workforce. Emails are sent that closely mirror the phishing attempts that are conducted by cybercriminals in real-world attacks, the only difference being a failure will not result in a costly network compromise and data breach. Phishing simulations are typically conducted by the IT department, which can create a simulation program for the entire workforce that is tailored to the types of phishing threats that employees are likely to encounter.
When a simulated email is opened and any action is taken by an employee, the actions are logged. These simulations usually run continuously throughout the year with each employee receiving one or more simulated emails at random times each month. The emails range from phishing attempts that should be very easy to identify, to much more sophisticated phishing attempts.
Why are Phishing Simulations Important?
If you provide security awareness training, how can you tell whether that training has been effective and is actually reducing susceptibility to phishing attacks? You can conduct quizzes at the end of each training session, but they will not tell you whether the training is being applied in the workplace. Employees will likely remember the points raised at the end of the session but may forget them in a month or two. Phishing simulations provide valuable information about whether the training is working, because they are received by employees at moments when they are not thinking about security. The simulations therefore give a good indication of whether the training is working.
Security awareness training costs a business money, as the training must be paid for and will take employees away from their jobs. That money is usually very well spent, but the board will likely want to see the return on investment. Phishing simulations provide that data. Conducting phishing simulations before training and regularly thereafter will give a clear picture of how the spending on training is benefiting the business in terms of reducing susceptibility to phishing attacks.
Phishing simulations are not a way of catching employees out. They are an important part of the training process. If a simulation is failed, it simply means that the training has not been effective for that person against that specific type of threat. The failure should trigger a short training module about the type of email that was missed, delivered at the point of the failure. Without simulations, that weakness may only be revealed when a real threat arrives, and the employee would likely respond in the same way, resulting in an email account compromise. When an employee fails a simulation, they should automatically be scheduled to receive further simulated emails to help them improve their skill at detecting phishing.
Phishing simulations give employees practice at responding to phishing and help them develop ‘muscle memory.’ If an employee never gets any practice after the training session they are more likely to forget their training. Phishing simulations keep security fresh in the mind and are an important way of developing a security culture, where employees always stop and think before taking an action that could lead to a network compromise. They also help to condition the workforce to report any suspicious emails, which is vital for the IT security team.
Cybersecurity Solutions from TitanHQ
TitanHQ can help businesses improve their defenses against phishing and malware through three cybersecurity solutions and adopt a defense-in-depth strategy – SpamTitan Email Security, WebTitan DNS Filtering, and SafeTitan Security Awareness Training and Phishing Simulation. For more information on these solutions and to start conducting phishing simulations, give the TitanHQ team a call today. All TitanHQ solutions are available on a free trial to allow you to evaluate their effectiveness in your own environment before deciding on a purchase.
Healthcare cybersecurity awareness training is an essential part of HIPAA compliance. The HIPAA Security Rule calls for all HIPAA-regulated entities to “Implement a security awareness and training program for all members of its workforce (including management).” The HIPAA Security Rule implies that security awareness training should be ongoing, and the HHS’ Office for Civil Rights has confirmed this in its cybersecurity newsletters and guidance.
What the HIPAA Security Rule does not specify is the content of training courses. This stands to reason, as the speed at which technology is advancing far outpaces legislative processes. Any specific training requirements would quickly become dated. Instead, it is left to the discretion of each HIPAA-regulated entity what healthcare cybersecurity awareness training should entail, and that should be guided by a risk analysis.
The provision of healthcare cybersecurity awareness training should not be viewed as a checkbox item to ensure HIPAA compliance and avoid a financial penalty from the HHS’ Office for Civil Rights. Training really does make a difference and can greatly improve resilience to cyberattacks. The Verizon Data Breach Investigations Report for 2022 indicates 4 out of 5 data breaches in 2021 involved the human element – mistakes by employees that provided hackers with a foothold in the network or exposed sensitive data to unauthorized individuals. Healthcare cybersecurity awareness training will not prevent all of those breaches, but it will go a long way toward improving awareness of risks and eradicating risky behaviors.
Security awareness training should cover cybersecurity basics, from the importance of not remaining logged in when leaving a computer unattended to setting strong passwords, and the risks of unauthorized app installations, email, and Internet use. Employees should be made aware of the extent to which they are being targeted and the consequences of cyberattacks and data breaches, making sure that everyone understands that cybersecurity is a patient safety issue.
Healthcare cybersecurity awareness training also needs to cover the specific threats that employees are likely to encounter, with phishing one of the most vital components since it is one of the most common ways that cybercriminals gain access to healthcare networks. Training modules are important for teaching the theory, but when it comes to phishing, employees need to be given practice at recognizing phishing attempts, and the easiest way to do that is through phishing simulations.
Phishing simulations are not about catching employees out, they should be conducted as part of the training process to give employees practice at recognizing phishing and should include a range of difficulties. Simulations also help the IT department to discover the types of emails that are fooling employees. When employees are tricked by simulations, they can be provided with a short refresher training module that explains how the email could have been recognized as malicious. The next time that type of email is received, there will be a much better chance it will be identified and avoided. Providing on-the-spot training in response to these failures is vital, as that is the moment when the training is likely to be most effective.
TitanHQ’s SafeTitan platform is a comprehensive training platform covering all aspects of security, delivered through computer-based training sessions. The modules take no longer than 10 minutes each to maximize knowledge retention, and modules can be chosen for individuals, groups, and departments to ensure the training is relevant to each individual’s role. The platform includes behavior-driven training in response to security mistakes, with relevant content delivered automatically at the moment a mistake is made so that the intervention happens in real time. The training content includes training sessions, videos, and quizzes, has been developed to be enjoyable and entertaining as well as informative, and is regularly updated to incorporate emerging threats.
You will not be able to develop a security culture overnight, but through ongoing training and regular phishing simulations, the security awareness of the workforce will improve. Training data from the SafeTitan platform and the phishing simulator show that organizations can reduce susceptibility to phishing by up to 92% through regular training.
For more information on the SafeTitan platform, for a product demonstration or to sign up for a free trial, contact the TitanHQ team today.
Security experts have long recommended multi-factor authentication as a defense against phishing attacks, and for good reason. Single-factor authentication, a password alone, provides only limited protection against unauthorized account access: stolen password hashes can be cracked offline at enormous rates on modern GPUs, weak passwords fall quickly to automated guessing, and phishing sidesteps password strength entirely. If a user enters their password on a phishing site and the password is the only factor required, the attacker can log in to the account immediately.
Multi-factor authentication requires an additional factor before account access is granted, so a password that is guessed, cracked, or captured on a phishing page is not on its own enough to get into the account. It therefore greatly improves security, and more and more businesses are heeding the advice and adding multi-factor authentication to their accounts. It would be a mistake, however, to believe that multi-factor authentication is infallible. It can be bypassed, and threat actors are increasingly using a phishing kit that lets them access MFA-protected accounts by conducting an adversary-in-the-middle (AiTM) attack.
The attack starts like any other phishing attempt with initial contact made via email (or text message). The communication contains a ruse to get the user to click a link, such as a message indicating a contact has shared a file. The link directs the recipient to a website hosting the phishing kit, and to view the shared document they are required to enter their credentials. If the credentials are entered they are captured as they would be in any phishing campaign, but if multi-factor authentication is in place, account access would be prevented. With this phishing kit, however, multi-factor authentication is bypassed.
This is because the phishing kit acts as a proxy between the user and the legitimate service. The phishing kit will log in to the legitimate account using the credentials provided via the phishing site, and the legitimate site will send the MFA request which is relayed to the user. The user then authenticates and the legitimate site returns a session cookie as the MFA check has been passed, and the session cookie is then used by the attacker to access the service as the legitimate user. Access will remain possible for as long as the session cookie remains active.
This month, Microsoft’s Threat Intelligence Team reported that one such phishing kit is being offered by a threat actor it tracks as DEV-1101. The threat actor started offering the kit on hacking forums for just $100 a month as a licensing fee in the summer of 2022, but the huge popularity has seen the price increase to $300 a month, or $1,000 a month for a VIP license. Since the kit allows MFA to be bypassed, it is a small price for a threat actor to pay to guarantee their phishing attempts will be successful. There have been many takers, and the phishing kit has been used for high-volume campaigns that see millions of phishing emails sent each day. One of the campaigns involved more than a million messages in a single campaign.
While MFA can be bypassed, it does not mean that it shouldn’t be implemented. MFA is still an important security control that will block many unauthorized attempts to access accounts. Businesses should also enforce conditional access policies such as whitelisting IP addresses, only permitting compliant devices to log in, and setting up and enforcing geographical restrictions, and all sign-in requests should be evaluated and access continuously monitored for suspicious activity. Advanced anti-phishing measures should be implemented to block the initial phishing email to prevent the click. A web filter is recommended to control the websites that can be accessed by employees, and end-user training is important to help employees identify phishing attempts.
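The two paragraphs above describe how a stolen session cookie lets an attacker act as the user after the MFA check has passed, and what conditional access and continuous monitoring can do about it. The following is an added example, not code from the article or from TitanHQ, showing how a defender might implement both: it parses a constructed sign-in log, flags any session token that is later used from a different IP address or country than the one that completed MFA (the signature of a relayed cookie), and evaluates each sign-in against a simple conditional access policy with an IP allow list, a country restriction, and a compliant-device requirement. The log format, field names, policy values and sample events are all assumptions made for illustration; real identity providers expose different schemas.

```python
"""Detect reuse of an MFA-authenticated session from a new location and
evaluate sign-ins against a conditional access policy.

Added example, not code from the original article or from TitanHQ.
The log format, field names, policy values and sample events below are
constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample sign-in log: alice passes MFA from one address, then her
# session token is used minutes later from another IP and country; bob's
# session stays on its original address.
SAMPLE_LOG = """\
2023-03-14T09:01:12Z user=alice@example.com event=mfa_success session=s1 ip=203.0.113.10 country=IE device_compliant=true
2023-03-14T09:02:40Z user=alice@example.com event=resource_access session=s1 ip=203.0.113.10 country=IE device_compliant=true
2023-03-14T09:06:05Z user=alice@example.com event=resource_access session=s1 ip=198.51.100.77 country=RU device_compliant=false
2023-03-14T09:10:00Z user=bob@example.com event=mfa_success session=s2 ip=203.0.113.22 country=IE device_compliant=true
2023-03-14T09:12:30Z user=bob@example.com event=resource_access session=s2 ip=203.0.113.22 country=IE device_compliant=true
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    event: str
    session: str
    ip: str
    country: str
    device_compliant: bool


def parse_log(text):
    """Parse the constructed 'timestamp key=value ...' log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append(SignIn(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            user=fields["user"],
            event=fields["event"],
            session=fields["session"],
            ip=fields["ip"],
            country=fields["country"],
            device_compliant=fields["device_compliant"] == "true",
        ))
    return events


def find_session_anomalies(events):
    """Flag a session token used from a different IP or country than the
    sign-in that passed the MFA challenge. A cookie captured by a phishing
    proxy and replayed by the attacker shows up exactly this way."""
    origin = {}      # session id -> the sign-in that completed MFA
    anomalies = []
    for ev in sorted(events, key=lambda x: x.ts):
        if ev.event == "mfa_success":
            origin[ev.session] = ev
            continue
        first = origin.get(ev.session)
        if first is None:
            anomalies.append((ev.session, "session used without a recorded MFA event"))
        elif ev.ip != first.ip or ev.country != first.country:
            anomalies.append((ev.session,
                              f"session moved from {first.ip}/{first.country} "
                              f"to {ev.ip}/{ev.country}"))
    return anomalies


# Constructed conditional access policy covering the three controls named
# in the text: IP allow list, geographic restriction, compliant devices only.
POLICY = {
    "allowed_networks": [ip_network("203.0.113.0/24")],
    "allowed_countries": {"IE", "GB"},
    "require_compliant_device": True,
}


def evaluate_access(ev, policy=POLICY):
    """Return the policy violations for one sign-in (empty list = allow)."""
    reasons = []
    if not any(ip_address(ev.ip) in net for net in policy["allowed_networks"]):
        reasons.append("ip not in allow list")
    if ev.country not in policy["allowed_countries"]:
        reasons.append("country blocked")
    if policy["require_compliant_device"] and not ev.device_compliant:
        reasons.append("device not compliant")
    return reasons


def review(text):
    """Run both checks over a log and return what an analyst would act on."""
    events = parse_log(text)
    denied = [(ev.session, ev.ts.isoformat(), evaluate_access(ev))
              for ev in events if evaluate_access(ev)]
    return {"anomalies": find_session_anomalies(events), "denied": denied}


if __name__ == "__main__":
    for section, items in review(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

Note that the policy check alone would have denied the relayed request in this constructed log, but the session-movement check is the one that still fires when the attacker's proxy sits inside an allowed network or country, which is why the text recommends continuous evaluation of sign-ins and not just a gate at login.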
TitanHQ can help protect against these attacks through SpamTitan Email Security, WebTitan Web Filtering, and SafeTitan Security Awareness Training. All three solutions are available on a free trial to allow businesses to evaluate the solutions in their own environments before deciding on a purchase. For further information give the TitanHQ team a call.
Security awareness training will help to make employees aware of the importance of security and cybersecurity, teach security best practices, and train employees how to identify, avoid, and report threats that they encounter; however, to get the best return on investment and make significant improvements to your organization’s security posture, there are important things to consider. In this article, we provide some security awareness training tips to help you create and maintain a training program that will deliver the results you seek.
There is no one-size-fits-all approach
Many businesses make the mistake of developing a security awareness training plan for the entire organization and provide all employees in the organization with the same training course. While this approach can help to ensure everyone has an understanding of basic security concepts, in practice it doesn’t work. The best approach is to have a modular training course that allows training courses to be tailored to different individuals, departments, and roles. The training required by the IT department will be different from the HR department, C-suite, sales staff, and front-line staff, as the threats they are likely to encounter will be different. Tailoring training to make it relevant will help to engage employees.
Training needs to be an ongoing process
You can – and should – provide training as part of the onboarding process, and then provide periodic training thereafter to keep security fresh in the mind and keep employees up to date on the latest threats. While it was once acceptable to provide an annual training session, the speed at which the threat landscape is changing means that such an approach no longer works. Training needs to be provided continuously if you are to stand any chance of changing employee behavior and creating a security culture in your organization. Providing training each month – such as a couple of short 5-10 minute training modules – will help to keep employees up to date on the latest threats and keep security fresh in the mind until their next annual training session.
Intervention training is the most effective
The best time to provide training is immediately after an error has been made, as that is the time when the training is likely to have the greatest effect. If an employee is tricked by a phishing email, training immediately will help them to learn where they went wrong so they do not make a similar mistake again. If you use the SafeTitan training platform, training is automatically provided in response to mistakes by employees specific to the mistake they made or the threat they failed to identify.
Use a variety of training materials
People learn in different ways, and while some employees will learn best in a classroom setting, others will learn better through videos, online training, quizzes, posters, email alerts, and other methods. You should ensure that you include a variety of media in your training. This will help to improve engagement and get the message across to all employees.
Conduct phishing simulation exercises
Training sessions – whether online or in group sessions – are great, and if quizzes are conducted at the end of the sessions, you can tell who has taken the training on board, but you will not know if the training is being applied. You should strongly consider conducting phishing simulations on the workforce to test whether training is having any effect and to identify any types of threats that employees are failing to correctly identify. Phishing simulations reinforce training, help organizations deliver targeted training where it is needed, and allow them to monitor the effectiveness of training over time. If you are not measuring how effective your training is, you will not know whether you are actually making a difference or just wasting time and money.
Use a quality training platform
There is no need to develop training programs from scratch. Use a vendor that provides quality, engaging training content and regularly updates the training in response to emerging threats. The SafeTitan platform includes a wealth of engaging, gamified training content that is enjoyable and relevant and allows organizations to create and automate tailored training for each individual. SafeTitan will deliver targeted training in response to errors by employees and the platform includes a huge number of phishing templates for running phishing simulations. Organizations that adopt SafeTitan can reduce susceptibility to phishing threats by up to 80%.
In this article, we provide 5 reasons why security awareness training is important. If you run a business and do not provide security awareness training to your workforce, you are taking a big risk.
Data breaches are being reported with increasing frequency and with people leading more and more digital lives, there is a lot more data to steal. The Have I Been Pwned service includes a database of usernames and passwords that have been exposed in data breaches. The database now includes 12 million credentials showing just how common data breaches have become. Data breaches are also becoming costlier to resolve. The IBM Security 2022 Cost of a Data Breach report indicates the average cost of a data breach is now $4.35 million, a 2.6% increase from the previous year.
So how can security awareness training help a business and why is it so important?
1. Helps to Prevent Data Breaches
Businesses store sensitive data, whether that is customer data, financial information, contact lists, or proprietary company information. That information is valuable to cybercriminals as business and customer data can be easily monetized and sold on the dark web. Cybercriminals actively target businesses for the data they hold and misuse or sell that information, or encrypt it to prevent the business from operating, requiring a ransom payment to get the information back. You can implement technical defenses to repel these attacks, but technical defenses are not 100% effective, and attacks often target humans – malicious emails, websites, phone calls, and text messages. Security awareness training is a vital component of any security strategy. All members of the workforce need to be trained on how to recognize and avoid threats. Security awareness training reduces susceptibility to cyber threats and helps to prevent data breaches.
2. Avoid Regulatory Fines and Litigation
Companies of all sizes are required to comply with regulations at the local, state/regional, and Federal level that have data retention and privacy and security requirements. For instance, there is the General Data Protection Regulation in the EU that requires data protection by design and default, and industry regulations such as FISMA (financial services) and HIPAA (healthcare) that have security awareness training requirements. The failure to provide security awareness training can result in significant financial penalties, and if tax records are lost in a ransomware attack, companies can still be fined for not producing those records. By preventing cyberattacks and data breaches through end user training, companies will also reduce the risk of litigation. Lawsuits are now commonly filed after data breaches.
3. Improve Productivity and Save Money
Security awareness training comes at a cost. You will need to devise your own training course, pay for a third-party trainer, or most commonly, invest in a third-party security awareness training platform. For every hour of training provided to an employee, that is an hour of lost productivity. These costs should be seen as an investment that will give you a return. The money spent on training and the time devoted to it will be recouped in terms of productivity gains by preventing ransomware attacks and data breaches. The cost of remediating cyberattacks and data breaches is far higher than the cost of security awareness training to prevent them.
4. Improve Employee Well-being and Job Satisfaction
Security awareness training is concerned with improving cybersecurity defenses, but it is also an investment in people. Businesses that provide security awareness training are teaching their employees to be more security aware at work, but this is a transferable skill and one that is valuable to employees not just in future work positions but also in their personal lives. Train employees to be more security aware and they can apply those lessons at home and avoid personal data breaches and financial losses, which helps to reduce stress and improve mental, emotional, and physical health.
5. Helps to Protect Your Company’s Reputation
One of the most damaging effects of a cyberattack or data breach is the impact on your company’s reputation. Surveys suggest that following a cyberattack that exposes sensitive customer information, two-thirds of customers would take their business elsewhere and would never return. The amount of time, money, and effort that goes into building a business can be lost overnight. Many businesses will be able to weather a cyberattack and take the financial hit, but the reputational damage can take many years to recover. The reputational damage is one of the main reasons why 60% of small businesses cease trading within 6 months of a data breach.
SafeTitan from TitanHQ
TitanHQ offers businesses a comprehensive security awareness training solution for businesses called SafeTitan. The platform includes an extensive library of training content, divided into short (max 10-minute) computer-based training modules that are easy to fit into busy workflows. The training content is fun, gamified, and engaging, and helps to build a security culture and eradicate risky practices. The platform also includes a phishing simulator for testing whether employees can recognize phishing attempts – the most common way that cybercriminals attack businesses. Phishing simulation data shows susceptibility to phishing attacks can be reduced by up to 80% with SafeTitan.
If you have yet to provide security awareness training to your workforce, you will be missing out on all the above benefits. So why not make a start today, starting with a free trial of SafeTitan?
Businesses can significantly improve their security posture by investing in people and providing security awareness training. Many cyberattacks target employees, as they can be tricked into disclosing sensitive information or installing malware. Through training, you can eliminate risky security practices that open the door to hackers and can show employees how to recognize cyber threats and how they should respond when such a threat is identified.
Providing a once-a-year training session covering all aspects of security will help to improve security awareness, but this is not the most effective approach, and it is unlikely to allow an organization to achieve the ultimate goal of security awareness training – to develop a security culture throughout the organization. To help you get the best possible return on your investment in security awareness training, consider these 7 approaches.
1. Ensure You Communicate That Everyone Has a Responsibility When it Comes to Cybersecurity
It is a commonly held view that cybersecurity is the sole responsibility of the IT department. The IT department should implement safeguards and technology to block and identify threats, but everyone has a role to play in the cybersecurity of the organization, including the CEO, CISO, managers, and workers. Cybersecurity is a collective responsibility, and this should be clearly communicated.
2. Security Awareness Training is an Ongoing Process
If you provide a once-a-year training session that covers all aspects of security, this is likely to improve awareness of the basic lessons of security – Don’t click on links or open attachments in unsolicited emails, log off when you leave your computer, don’t plug in a USB drive you find in the street, make sure you set a strong, unique password for all accounts, and so forth. However, you cannot expect employees to be aware of the latest threats and tactics that are being used by malicious actors with this approach. Security awareness training needs to be an ongoing process. A once-a-year training session is great as a refresher on security best practices, but you should be continuously providing training on the latest threats in short training sessions each month. A couple of 10-minute training modules every month will help to keep security fresh in the mind and keep employees abreast of the latest tactics that are likely to be used by malicious actors against them and the organization.
3. Conduct Phishing Simulations
Phishing simulations are a great way to reinforce training and give employees practice at identifying phishing threats in a safe environment. Conduct phishing simulations of varying difficulty on the entire workforce, and if individuals fail, this can be turned into a training opportunity. They can be told where they went wrong, and how they could have identified the threat so that the next time such a threat is encountered, they will be more likely to recognize it as such and avoid it. Phishing simulations allow businesses to take proactive, targeted action to improve security awareness where it is needed and strengthen the weak links before they are found and exploited by malicious actors.
4. Reward, Don’t Punish
You are likely to achieve much greater success if your security awareness training program recognizes and rewards individuals who do well, rather than punishes those that get things wrong. If you punish employees for getting things wrong, that is likely to result in a culture of fear, which can lead to a bad working environment where mistakes are actually more likely to be made. Focus on rewarding or recognizing the individuals that get things right and always look for opportunities to celebrate success. If employees fail phishing simulations or make mistakes, make sure you communicate that this simply means there is a need for further training.
5. Make Security Awareness Training Fun and Engaging
Many people will find cybersecurity training dull and boring. Rather than provide lengthy training sessions and give out long boring printouts, use a computer-based training course that has fun, engaging, and gamified content. Use a variety of training tools including videos, demonstrations, quizzes, and other interactive methods to engage employees. Make training fun and enjoyable, and the message is more likely to be taken on board.
6. Tailor the Training Course for Individuals
Everyone learns in their own way and at different speeds, so a one-size-fits-all approach is unlikely to give you the best return on your investment. The training course should be tailored for individuals. If the course is too basic for people with a high degree of knowledge, they will get bored. If it is too technical for individuals who have a poor understanding of cybersecurity, they will get confused. Tailor the training course to get the best ROI. For that, you will need a modular training course that supports this flexibility.
7. Constantly Update Your Training Course
The threat landscape is constantly changing, and tactics, techniques, and procedures of cybercriminals evolve, so your training course should too. Keep abreast of the changing threat landscape and ensure your training course is updated accordingly, and that you include the latest phishing tactics in your phishing simulations. Choose a vendor that constantly updates its training content and this will be simple.
SafeTitan from TitanHQ
TitanHQ provides a comprehensive security awareness training platform for SMBs, enterprises, and managed service providers called SafeTitan. The platform includes an extensive library of training content on all aspects of security, with the courses divided into short computer-based training modules of no more than 10 minutes, which makes them easy to fit into busy workflows.
The training content is fun, gamified, and engaging, and is proven to help eradicate risky security practices and reduce susceptibility to phishing attempts. The platform is flexible, allowing customized training content to be provided that is tailored to individuals’ roles and the threats they are likely to encounter, and the platform and training courses can be easily customized to meet the needs of businesses of all sizes.
The platform includes a phishing simulator for testing whether employees can recognize phishing attempts – the most common way that cybercriminals attack businesses. Phishing simulation data shows susceptibility to phishing attacks can be reduced by up to 80% with SafeTitan.
If you have yet to provide security awareness training to your workforce and are not conducting phishing simulations, the ideal time to start is now. Contact TitanHQ today for more information or sign up for a free trial of the solution and put it to the test before deciding on a purchase.
Businesses look to their managed service providers to protect them from cyber threats such as phishing, and while many are able to deliver advanced spam filters and web filters, MSPs should also provide another layer of protection: one that addresses the human element of these attacks.
Phishing attacks target employees, and while it is important to implement technical measures to block those messages, it is not possible to prevent every phishing message from reaching inboxes. Given the volume of phishing messages now being sent, and the constantly changing tactics, techniques, and procedures of cyber threat actors, it is inevitable that some messages will land in inboxes. The bottom line is employees need to be trained how to recognize phishing attempts – they are the last line of defense.
One of the greatest benefits to come from security awareness training is getting employees to stop and think, and not blindly believe that every email or SMS message is genuine because it appears to be from an official source and provides a reasonable reason for taking a certain action. Training employees to be curious and to question is a vital part of developing a security culture.
Data from customers of TitanHQ who have started using the SafeTitan security awareness training and phishing simulation platform show clear benefits of the training. Over time, susceptibility to phishing attempts reduces as evidenced by the number of individuals who fall for simulated phishing emails. This has also been confirmed by MSPs that have started providing security awareness training and phishing simulations to their clients.
It is important, however, for MSPs to carefully consider the training platform they use. Providing training is one thing. Getting end users to engage with it and take it seriously is another. The training content needs to be informative, but it must also be enjoyable. Gamification is a key element to keep users engaged and quizzes are great for confirming the lessons have been understood. The training content also needs to be delivered in easily assimilated chunks. Training modules of no more than 10 minutes are best, as this is ideal for ensuring maximum knowledge retention and fitting the training into workflows.
Phishing simulations are an important part of the training process, not just for identifying individuals who require further training, but also for identifying the specific types of phishing emails that are working and are fooling employees. Training can then be tailored to address those security gaps. Phishing simulations need to be realistic, and since these emails will be sent over a long period of time, there needs to be considerable variation. Many different templates are needed to test different phishing tactics and the training platform needs to have constantly updated phishing templates, as real-world attacks are rapidly evolving too.
Phishing simulation failures need to trigger on-the-spot training. The training needs to be automated, so it will be delivered instantly when it is likely to have the most effect. The platform should also notify end users when they successfully reported a simulated phishing email or correctly identified a phishing attempt, to encourage them and praise them for being attentive.
Ultimately, security awareness training is vital for all businesses and a critical component of any cybersecurity strategy. MSPs that can offer this service to their customers can gain a significant competitive advantage, help their customers better defend against attacks, reduce the support time by preventing successful attacks, and ultimately save their clients money. However, there are important features of training products that MSPs need to look out for.
They need a solution that has the maximum impact for the minimum effort, as MSPs have a great deal of work to perform for many customers. The solution must be able to be used efficiently and allow much of the setup and training to be automated, and for reports to be automated and scheduled to send to clients to show them how effective the training is.
TitanHQ has developed the SafeTitan platform to meet the needs of MSPs, with recent updates making it even easier for MSPs to provide this service. These include direct injection of emails to inboxes to make sure they are not filtered out by email security solutions, easy segmentation of customers into groups to allow bulk configuration and changes to campaigns, and – as is the case with all TitanHQ solutions – making sure there is an excellent user experience, which means easy administration and low maintenance.
Security awareness training is a big opportunity for MSPs and can greatly improve the security posture of their clients. Talk to TitanHQ today about getting started and to find out how easy it is to add this important layer of protection to your service stack.
In this article, we explain the importance of security awareness training and the benefits for MSPs of adding security awareness training and phishing simulations to their managed services.
Security Awareness Training Works!
Security awareness training and phishing simulations have been proven to reduce the susceptibility of employees to phishing attacks. Through an ongoing program of training and testing, the average response rate to phishing attempts falls from the pan-industry average of 37.9% to less than 3%. Some employees are prone to click on links in emails and open attachments despite being given training, so getting the response rate lower may not be possible, but such a massive reduction in responses to phishing emails will save several times more money than the cost of providing training to the workforce.
Despite the high ROI of providing training, 57% of SMBs provide no security awareness training to their workforce whatsoever. When training is provided, it is often provided to new employees during the onboarding process, or as a once-a-year training session. The threat landscape is constantly changing and new phishing and malspam campaigns are constantly being developed to fool employees, so for training to be effective it must be an ongoing process.
Phishing is one of the main ways that ransomware actors gain initial access to networks, and according to the Verizon Data Breach Investigations Report, 82% of security breaches involve a human element. Given the extent to which employees are targeted, the rapidly changing threat landscape, and the high percentage of data breaches that are caused by human error, training is vital.
SMBs are Requesting Security Awareness Training from Their MSPs
The problem for many SMBs is they lack the in-house staff and the resources to create effective training campaigns. Training content needs to be constantly updated to teach employees about the emerging techniques used by threat actors. For this reason, many SMBs turn to third-party companies and use their solutions to train their workforce, and it is becoming increasingly common for SMBs to ask their managed service providers to assist with training and conducting phishing simulations.
Phishing simulations are a vital part of the training process, as they give employees practice at identifying phishing attempts outside of a training setting; however, there is potential for things to go wrong when these simulations are conducted by SMBs on their own staff. Having a managed service provider conduct the campaigns can be highly beneficial for SMBs. That extra degree of separation can help to prevent bad feeling amongst employees that management is trying to catch them out.
Interestingly, despite the benefits of security awareness training and phishing simulations and the demand from SMBs, only 60% of MSPs currently offer security awareness training and phishing simulations to their clients as part of their managed security services. The security awareness training market is now estimated to be worth $1 billion annually and is growing at a rate of 13% a year, and MSPs that provide security awareness training and phishing simulations as part of their managed services are reaping the rewards. They profit from providing the training, reduce the susceptibility of their client organizations to phishing attacks, and reduce the time they need to spend helping clients recover from successful attacks. MSPs may be surprised to hear that 69% of SMBs said they would hold their MSP accountable at some level for a successful phishing attack.
One of the problems that MSPs face when they consider offering security awareness training as a managed service is finding a suitable platform that allows them to easily provide training and automate the training and conduct phishing simulations. TitanHQ is now happy to announce that its award-winning security awareness training and phishing simulation platform – SafeTitan – has now been upgraded and has a host of new features to meet the needs of MSPs.
SafeTitan for MSPs – An MSP-Friendly Security Awareness Training and Phishing Simulation Platform
TitanHQ has conducted extensive research to find out exactly what MSPs need from a security awareness training platform. The company asked its MSP advisory council and extensive MSP customer base about aspects of the SafeTitan platform that could be improved to make it even better for MSPs. After extensive research and further development, TitanHQ is happy to announce that SafeTitan for MSPs has been launched.
MSPs already familiar with the security awareness training and phishing simulation platform may notice several new features that have now been added, which make it much easier to conduct mass training campaigns and phishing simulations. The MSP dashboard has been improved to make it easy for quick actions to be performed and to access live analytics and schedule client reports to demonstrate the ROI, either weekly, bi-weekly, quarterly, bi-annually, or annually.
The solution can be provided as a white-label product that can take the MSP’s branding or be branded for their clients. Clients benefit from 80+ videos, training sessions, and webinars; the training content is provided as modules of 8-10 minutes at most so it can be completed without impacting productivity; and the phishing simulation platform has over 1,800 phishing templates based on real-world phishing and smishing attacks.
MSPs can easily set up and automate training and phishing simulations so that this managed service requires little in the way of actual management by the MSP. The solution is SSO-ready to avoid the annoying entry of login credentials, and now has direct email injection to ensure that simulated phishing emails are delivered without having to configure allow lists and firewalls. If campaigns need to be modified, it is easy to make tweaks such as adding additional users. When phishing simulations are failed, the solution will automatically trigger targeted training in real time in response to the specific failure.
We genuinely believe that we have created the ideal security awareness training and phishing simulation platform for MSPs and invite you to book a free product demonstration to see the product in action and have all the features explained.
Email may be the most common vector used in phishing attacks, but there has been a marked rise in other forms of phishing in 2022, such as voice phishing (vishing) and SMS phishing (smishing).
Voice phishing or vishing attacks are conducted over the telephone and use similar social engineering techniques to email phishing. The scammer impersonates a trusted individual or company and uses either a threat or a potential reward to trick the victim into disclosing sensitive information, downloading a malicious file, or opening a remote desktop session with the scammer. These scams often involve caller ID spoofing to make it appear that the call is being made from a legitimate number, such as a hospital, business, or government department.
Oftentimes, the scammer has information about the victim to make it seem like an official call or that there has been previous contact. This information is obtained from past data breaches or can be collected from public sources such as social media profiles. Vishing is commonly used in tech support scams, where an unsolicited call is made by the threat actor who claims to work at a cybersecurity company or a broadband provider and requires the victim to pay to have a fictitious malware infection resolved or must download fake software to resolve the issue.
Vishing attacks are also conducted impersonating the IRS, with the caller advising the victim that they are due a rebate or have outstanding tax, or threatening legal action, all with the aim of obtaining sensitive information. Banks are often impersonated, with the victim convinced to confirm their identity by disclosing their bank details or credit card number. The caller is usually coercive and the issue at hand supposedly requires urgent action to correct.
Several campaigns have been conducted on healthcare targets in the US. In one campaign, senior executives at a hospital were targeted, with the caller claiming to be a representative of Medicare. The caller requested a Social Security number for verification of identity. Patients of Spectrum Health and Priority Health were targeted, with the scammers spoofing the caller ID to make the calls appear to have been made using the genuine hospital phone number, with victims pressured into providing sensitive personal and health information to the scammers.
A smishing attack is a phishing attack conducted via SMS messages. These attacks are becoming increasingly common and are used to obtain sensitive information such as credit card numbers or login credentials, and often trick the recipient into downloading malicious code to their mobile devices. They take advantage of the relative unfamiliarity of this form of phishing and of the small screen size of mobile phones, which do not display the full URL of a website, making it easier for scammers to hide their malicious URLs. Mobile phones are also much less likely to have antivirus software installed than desktop computers and laptops, which makes it easier for malicious code to be downloaded undetected.
Smishing attacks often involve messages purporting to be from a bank that request financial information, or are used to distribute banking Trojans that spoof the login page of a financial institution to steal banking credentials. The IRS has recently issued a warning about an exponential rise in smishing attacks impersonating the IRS in 2022. These scams use a variety of lures such as warnings about unpaid tax bills, law enforcement action, and tax rebates. The IRS warned that smishing attacks are being conducted on an industrial scale, with hundreds of thousands of smishing messages delivered in hours or a few days.
How to Defend Against Vishing and Smishing Attacks
The problem for businesses is few cybersecurity solutions can identify and block vishing and smishing attacks. The key to defending against these attacks is education. Businesses should be providing security awareness training to the workforce to teach cybersecurity best practices and to raise awareness of cyber threats. Email phishing is usually extensively covered in training courses, but it is also important to ensure vishing and smishing attacks are covered.
This is an area where TitanHQ can help. TitanHQ offers businesses the SafeTitan security awareness training platform – a comprehensive security awareness training platform with gamified, interactive, and enjoyable security awareness training content covering all aspects of security, including phishing, vishing, smishing, and other social engineering methods. The training modules are short, allowing them to be easily fitted into busy workflows, and the training content has been proven to reduce susceptibility to all forms of phishing attacks. SafeTitan also includes a phishing simulation platform to allow businesses to test the effectiveness of their training.
For more information on how you can improve your human defenses against phishing and other cyberattacks, contact the TitanHQ team today.
TitanHQ is proud to announce that the company has been recognized in the Fall 2022 Expert Insights ‘Best-Of’ awards, and collected five awards for email security, email archiving, web security, phishing simulation, and security awareness training.
The Expert Insights ‘Best-Of’ awards recognize the leading cybersecurity solutions that businesses are using to keep their networks and sensitive data secure. Selecting the best software solutions to use can be a challenge for businesses. Expert Insights makes that process easier by providing objective and honest reviews and advice, producing buyers’ guides, and other valuable information to help businesses choose the best software solutions to meet their needs. Each month, more than 85,000 businesses use the Expert Insights website, with the site having more than 1 million visitors a year.
The Fall 2022 Best-Of awards were split into 41 categories. The Expert Insights editorial team conducted research to identify the best cybersecurity solutions on the market for inclusion in each category, with each category containing up to 11 software solutions. Those solutions are selected based on several criteria, such as the feature set of the products, their ease of use, the market presence of the company, and how genuine business users of the solutions rate the products. There naturally needs to be a winner in each category, but simply being included in the list confirms the quality of a product.
TitanHQ collected 5 Best-Of awards in the following categories:
Best-Of Email Security – SpamTitan
Best-Of Security Awareness Training – SafeTitan
Best-Of Phishing Simulation – SafeTitan
Best-Of Web Security – WebTitan
Best-Of Email Archiving – ArcTitan
In addition, SpamTitan was rated as the top email security solution in the category and ArcTitan was rated top in the email archiving category. Vendors ESET and CrowdStrike also performed exceptionally well and picked up multiple awards.
“We are honored that TitanHQ was named as a Fall 2022 winner of Expert Insights Best-Of award for phishing simulation, email security, security awareness training, web security and email archiving,” said TitanHQ CEO, Ronan Kavanagh. “Our cloud-based platform allows partners and MSPs to take advantage of TitanHQ’s proven technology so they can sell, implement and deliver our advanced network security solutions directly to their client base.”
Phishing simulations are an invaluable training tool and have been proven to help reduce the susceptibility of the workforce to phishing attacks. Phishing simulations are more than just a tool for testing whether employees have understood their training. Quizzes at the end of training sessions are good for that, but phishing simulations test whether the training is being applied when employees are working and not focused on cybersecurity.
If a cybercriminal were to send an employee a phishing email at the moment an employee had finished a training course, chances are the employee would recognize the email for what it is. The longer the time between the training ending and the threat being encountered, the greater the chance that the employee will be fooled.
Phishing simulations test whether employees are likely to be fooled by a real phishing email. The simulations are expected, but employees do not know when the simulations will take place. Phishing simulations mimic real world phishing attacks and tell an organization how an individual is likely to react if a real threat lands in their inbox.
If an employee fails one of these simulations and clicks a link, opens an attachment, or responds in another risky manner, an alert is immediately generated, and the employee is told what went wrong and how it was possible to tell that it was a phishing attempt. The employee can then be provided with a brief training session – generated by the phishing simulator – on how to respond when similar emails are received.
When ongoing security awareness training is provided and phishing simulations are conducted, security awareness improves. Over time, the combination of training and simulations greatly reduces susceptibility to phishing emails – much more than providing training alone. There are, however, some common mistakes that are made by employers that reduce the effectiveness of these phishing tests.
Mistakes to Avoid When Conducting Phishing Simulations
If you want to get the best return on your investment in training and phishing simulations, it is important to set up your program correctly and to avoid making these common mistakes.
Not Telling Employees You Will Be Conducting Phishing Simulations
Don’t broadside employees. Tell them during their training that you will be conducting phishing simulations as part of the training process. If employees are unaware you will be using simulations, they may feel that you are trying to catch them out. Make sure employees are aware that you are conducting these tests to identify training needs and to test how effective your training program has been. Don’t tell employees when you will be sending the emails, and make sure the HR department and other stakeholders are aware that you are conducting phishing simulations.
Making the Simulations Too Difficult
You want to test how employees will respond to a real phishing email; however, building up security awareness is a process. Your simulation program should include emails of varying degrees of difficulty and it is best to start with phishing emails that are relatively easy to identify. That will help build confidence.
Not Conducting Phishing Simulations on the Board
Members of the board are targeted in whaling attacks. They have the highest level of privileges and the credentials for their accounts are the ultimate goal in many phishing campaigns. You want to improve the security awareness of the board, so ensure they are included in your phishing tests. Also don’t avoid conducting phishing attacks on infrequent email users. Any credentials can be valuable. Attackers can use them to conduct internal phishing campaigns and move laterally.
Conducting Phishing Simulations on Everyone at the Same Time
If you use the SafeTitan phishing simulator you can create your simulation program and schedule emails to be sent at set times. Don’t send the same emails to everyone at the same time, as employees will likely tip each other off. You will then not get valid results. Vary the times you send the emails and target different individuals in a department at different times.
Not Providing Retraining in Real-Time
You should not be conducting these campaigns and then sitting on the results until you can arrange a training course for everyone that failed the test. The simulator should be configured to automatically tell a user when a test was failed and assign immediate training. The training modules should be brief, and concisely explain how the threat could have been avoided. It should only take a couple of minutes, but that training is likely to be much more effective when delivered instantly.
Punishing Employees for Failing Phishing Simulations
It may be tempting to punish employees who repeatedly fail phishing simulations, but this approach is best avoided. The goal of training and phishing simulations is to change employee behavior. You are likely to have far greater success achieving that goal by encouraging employees to take security seriously rather than punishing them for failures. Focus on positives – departments that performed well, individual successes – rather than any failures.
SafeTitan Security Awareness Training and Phishing Simulations
SafeTitan is a comprehensive security awareness training platform that makes it easy for businesses to develop training courses for their employees. The content consists of short training modules on all aspects of security, allowing businesses to create tailored and relevant training courses for the entire workforce, and the phishing simulator has hundreds of customizable templates for conducting realistic phishing tests. The training content is gamified, engaging, and fun, and when combined with simulations, has been proven to be highly effective at changing employee behavior and reducing susceptibility to phishing and other cyberattacks.
Phishing emails are commonly used to distribute malware and in recent years malware loaders have been a common payload. Malware loaders include the likes of BazarLoader and Bumblebee, which are used to infect devices with the goal of delivering the malware and ransomware payloads of other threat groups.
Security researchers have identified a relatively new malware loader dubbed Matanbuchus that is being delivered via phishing emails. Like other malware loaders, Matanbuchus is operated under the malware-as-a-service model, and has been developed to stealthily download and execute second-stage malware payloads and executable files. The Matanbuchus loader has recently been observed dropping Cobalt Strike on infected systems. Cobalt Strike is a legitimate adversary simulation framework that is used in red team operations for detecting vulnerabilities that could potentially be exploited, but is also extensively used by criminal hackers for post-exploitation activities.
The Matanbuchus loader is currently being offered on Russian cybercrime forums for $2,500 and has been available since at least February 2021. A malware developer operating under the moniker BelialDemon is believed to be its author. BelialDemon is known to have been involved in the development and sale of other malware loaders, such as TrumpLoader.
Matanbuchus, which is an alternate name for the demon Belial, can be used to launch an .exe or .dll file in memory, add or modify scheduled tasks, launch PowerShell commands, and execute standalone executable files to load a DLL. The malware has already been used in several attacks in the United States, including on entities in the education sector.
Researchers at Palo Alto Networks’ Unit 42 team have identified phishing emails being used to deliver the Matanbuchus loader that use Excel documents with malicious macros. As is common in these types of phishing campaigns, if the user opens the attached file, they are informed that the document was created in an earlier version of Microsoft Excel, so the content cannot be viewed unless the user clicks on Enable Editing and then Enable Content. Should content be enabled, Excel 4.0 macros are then leveraged to drop and execute the Matanbuchus loader.
A campaign has also been detected that uses a .zip file attachment containing an HTML file, which delivers a second .zip file that includes an MSI installer. If that file is executed, an error message is displayed telling the user that something has gone wrong, while in the background a DLL file is delivered and executed, which acts as the loader that delivers the Matanbuchus loader DLL.
To block the delivery of malware loaders such as Matanbuchus, it is important to implement multiple cybersecurity solutions. A spam filter such as SpamTitan can be used to block the delivery of the phishing emails. SpamTitan includes dual antivirus engines for detecting and blocking known malware, and sandboxing to identify unknown malware through in-depth analysis of the behavior of attached files.
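The two delivery chains described above (an Excel workbook carrying Excel 4.0 macros, and a .zip holding an HTML file that in turn delivers a .zip with an MSI installer) can be picked up at the mail gateway by walking the attachment's container structure. The following is an added example, not TitanHQ's or Unit 42's code; it assumes OOXML workbooks (.xlsx/.xlsm/.xlsb), in which Excel 4.0 macro sheets live under `xl/macrosheets/`, and uses constructed in-memory samples rather than real captured attachments.

```python
import io
import zipfile

# Attachment types that appear as stages in the two delivery chains above.
ARCHIVE_EXT = {".zip"}
EXCEL_EXT = {".xlsx", ".xlsm", ".xlsb"}
STAGE_EXT = {
    ".html": "html-in-archive", ".htm": "html-in-archive",
    ".msi": "installer-in-archive", ".dll": "dll-in-archive",
    ".exe": "exe-in-archive",
}
MAX_DEPTH = 4                 # stop recursing into archives nested deeper than this
MAX_MEMBER_BYTES = 50 << 20   # do not expand members larger than 50 MiB (zip-bomb guard)


def file_ext(name):
    """Lower-cased extension of the last path component, including the dot."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def inspect_attachment(name, data, depth=0):
    """Return a list of (path, finding) tuples for one attachment.

    Zip archives are walked recursively.  OOXML workbooks are zip containers
    too, so the Excel 4.0 (XLM) macro part xl/macrosheets/ and the VBA part
    xl/vbaProject.bin can be spotted without a spreadsheet library.  Legacy
    .xls files are OLE compound documents and need a different parser.
    """
    findings = []
    ext = file_ext(name)
    if ext not in ARCHIVE_EXT and ext not in EXCEL_EXT:
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((name, "malformed-zip-container"))
        return findings
    members = zf.namelist()
    if ext in EXCEL_EXT:
        if any(m.startswith("xl/macrosheets/") for m in members):
            findings.append((name, "excel4-macro-sheet"))
        if "xl/vbaProject.bin" in members:
            findings.append((name, "vba-project"))
        return findings
    if depth >= MAX_DEPTH:
        findings.append((name, "archive-nesting-limit"))
        return findings
    for info in zf.infolist():
        if info.is_dir():
            continue
        inner_ext = file_ext(info.filename)
        path = f"{name}!{info.filename}"
        if inner_ext in STAGE_EXT:
            findings.append((path, STAGE_EXT[inner_ext]))
        if inner_ext in ARCHIVE_EXT or inner_ext in EXCEL_EXT:
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "member-too-large"))
                continue
            findings.extend(inspect_attachment(path, zf.read(info), depth + 1))
    return findings


def should_quarantine(findings):
    """Gateway policy: any finding holds the message for review."""
    return len(findings) > 0


def build_zip(entries):
    """Build an in-memory zip from {member_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples modelled on the chains described in the text.
SAMPLE_XLSX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
    "xl/macrosheets/sheet1.xml": b"<macrosheet/>",  # XLM macro part
})
SAMPLE_HTML_ZIP = build_zip({"invoice.html": b"<html></html>"})
SAMPLE_NESTED_ZIP = build_zip({"inner.zip": build_zip({"setup.msi": b"MSI"})})
SAMPLE_BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4"})

if __name__ == "__main__":
    for name, data in [("report.xlsx", SAMPLE_XLSX), ("invoice.zip", SAMPLE_HTML_ZIP),
                       ("attachment.zip", SAMPLE_NESTED_ZIP), ("docs.zip", SAMPLE_BENIGN_ZIP)]:
        found = inspect_attachment(name, data)
        print(name, "QUARANTINE" if should_quarantine(found) else "deliver", found)
```

Only the outer .zip with the HTML file is visible to the gateway in the second chain; the MSI stage arrives later via the browser, which is why the HTML-in-archive finding alone is treated as enough to hold the message.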
A web filter such as WebTitan should be used to block connections to malicious websites that host the malware. WebTitan can also be configured to block downloads of files often used to deliver malware and command-and-control center communications.
It is also strongly recommended to provide comprehensive security awareness training to all members of the workforce to explain the threat of phishing emails, explain the red flags to look for in emails, and not to open attachments unless they can be verified as authentic. TitanHQ can help in this regard through the SafeTitan Security Awareness Training solution, which includes a phishing simulation platform for simulating phishing emails to test how employees respond. For further information on these solutions, contact TitanHQ today.
It can be a challenge for organizations to stay agile, competitive, and innovative in a digital world, especially when cyber threat actors are actively targeting businesses. Small- and medium-sized businesses are facing a multitude of threats, many of which target employees – a weak link in the security chain.
Cyberattacks can cause significant financial losses and irreparable damage to a business’s hard-earned reputation. While security solutions can be implemented to block those threats, cyber actors target a weak point in security – employees.
In addition to technical defenses, businesses need to create a human firewall through security awareness training. Digital security needs to be front and center of a business’s continued innovation, but it can be difficult to develop and maintain a cyber-savvy workforce, especially considering the rapidly changing threat landscape.
To help businesses succeed, TitanHQ, in partnership with the Oxford Cyber Academy, will be hosting a webinar to discuss employee cyber risks in growing organizations, and how to balance safety and agility.
During the webinar, attendees will be provided with valuable information on:
The rapidly changing threat landscape
What needs to be protected
The consequences of failing to protect digital assets and systems
How to balance technology and human cyber risks
How to improve employee security awareness and change employee behavior
A solution that makes it easy to provide intuitive, easy-to-understand, personalized, and targeted training that delivers it where it’s needed the most.
Join TitanHQ on June 7th, where Nick Wilding, Neil Sinclair, Cyber Programme Lead, UK Police Crime Prevention Initiatives, and Richard Knowlton, Director of Security Studies at the Oxford Cyber Academy, will discuss these topics.
If you can’t make the event, register anyway and you will receive the webinar to watch on-demand at any time.
Many organizations punish employees who make cybersecurity mistakes and fail phishing simulations, but punishing employees for failing phishing simulations is often ineffective and can have unintended negative consequences.
Actions taken by companies when employees fail phishing simulations
Studies suggest that around 40% of companies punish employees for failing phishing simulations and for making other security mistakes. The actions taken range in severity from naming and shaming employees, removing access privileges, and withdrawing other privileges and benefits, through locking computers or blocking email until training has been completed, to disciplinary action such as verbal and written warnings and termination.
There naturally needs to be consequences if employees fail phishing simulations or make security mistakes, as if there are none, there will be no incentive for change. However, there are risks with using the stick rather than the carrot. Punishing employees for non-malicious security failures and failed phishing simulations often does not work.
Do you really want to create a culture of fear?
If you want to create a security culture in your organization you need to motivate your employees to become security titans, and that is unlikely to happen if the motivation comes from the threat of being fired if a mistake is made. Employees can become stressed and anxious if they are scared of severe punishments for security failures, especially if they have already failed a phishing simulation. That is unlikely to be beneficial for the company and could lead to the creation of a hostile work environment and loss of productivity. It could also serve to demonize the security team which is never a good thing.
If employees are scared about making mistakes, they may not report them when they happen
When employees make a mistake, such as clicking a link in a real phishing email or installing malware, and recognize the mistake, it is essential that they report it. Prompt action by the security team can be the difference between neutralizing the threat before any harm is caused and suffering an incredibly costly ransomware attack or data breach. If employees are worried about losing their jobs for making a mistake or suffering other serious consequences, they may avoid reporting the error.
Businesses need to be careful with punishing employees for non-malicious actions or security failures and should ensure that they make it clear to employees that the failure to report a known security mistake is a serious issue that could result in termination and will have far more serious consequences than the actual error.
Security awareness training should not be viewed as a punishment
If employees make security mistakes or fail phishing simulations, it can be for many reasons. The training provided has clearly not been effective with certain employees, and this could be due to the training material or the different needs of employees; it may not be a case of employees not paying attention or of sloppy working practices.
When security mistakes are made or phishing simulations are failed, there is clearly a need for further training, but it is important that security awareness training is not seen as a punishment. It should be a positive experience, and employees should be told that it is part of an ongoing educational process.
Consider real-time security awareness training
You should be providing security awareness training during the onboarding process, and annual training sessions are important, but if you want to create a security culture you need to go further. Cybersecurity newsletters, reminders, and additional training can be useful if they are not provided too regularly. Daily emails will be ignored, whereas monthly, bimonthly, or quarterly updates are more likely to be read and assimilated.
One of the best approaches to training is to provide basic training to everyone and then to provide behavior-driven, real-time security awareness training. When an employee makes a mistake, falls for a phishing simulation, or is discovered to have engaged in risky behavior, an alert can be triggered and immediate training can be provided. This is bite-sized training that is relevant and specific to the action that was taken, and that explains how the mistake was made, why it is a problem, and how it could have been avoided. Mistakes serve as educational triggers and can be turned into teachable moments. Training provided in this way is likely to be much more effective than making an employee go through the same standard training program again.
The SafeTitan security awareness and phishing simulation platform
SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time, allowing businesses to mitigate the growing problem of social engineering and advanced phishing attacks. The platform includes an extensive library of training courses, videos, and quizzes that businesses can use for general and custom training campaigns, and provides gamified, interactive, and enjoyable security awareness training sessions with short and efficient testing.
Training can be automatically generated in response to specific employee behaviors to ensure errors and risky behaviors are immediately tackled. The platform also includes fully automated simulated phishing attacks, using regularly updated phishing templates to match current attack trends. The training and simulations have been shown to reduce susceptibility to phishing by up to 92%. Users also benefit from enterprise-level reporting in an easily digestible format that demonstrates the ROI.
Contact TitanHQ today for more information and to sign up for a free trial of SafeTitan.
Expert Insights has announced its Spring 2022 Best-Of awards and TitanHQ has been given awards in 5 categories, including best-in-class awards for SpamTitan Email Security, WebTitan DNS Filter, ArcTitan Email Archiving, and SafeTitan Security Awareness training.
Expert Insights is an online publication that receives more than 80,000 visitors a month. Business owners and Information Technology professionals rely on the website which provides insights into the best business software solutions, along with blog posts, buyers’ guides, technical product reviews and analyses, interviews with industry experts, and reviews of software solutions by users of those solutions, who give accurate advice on their experiences and how the products perform in practice.
The Best-Of Awards recognize vendors and products that excel in their respective categories and help businesses achieve their goals. “Each of the services recognized in our awards are providing in many cases an essential service to their users, driving business growth, securing users in a challenging cybersecurity marketplace, and massively improving business efficiency,” said Joel Witts, Expert Insights’ Content Director.
Each category includes a maximum of 11 products that have been analyzed by Expert Insights’ editorial and technical teams in the UK and US and have achieved excellent ratings from genuine users of the solutions. “These awards recognize the continued excellence of the providers in these categories,” said Witts.
At the Expert Insights Spring 2022 awards, TitanHQ was ranked the number 1 solution in the Best Email Security Gateway category for SpamTitan Email Security, ArcTitan Email Archiving was ranked number 1 in the Email Archiving for Business category, WebTitan DNS Filter ranked second in the Web Security category, and SafeTitan Security Awareness Training was ranked in the top 10 in two categories, Security Awareness Training and Phishing Simulation.
“The recent pandemic and the growth of remote working initiatives have further highlighted the need for multiple layers of cybersecurity and our award-winning solutions form key pillars in this security strategy,” said TitanHQ CEO Ronan Kavanagh. “We will continue to innovate and provide solutions that MSPs can use to deliver a consistent, secure and reliable experience to their customers.”
Businesses need to invest in an advanced email security solution to block email-based cyberattacks and nuisance emails. SpamTitan, for instance, will block 99.99% of spam emails and 100% of known malware. SpamTitan includes advanced threat protection mechanisms and machine learning technology that can predict new attacks, along with sandboxing to identify zero-day malware threats.
The problem for businesses is that even with cutting-edge email security, some threats will bypass email defenses and will land in inboxes where they can be opened by employees. All it takes is for a single email to be opened by a single employee to give an attacker the foothold in the network that is needed to launch a devastating ransomware attack.
Technical defenses against phishing such as spam filters and web filters are important for cybersecurity. Alongside robust backup procedures, prompt patching, good password policies, and a next-generation firewall, they will leave your business well defended, but it is important not to neglect your human defenses, especially considering that 85% of cyberattacks involve human error.
Security awareness training for the workforce has always been important, but with cyberattacks on businesses now occurring at record rates, it is now a critical security measure. Security awareness training aims to teach the workforce the skills they need to be able to recognize and avoid security threats. Training should cover cybersecurity best practices such as setting strong passwords, never writing passwords down, and never accessing the network over a public Wi-Fi network without using a VPN.
The importance of training on how to identify phishing emails cannot be overstated. 9 out of 10 successful cyberattacks start with a phishing email. Phishing is concerned with tricking employees into disclosing their credentials or opening a malicious file that triggers a malware download. Attacks may also impersonate trusted individuals to trick employees into emailing sensitive data. Some phishing emails are easy to identify due to spelling mistakes, grammatical errors, and too-good-to-be-true offers, but many attacks are not so obvious. Employees need to be taught how to identify these emails, what to look for, and to be cautious when opening any email.
Spear phishing emails can be very convincing. They can be personalized, highly targeted, include the correct branding and logos, have spoofed sender names, and make perfectly plausible requests. Social engineering techniques are used to get the recipient to take the requested action and to do so without thinking, such as enabling content when opening an email attachment. Untrained employees cannot be expected to know about these cyberattacks and scams, and that enabling content in a document or spreadsheet will allow macros to run, which will silently download malware.
Security awareness training is important for everyone in the organization, from the CEO down. In fact, the CEO and other executives are the real prizes in phishing attacks as they have credentials that provide more extensive access to networks and sensitive data, so they need to also receive security awareness training. Providing regular security awareness training to the workforce is important, but so is testing the effectiveness of the training. Phishing simulations should be conducted to see if the workforce has taken the training on board. Simulation exercises provide immediate feedback on how the workforce will respond when a real threat is encountered. If the simulation is failed, employees will need to be given further training.
TitanHQ has developed SafeTitan to help businesses with their security awareness training. The platform provides real-time security awareness training to develop a human firewall to complement your technical cybersecurity defenses. The SafeTitan platform also allows businesses to run phishing simulations to see how effective the training has been and how employees will respond to social engineering and advanced phishing attacks when they are encountered.
For further information, get in touch with TitanHQ and take the most important step toward creating your human firewall.
This post covers the 2021 ransomware trends identified by U.S. and European cybersecurity agencies and the simple steps you can take to improve your security posture and prevent ransomware attacks.
2021 Ransomware Trends
Cybersecurity agencies identified several 2021 ransomware trends that look set to continue throughout 2022. There was an increase in ransomware attacks in 2021 with education and government the most commonly targeted sectors. The pandemic and lockdowns meant businesses needed to switch to remote working and security teams struggled to defend their networks. Ransomware gangs were quick to exploit vulnerabilities to gain access to networks, steal sensitive data, and encrypt files to extort money from businesses.
2021 also saw an increase in sophisticated ransomware attacks on critical infrastructure. Cybersecurity authorities in the United States said cyber threat actors had conducted attacks on 14 of the 16 critical infrastructure sectors, with the UK’s National Cyber Security Centre reporting an increase in attacks on businesses, charities, legal firms, healthcare, and local government.
While initially, several ransomware threat actors were focused on big game hunting – attacking large, high-value organizations that provide critical services such as Colonial Pipeline, Kaseya, and JBS Foods – the attacks prompted the raising of the status of ransomware attacks to the level of terrorism, and the increased scrutiny on ransomware gangs saw ransomware attack trends change, with the focus shifting to mid-sized organizations.
Double extortion tactics have been the norm for the past two years, where attackers exfiltrate data prior to file encryption and then demand payment for the decryption keys and to prevent the publication of stolen data. A new trend of triple extortion in 2021 saw ransomware gangs also threaten to inform the victim’s partners, shareholders and suppliers about the attack. It is also now common for ransomware gangs to work with their rivals and share sensitive data. There have been multiple cases where ransomware gangs have shared information with other gangs to allow them to conduct follow-on attacks.
2021 saw an increase in attacks on the supply chain. By compromising the supply chain, ransomware gangs are able to conduct attacks on multiple targets. There was also an increase in attacks targeting managed service providers, where MSP access to customer networks is exploited to deploy ransomware on multiple targets. Russian ransomware gangs have been increasingly targeting cloud infrastructure, accounts, application programming interfaces, and data backup systems, which has allowed them to steal large quantities of cloud-stored data and prevent access to essential cloud resources.
Diverse tactics were used in 2021 to gain access to victim networks, including quickly developing exploits for known vulnerabilities, conducting brute force attacks on Remote Desktop Protocol, and using stolen credentials. These tactics have proven effective, helped by the increase in remote working and remote schooling due to the pandemic.
Improve Your Defenses Against Ransomware Attacks
To defend against ransomware attacks, it is important to prevent attackers from using these tactics. The number of reported vulnerabilities increased in 2021 and security teams struggled to keep up with routine patching. Security teams need to prioritize patching and concentrate on patching the vulnerabilities that are known to have been exploited, such as those published in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog, and critical vulnerabilities where there is a high chance of exploitation.
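One way to turn the prioritization advice above into a repeatable patching queue is to join scanner output against the CISA KEV catalog and rank KEV entries (ransomware-linked first, then by due date) ahead of critical-severity CVEs that are not yet in the catalog. This is an added example, not TitanHQ's or CISA's code; the KEV excerpt and the inventory are constructed placeholders in the shape of the real feed, and the CISA due dates, which formally bind U.S. federal agencies, are used here only as a yardstick.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE ids, products and dates are placeholders, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-1111", "vendorProject": "ExampleCorp", "product": "RemoteGateway",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-2222", "vendorProject": "ExampleCorp", "product": "VPNAppliance",
     "dateAdded": "2022-01-10", "dueDate": "2022-03-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output: one row per (host, CVE) with the CVSS base score.
INVENTORY = [
    {"host": "db01", "cve": "CVE-0000-3333", "cvss": 9.1},
    {"host": "file01", "cve": "CVE-0000-4444", "cvss": 5.3},
    {"host": "web01", "cve": "CVE-0000-1111", "cvss": 7.5},
    {"host": "vpn01", "cve": "CVE-0000-2222", "cvss": 9.8},
]

CRITICAL_CVSS = 9.0


def load_kev(kev_json):
    """Index the KEV feed by CVE id so each inventory row is a dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory, kev, today):
    """Rank inventory rows into a patching queue.

    Tier 0: CVE is in KEV (known exploited); ransomware-linked entries first,
            then earliest CISA due date.  Note that a low CVSS score (web01,
            7.5) does not demote a KEV entry: exploitation beats severity.
    Tier 1: not in KEV but CVSS >= CRITICAL_CVSS, highest score first.
    Tier 2: everything else, for routine patching.
    `today` is an ISO date string used to flag KEV items past their due date.
    """
    today = date.fromisoformat(today)
    plan = []
    for row in inventory:
        entry = kev.get(row["cve"])
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
            item = {"tier": 0, "overdue": due < today,
                    "reason": f"in KEV, due {entry['dueDate']}"
                              + (", ransomware use known" if ransomware else ""),
                    "_key": (0, 0 if ransomware else 1, due.toordinal())}
        elif row["cvss"] >= CRITICAL_CVSS:
            item = {"tier": 1, "overdue": False,
                    "reason": f"critical CVSS {row['cvss']}, not in KEV",
                    "_key": (1, 0, -row["cvss"])}
        else:
            item = {"tier": 2, "overdue": False,
                    "reason": f"routine patching (CVSS {row['cvss']})",
                    "_key": (2, 0, -row["cvss"])}
        item.update(host=row["host"], cve=row["cve"])
        plan.append(item)
    plan.sort(key=lambda i: i["_key"])
    for item in plan:
        del item["_key"]   # sort key is internal; drop it from the report
    return plan


if __name__ == "__main__":
    for item in prioritize(INVENTORY, load_kev(KEV_SAMPLE), "2022-01-15"):
        flag = " OVERDUE" if item["overdue"] else ""
        print(f"tier {item['tier']}  {item['host']:7} {item['cve']}  {item['reason']}{flag}")
```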
To combat brute force attacks, it is important to ensure all default passwords are changed and strong passwords are set for all accounts. Consider using a password management solution to make this easier. Multifactor authentication should be set up for as many services as possible, especially for access to critical systems, VPNs, and privileged accounts. RDP, other remote access solutions, and risky services should be closely monitored and ports and protocols that are not being used should be disabled.
It is also vital to take steps to prevent phishing attacks. Phishing is commonly used to obtain credentials that give attackers a foothold in networks, and phishing emails are also used to deliver malware. An advanced email security solution should be implemented to detect and block as many phishing threats as possible before they reach employee inboxes. A web filtering solution adds a further layer of defense by blocking access to the websites linked in phishing emails and preventing malware downloads from the Internet. Security awareness training for the workforce is also important. Training should raise awareness of the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments.
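The patch prioritization described above (KEV entries first, then critical vulnerabilities) can be automated against CISA's KEV JSON feed. The following is an added example, not TitanHQ's code: the feed excerpt and scanner findings are constructed placeholders, and the field names are assumed to match the published KEV schema.

```python
import json

# Constructed excerpt shaped like CISA's KEV JSON feed (field names assumed to
# match the real feed; the CVE IDs, vendor and product values are placeholders).
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCorp",
         "product": "RemoteGateway", "dueDate": "2021-11-17",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCorp",
         "product": "MailServer", "dueDate": "2021-12-01",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Constructed scanner output: CVE, CVSS base score and the host it was found on.
SCAN_FINDINGS = [
    {"cve": "CVE-0000-0003", "cvss": 9.8, "host": "db01"},
    {"cve": "CVE-0000-0001", "cvss": 7.5, "host": "vpn01"},
    {"cve": "CVE-0000-0002", "cvss": 6.1, "host": "mail01"},
    {"cve": "CVE-0000-0004", "cvss": 4.3, "host": "web01"},
]


def load_kev(feed_json):
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def priority(finding, kev):
    """Sort key; larger sorts first: KEV + ransomware use > KEV > critical CVSS > rest."""
    entry = kev.get(finding["cve"])
    in_kev = entry is not None
    ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
    critical = finding["cvss"] >= 9.0
    return (ransomware, in_kev, critical, finding["cvss"])


def prioritize(findings, kev):
    """Return findings in patching order, each annotated with the reason for its rank."""
    ranked = sorted(findings, key=lambda f: priority(f, kev), reverse=True)
    out = []
    for f in ranked:
        entry = kev.get(f["cve"])
        if entry:
            reason = f"in KEV (remediation due {entry['dueDate']})"
            if entry.get("knownRansomwareCampaignUse") == "Known":
                reason += ", known ransomware campaign use"
        elif f["cvss"] >= 9.0:
            reason = "critical CVSS, not (yet) in KEV"
        else:
            reason = "routine patch cycle"
        out.append({**f, "reason": reason})
    return out
```

Running `prioritize(SCAN_FINDINGS, load_kev(KEV_FEED))` puts the KEV entry with known ransomware use first, ahead of the higher-scoring but unexploited finding.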
TitanHQ can help with all of these anti-phishing defenses through SpamTitan Email Security, the WebTitan DNS-based Web Filter, and SafeTitan Security Awareness Training. To find out more about these solutions for SMBs, enterprises, Internet Service Providers, and Managed Service Providers, give the TitanHQ team a call.
TitanHQ, the leading cybersecurity SaaS business, today announced its acquisition of Cyber Risk Aware. Established in 2016, Cyber Risk Aware is a global leader in security awareness and the mitigation of human cyber risk, helping companies’ staff protect the corporate network.
Cyber Risk Aware delivers real-time cyber security awareness training to staff in response to their actual network behavior. This intuitive, real-time security awareness training reduces the likelihood that users will be impacted by the latest threats such as ransomware, BEC attacks, and data breaches, while also enabling organizations to meet compliance obligations. Leading global businesses that trust Cyber Risk Aware include Standard Chartered, Glen Dimplex, and Invesco.
TitanHQ has been providing email and web security solutions to businesses, enterprises, and managed service providers for more than two decades and now provides a range of security solutions to more than 8,500 businesses globally, including more than 2,500 managed service providers.
The acquisition will further bolster TitanHQ’s already extensive security offering. It combines intelligent security awareness training with phishing simulation and TitanHQ’s advanced email protection, DNS security, email archiving, and email encryption solutions to create a powerful, multi-layered cybersecurity platform that protects end users from compromise. This is the go-to cybersecurity platform for IT Managed Service Providers and internal IT teams.
“This is a fantastic addition to the TitanHQ team and solution portfolio. It allows us to add a human protection layer to our MSP Security platform, with a fantastic feature-rich solution as demonstrated by the high caliber customers using it. Stephen and his team have built a great company over the years, and we are delighted to have them join the exciting TitanHQ journey,” said TitanHQ CEO Ronan Kavanagh.
The solution is available to both new and existing customers and MSP partners at TitanHQ.com and is now branded as SafeTitan Security Awareness Training. Cyber Risk Aware’s existing clients are unaffected and will benefit from improvements to the platform’s phishing simulation content and an exciting, innovative product roadmap.
Stephen Burke, CEO of Cyber Risk Aware, commented: “I am incredibly proud that Cyber Risk Aware has been acquired by TitanHQ, a cybersecurity business that I have greatly admired for a long time. Today’s announcement is fantastic news for both our clients and partners. We will jointly bring together a platform of innovative security solutions that address the #1 threat vector used by bad actors that causes 99% of security breaches, ‘End User Compromise’. When I first started Cyber Risk Aware, my aim was to be the global security awareness leader in delivering the right message, to the right user, at the right time. Now, as part of TitanHQ, I am more excited than ever about the unique value proposition we bring to market.”