As many organizations transitioned into a “new normal” of hybrid work this year, their security teams were focused on thinking of new and creative ways to help protect their users from novel attack types. In fact, nearly half (48%) of chief information security officers (CISOs) surveyed for the 2022 Voice of the CISO report from Proofpoint said they felt their organization was at risk of suffering a material cyber attack in the next 12 months.
As you work to compile metrics to analyze the success of the security awareness education programs you launched throughout 2022, you’re also likely wondering how to educate your employees effectively as you enter 2023. The “Get Ready for ’23” Security Awareness Kit from Proofpoint can help. It provides three weeks’ worth of cybersecurity best practices and educational assets to help your users become more knowledgeable about cyber threats so they can:
- Avoid falling for ransomware attacks
- Stay safe when working from home
- Remain vigilant against phishing lures
Ransomware attacks are difficult to detect—and can have tremendous consequences
Ransomware continues to be near the top of security teams’ concerns, and for good reason. Attackers using this approach don’t just encrypt files and information—they demand payment in return for this data. Ransomware can also cause organizations to shut down their operations while they investigate the extent of the damage. According to our 2022 State of the Phish report, 78% of organizations faced ransomware attacks in 2021, and nearly 15 million phishing messages contained malware payloads with later-stage ransomware.
Although secure email gateways (SEGs) are designed to block malicious emails, cyber criminals are becoming more adept at bypassing SEGs by embedding ransomware in multistage attacks that are challenging for traditional gateways to detect. In multistage attacks, the initial attachment or link might be harmless, but users are prompted to interact with several assets and click on various items before they’re infected by ransomware—making these attacks virtually impossible to detect.
Once a ransomware attack gets through the gateway and into a user’s inbox, users must be knowledgeable enough to identify the email as malicious, know the appropriate action to take, and have the time and motivation to follow through and practice safe cyber habits. That’s why it’s crucial to have a multi-layered approach to security to ensure the best protection for your users. It is the combination of security defenses, protocols, and end user education that will help keep your organization safe.
As a security professional, your end users need to understand the dangers of ransomware and how to remain vigilant for these attacks so they can help keep the organization safe. Knowing what to do when faced with ransomware needs to become second nature so end users can respond quickly even if they are distracted, have a slew of emails to sift through or are checking their emails when fatigued.
Remote work requires safeguards to avoid personal and professional compromise
Many employees now work from their home office environments for a significant portion of the workweek. While most of these workers have dedicated time and resources to set up their office in a way that is ergonomic, quiet and conducive to focusing, how many of your users have given thought to the safety and strength of their Wi-Fi networks, account passwords or their social footprint?
While home is associated with peace and safety, there are several avenues that criminals can use to launch attacks, and they can be successful if people don’t expect or know how to identify them. If a Wi-Fi password is weak, for example, attackers can easily guess it and gain access to your entire network.
When setting up home Wi-Fi networks, users want to ensure they can stream movies, listen to music, log on to video calls and more with ease. It might not be high on their priority list to ensure their network has a strong password, remote administration is disabled or that the router’s firmware is up to date.
Also, employees use personal devices to access work material and personal social media—and even share devices like a laptop or tablet with several members of their household. Thus, if a user interacts with a malicious email on their personal device, it can lead to the compromise of data beyond their personal information and a breach spanning the entire organization. This makes it especially important that your end users establish the appropriate safeguards to ensure their network, devices, accounts and data are protected and challenging for cyber criminals to “hack into.”
Educate users to avoid falling for phishing lures—and to report them
Users often sift through several emails daily, sometimes at the end of a long workday or while tackling multiple projects, which can increase their chances of accidentally falling for a phishing email. Malicious actors know users are distracted and will use social engineering tactics to lure them into taking action to further their nefarious crimes.
For example, when using emotionally charged language, attackers attempt to stir up “fast” emotions like fear, curiosity, empathy and greed. These emotions are labeled as “fast” because they drive humans to act quickly before they have a chance to fully process and think about what is occurring—making it more likely that they will click or take the required action before realizing it’s a phish.
While falling for a phish may seem like a minor inconvenience, it can have serious consequences and lead to data breaches and the exposure of business secrets and financial losses to organizations. It can also lead to stolen data, identity theft and emotional damage within users’ personal lives.
It is therefore essential to provide users with cybersecurity best practices and educate them not to blindly trust emails that seem vague, elicit emotionally strong responses or pressure them to take some type of action. Above all, it’s critical that employees understand the importance of reporting messages so that no one else in their organization falls for those attacks, even if they themselves didn’t open the phishing emails.
Take action: Protect your organization in 2023 by downloading this kit
Reducing cybersecurity risks and protecting your organization depends on security teams working in partnership with end users who also practice safe cyber habits. To help your users become resilient in the face of unique attacks, we have curated a selection of free resources to support your security awareness education and get off to a strong start in 2023.
The cybersecurity best practices kit from Proofpoint is divided into a three-week program:
- Week 1: Avoid falling for ransomware
- Week 2: Stay safe when working from home
- Week 3: Remain vigilant against phishing lures
Download the kit today and use the “Start Guide” to craft your weekly campaign messages—and help your users become a strong line of defense inside and outside of the workplace.