
As we increasingly work remotely, either from home or from our favorite coffee shop, the lines between the corporate and consumer worlds are becoming increasingly blurred. Unfortunately, at the same time, the risks of IT security breaches are increasing.
Building a safer cyber world starts here. So what should IT managers include in their security awareness programs now and in 2024? It’s important to adapt to today’s and tomorrow’s digital threats, not the risks of yesteryear.
The human factor, the weak link in IT security and the importance of training
According to Verizon, three-quarters (74%) of all global security breaches reported last year involved a “human factor,” usually meaning error, negligence, or users falling victim to phishing and social engineering. Security training and awareness programs are an important way to mitigate these risks, but there is no quick and easy path to success. In fact, what you should implement is not just education or awareness, but a long-term change in user behavior.
This can happen only if educational programs are constantly held to maintain the relevance of information and knowledge obtained during training sessions. In addition, it is important to ensure that everyone, from internal employees to entrepreneurs and senior executives, is involved. Anyone can be an indirect target of an attack, and one minor mistake is enough for a major incident.
Also, organize and deliver the training in several compact modules to increase the chances that the information will be well understood and retained. Where possible, include simulation exercises or “gamification” to recreate real-life threats and make learning more interactive and fun, motivating participants to engage more and experiment.
Of course, lessons can even be tailored to specific roles and sectors to make them more relevant to each individual.
3 topics to consider in IT security training in 2024
1. Business Email Compromise (BEC) and Phishing
Business Email Compromise (BEC) fraud, which uses targeted phishing messages, remains one of the most lucrative cybercrime categories for criminals. In cases reported to the FBI last year, victims lost more than $2.7 billion. This type of crime is fundamentally based on social engineering and is usually carried out by tricking the victim into approving the transfer of corporate funds to an account controlled by the fraudster.
There are various methods by which this is done, such as impersonating a CEO or supplier, and these can be effectively countered with phishing awareness exercises. These should be combined with advanced email security software, very carefully handled payment processes, and additional verification (e.g. by phone) of any “urgent” or unexpected payment requests.
Phishing as such has been around for decades and is still one of the most effective vectors for fraudulently infiltrating corporate networks, and because remote workers are inherently more distracted, the chances of such an attack succeeding are increasing. But as attackers change their tactics, phishing awareness exercises must change too. This is where real-time simulations can really help change user behavior. In 2024, consider training teams on text-message phishing (smishing), voice calls (vishing), and other new techniques that even include multi-factor authentication (MFA) bypasses.
Specific social engineering tactics change extremely frequently, so it’s a good idea to work with an IT security training and education provider that can update their content accordingly.
2. Security for remote or hybrid work
Experts further warn that employees are more likely to ignore or simply forget IT security rules or policies when working from home. One study found that 80% of workers who work from home admitted that they are more relaxed and entertained under certain circumstances, such as on Fridays or during the summer months. This can expose them to an increased risk of IT security breaches, especially as home networks and devices are not as well protected as corporate equivalents. And that’s where training programs should come in, with advice on being aware of phishing and ransomware risks, laptop security updates, password management, and only using devices approved by IT managers for work.
In addition, hybrid work has become the norm for many companies today – according to one study, 53% of them now have such a policy, and this number is growing. However, going to the office or working in a public place carries a number of risks. One of these is the threat posed by public Wi-Fi hotspots, which can expose employees to Adversary-in-the-Middle (AitM) attacks, where hackers gain access to the network and compromise data transmitted between connected devices and the router, as well as “evil twin” attacks, where attackers duplicate a Wi-Fi hotspot with a malicious hotspot that appears to be legitimate in a specific location.
3. Data protection
GDPR fines rose 168% year on year to more than €2.9 billion ($3.1 billion) in 2022 as a result of regulators’ ongoing crackdown on non-compliance. This makes a strong case for organizations to ensure that their staff adhere to data protection policies.
Regular training is one of the best ways to keep data protection best practices fresh in mind. This includes strong encryption of sensitive data on laptops, effective password management, device protection, and immediate reporting of any incidents to the appropriate contact.
Employees can also benefit, for example, from refreshers on common mistakes made on standard email platforms, mistakes that can lead to inadvertent leakage of data via email. Another aspect to consider is educating employees about the privacy of social media posts.
While training and awareness are an important part of any security strategy, they are ineffective when they work in isolation. Organizations must also implement well-designed security software and security policies backed by controls and powerful tools such as mobile device management, data encryption, mail server protection, or even automated detection and remediation of vulnerabilities in applications and operating systems. “People, Process and Technology” is the mantra that will help create a more secure corporate cyber culture.
ESET, one of the world leaders in the market for cyber security solutions, with a history of more than 30 years of experience and innovation, includes in its range anti-virus and anti-malware solutions that meet the needs of companies and organizations, regardless of size.
Its suite of anti-malware solutions offers additional layers of integrated multi-layered protection and can detect previously unclassified attacks, including ransomware, at an early stage to avoid financial and reputational damage to organizations.
ESET PROTECT Complete is one such comprehensive solution for companies, and it can be tested for free at any time. In addition to complete malware protection, it adds an extra layer of protection for Microsoft 365 cloud email and stored data. It protects your company’s PCs, laptops and smartphones through a powerful management console that can be deployed on-premises or in the cloud. The solution includes LiveGuard Advanced sandbox analysis technology to protect against new and previously undetected threats. In addition, it includes features to manage application patches and vulnerabilities to reduce the attack surface of business infrastructure, as well as the ability to fully encrypt storage drives for enhanced data protection on laptops.
Solutions can be tested for free by companies of any size with no additional obligations.
Article based on ESET
Source: Hot News

Lori Barajas is an accomplished journalist, known for her insightful and thought-provoking writing on economy. She currently works as a writer at 247 news reel. With a passion for understanding the economy, Lori’s writing delves deep into the financial issues that matter most, providing readers with a unique perspective on current events.