This article will dive into how implementing employee cybersecurity training will help your business prevent a breach that could expose your sensitive data and leave you open to a wide range of devastating financial and reputational damages. Incidents such as the 2022 Uber hack and similar attacks against American Airlines, Twilio and Colonial Pipeline demonstrate the potential impact of human error when users are not properly educated and equipped to spot phishing, or to know how to respond to a possible intrusion.
Continue reading below to learn more about security awareness training and how it can strengthen your last line of cyber defense:
What is Employee Cybersecurity Training?
An employee cybersecurity training program is any curriculum that delivers user education materials and potentially other resources for improving knowledge on network security topics. This can include many other additional solutions, depending on the partner, which can range from proactive testing for real-world malicious behavior scenarios to comprehensive analytics that track performance metrics from courses taken. However, to ensure that cyber hygiene lessons stick, an effective security awareness training regimen must consistently reinforce due diligence among employees for all levels of access to your business data.
Examples of the Risk of an Employee Breach
There have been plenty of examples of the significant impact human error has in allowing data to be exposed over the years, whether from the occasional mistaken email or sophisticated cyber fraud. Here are just some of top cases from late 2022 and how they demonstrated the needed for employee cybersecurity training:
Midway through September 2022, Uber notified the public that it had a discovered a breach in its network after the attacker posted in an internal Slack channel announcing their own intrusion. Reports followed afterwards from security researchers and journalists claiming to have been spoken directly to the hacker, who explicitly outlined how they had breached those systems and with at least the core details confirmed by Uber later. A contractor’s account had been the gateway for the breach after the attacker successfully tricked them into responding to an MFA push notification and inevitably granting the hacker access.
The contractor’s basic authentication credentials (name and password) were somehow acquired beforehand and used to interact with the MFA program to spam their account with push notifications until past midnight. The attacker finally reached out to the contractor claiming to be Uber’s IT and instructed them to accept a final push notification, giving them enough access to dig deeper and find an exploit for administrator privileges. This represented a security failure on many levels for Uber, and could have been avoided with better enforced zero trust controls as well as education that reinforced to report suspicious behavior and to double-check emails from “IT.”
American Airlines filed a data breach notification in response to an incident that they had investigated since July 2022, letting authorities and customers know that that “certain personal information” had been compromised. Multiple American Airlines employees had fallen victim to a targeted phishing campaign that stole their credentials and allowed the attacker to access their email accounts. After an investigation with a third-party forensic firm, American Airlines concluded that the hackers could have obtained access to the PII (personal identifiable information) of “a small number” of employees and customers but could not definitively determine if the data had been used yet.
With American Airlines still remaining tight-lipped about the more granular details of the incident, it is difficult to analyze the full impact of the breach. However, what has been revealed about the origin point reflects the most persistent reality of modern cybersecurity – phishing is the top vehicle for cyber threats. Employees need to be well-versed in the red flags that will inevitably appear in a spoofed message upon closer inspection, which can go unnoticed
A months-long phishing campaign was uncovered in July 2022 that had targeted a known total of 136 organizations around the world, with several victims confirmed but many more potentially impacted. This includes Twilio, a communication services and solutions provider, who had an undisclosed number of employee accounts breached that allowed the attacks to access sensitive data. Leveraging a mix of tools and credentials – some from past breaches – along with sophisticated social engineering tactics, the hackers tricked the employees into clicking on hyperlinks that redirect them to spoofed domains that captured their basic login authentication.
As with other examples, what happened with Twilio demonstrates the ability of experienced hackers to recreate messaging convincing enough to deceive users when paired with a trusted authority (namely IT in most cases). However, it also reflects another reality that makes employee cybersecurity training and zero trust security that much more vital – hackers already have access to basic authentication credentials. The Dark Web features a considerable ecosystem of cybercriminals trading in stolen data, much of which include the billions of credentials exposed in past breaches.
Security Awareness vs Risk
Knowing what level of cyber hygiene must be enforced across your business network is a matter of measuring security awareness vs cyber risk, especially when both are increasingly mandated by new and updated regulations. How much access would an attacker gain from just one compromised employee account, and how much sensitive data do your employees interact with on a daily basis?
Human error can be a hard factor to quantify for when calculating risk, yet research shows that it has a hand in the overwhelming majority of data breaches. You will not know just how vulnerable your data ultimately unless you have a way to measure just how susceptible your employees may be to repeat mistakes, such as by testing their knowledge of phishing red flags.
The Uber and Twilio breach examples illustrate that even MFA can be affected by the consequences of human error and especially cyber stress. When technology fails, the human element still remains, and users need to be weary of MFA fatigue.
360 Cyber Guard – Employee Cybersecurity Training Services
- Baseline Phishing Test to gauge user knowledge of & susceptibility to email compromise techniques
- Simulated Phishing testing that measures user response to real-world attack methods
- Employee Vulnerability Assessment (EVA) Dashboard that scores users based on testing & training results
- Continuous Micro Training modules that cycle through additional education & assessment courses
- Security Awareness Newsletter delivering monthly updates on cyber incidents and developments
Contact SWK & Learn More About 360 Cyber Guard
Investing in cybersecurity technology must go hand in hand with reinforcing the human element in your business network, or gaps will inevitably form where hackers can get to your people. Reach out to SWK today and discover how the training services available with our 360 Cyber Guard program will help you secure your last line of defense against all manner of cyber threats.
Contact SWK here to learn more about 360 Cyber Guard and how its comprehensive employee cybersecurity training solutions are tailored to fight modern phishing threats.
Learn More About SWK’s Security Training Services