Cyber security on a budget: The case for awareness training

Awareness training has long been recognized as a key component of cyber security risk management. On the surface, setting aside time to train staff on the proper handling of sensitive information or how to recognize phishing e-mails might seem like an afterthought in the fight against sophisticated hackers. But nothing could be further from the truth. Teaching everyone on the team to understand the role they play in protecting sensitive data and systems has several advantages, especially when it comes to cyber security at public entities.


First, a large number of cyber attacks begin with gaining a small foothold in a system. In order to do this, malicious actors will start by sending employees phishing e-mails. It’s an inexpensive technique for hackers to use and can be effective when it’s done well. Phishing e-mails have come a long way since the days of the Nigerian letter scams, asking for a funds transfer in exchange for the promise of much greater returns.

Today’s attackers make an effort to send well-crafted e-mails with seemingly legitimate requests. Even if 99 percent of these e-mails end up blocked or unopened, it only takes one person clicking on a link or opening an attachment to launch a disruptive ransomware infection or open a door for the hackers to exploit.

What’s more, raising staff awareness on how sensitive data should be handled is especially important for public entities.

From June 1, 2015 through May 31, 2017, data mishandling events – such as posting personal information on the organization’s website, snooping into files restricted to official use only or inadvertently emailing sensitive data – accounted for 45.3 percent of the data loss incidents at U.S. governmental entities. That’s nearly half of all breaches attributable to data handling mistakes that might have been avoided with greater data security awareness.

Not only is awareness training a valuable tool for lessening the risk of a data breach, it’s also one of the most cost-effective strategies that any organization can use. Unlike expensive new technologies that can take months to fully implement, a basic awareness training program can be created and delivered in a matter of weeks. What’s more, training can be easily customized to the specific needs of your organization or department.

For example, phishing for W2 details is a popular scam that kicks into high gear shortly after the New Year. Attackers use social networks like LinkedIn or staff contact information published on websites in order to find and target HR staff.

Fraudsters will send a “spoofed” e-mail that appears to come from a trusted person within the organization, asking for W2 data on all employees.

More than 200 organizations fell victim to this type of attack in the first few months of 2017, compromising thousands of employees’ W2 forms and resulting in countless fraudulent tax returns being filed. Targeted training for everyone working with this type of information – from raising awareness about the scam and how to recognize this type of phishing attack to reinforcing expectations for safe handling of sensitive employee data – can greatly reduce the chances of inadvertently emailing every employee’s name, Social Security number and wage details to fraudsters.

Even technologically sophisticated companies like Google and Facebook embrace staff training. Both of these tech giants take time to ensure their employees receive regular security reminders through a combination of routine educational sessions and intermittent phishing exercises.

Facebook in particular has created a phishing simulation known as “Lunch with Zuck.”

For this exercise, random members of staff receive an e-mail informing them they have been selected for an employee lunch with Mark Zuckerberg. All the employee needs to do to attend is click the confirmation link. With this tool, Facebook can measure how many employees clicked on the link and by doing so, which employees would benefit from additional training.
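The value of an exercise like this comes from what is done with the results: measuring click and report rates per campaign and spotting the people who keep clicking, so that follow-up training goes where it helps most. The script below is an added example, not code from the article or from Facebook’s tool; the event-log format (campaign, user, department, event, timestamp) and the records in it are constructed for illustration.

```python
"""Summarise results of an internal phishing-simulation campaign.

Added example, not part of the original article. The export format below
is an assumption chosen for illustration, and every record is constructed
sample data; a real simulation platform's export would be mapped onto
the same four fields.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export from a hypothetical simulation tool.
# Events: "sent" (e-mail delivered), "clicked" (confirmation link followed),
# "reported" (user forwarded the message to the security team).
SAMPLE_LOG = """\
campaign,user,department,event,timestamp
lunch-q1,alice,HR,sent,2017-02-01T09:00:00
lunch-q1,alice,HR,clicked,2017-02-01T09:07:12
lunch-q1,bob,HR,sent,2017-02-01T09:00:00
lunch-q1,bob,HR,reported,2017-02-01T09:03:40
lunch-q1,carol,Finance,sent,2017-02-01T09:00:00
lunch-q1,dave,Finance,sent,2017-02-01T09:00:00
lunch-q1,dave,Finance,clicked,2017-02-01T10:15:00
lunch-q2,alice,HR,sent,2017-05-01T09:00:00
lunch-q2,alice,HR,clicked,2017-05-01T09:02:30
lunch-q2,bob,HR,sent,2017-05-01T09:00:00
lunch-q2,carol,Finance,sent,2017-05-01T09:00:00
lunch-q2,carol,Finance,reported,2017-05-01T09:20:00
lunch-q2,dave,Finance,sent,2017-05-01T09:00:00
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def campaign_rates(events):
    """Per campaign: click rate and report rate as a fraction of users sent the e-mail.

    Users are counted once per campaign, so a user who clicks twice
    does not inflate the rate.
    """
    users_by = {"sent": defaultdict(set), "clicked": defaultdict(set),
                "reported": defaultdict(set)}
    for e in events:
        if e["event"] in users_by:
            users_by[e["event"]][e["campaign"]].add(e["user"])
    rates = {}
    for camp, sent_users in users_by["sent"].items():
        n = len(sent_users)
        rates[camp] = {
            "sent": n,
            "click_rate": round(len(users_by["clicked"][camp]) / n, 3),
            "report_rate": round(len(users_by["reported"][camp]) / n, 3),
        }
    return rates


def department_click_rates(events):
    """Click rate per department across all campaigns, counting (campaign, user) pairs."""
    sent = defaultdict(set)
    clicked = defaultdict(set)
    for e in events:
        key = (e["campaign"], e["user"])
        if e["event"] == "sent":
            sent[e["department"]].add(key)
        elif e["event"] == "clicked":
            clicked[e["department"]].add(key)
    return {d: round(len(clicked[d]) / len(pairs), 3) for d, pairs in sent.items()}


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are the people the article describes as benefiting from
    additional, targeted training.
    """
    clicks = defaultdict(set)
    for e in events:
        if e["event"] == "clicked":
            clicks[e["user"]].add(e["campaign"])
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for camp, r in sorted(campaign_rates(evts).items()):
        print(f"{camp}: sent={r['sent']} click_rate={r['click_rate']} "
              f"report_rate={r['report_rate']}")
    print("by department:", department_click_rates(evts))
    print("repeat clickers:", repeat_clickers(evts))
```

Tracking the report rate alongside the click rate matters: a campaign where clicks fall but reports also fall may just mean the lure was weaker, whereas rising reports show staff are doing what the training asked.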

The YourCISO service available to VMLIP members includes a variety of awareness training materials and simple reminders that can be downloaded and customized to fit with your cyber awareness objectives. The options range from one-page reminders to short, topic-specific presentations that can be delivered individually or tied together for longer training sessions.

For members interested in trying a “Lunch with Zuck” style phishing exercise, Risk Based Security can assist with designing and delivering a program best suited for your organization. As the saying goes, we’re only as strong as our weakest link, and with a solid security awareness training program, all the links become a little stronger.

To learn more or request assistance with a phishing exercise, contact VMLIP Director of Member Services Jeff Cole at: 800-963-6800.