Cyber security

---

Let’s start with a clear understanding of the three different types of learning activities that organizations use, whether for information security or for any other purpose:

• Education: The overall goal of education is to help learners improve their understanding of these ideas and their ability to relate them to their own experiences and apply that learning in useful ways.

• Training: Focuses on building proficiency in a specific set of skills or actions, including sharpening the perception and judgment needed to make decisions as to which skill to use, when to use it and how to apply it. Training can focus on low-level skills, an entire task or complex workflows consisting of many tasks.

• Awareness: These are activities that attract and engage the learner’s attention by acquainting them with aspects of an issue, concern, problem or need.

You’ll notice that none of these have an expressed or implied degree of formality, location or target audience.

 Security Awareness Training Examples

• Education may be used to help select groups of users better understand the ways in which social engineering attacks are conducted and engage those users in creating and testing their own strategies for improving their defensive techniques. 

• Training will help users increase their proficiency in recognizing a potential phishing or similar attempt, while also helping them practice the correct responses to such events. Training may include simulated phishing emails sent to users on a network to test their ability to identify a phishing email.

• Raising users’ overall awareness of the threat posed by phishing, vishing, SMS phishing (also called “smishing) and other social engineering tactics. Awareness techniques can also alert selected users to new or novel approaches that such attacks might be taking. 

Phishing

The use of phishing attacks to target individuals, entire departments and even companies is a significant threat that the security professional needs to be aware of and be prepared to defend against. Countless variations on the basic phishing attack have been developed in recent years, leading to a variety of attacks that are deployed relentlessly against individuals and networks in a never-ending stream of emails, phone calls, spam, instant messages, videos, file attachments and many other delivery mechanisms.

Phishing attacks that attempt to trick highly placed officials or private individuals with sizable assets into authorizing large fund wire transfers to previously unknown entities are known as whaling attacks.

 Social Engineering

Social Engineering is an important part of any security awareness training program for one very simple reason: bad actors know that it works. For the cyberattackers, social engineering is an inexpensive investment with a potentially very high payoff. Social engineering, applied over time, can extract significant insider knowledge about almost any organization or individual. 

One of the most important messages to deliver in a security awareness program is an understanding of the threat of social engineering. People need to be reminded of the threat and types of social engineering so that they can recognize and resist a social engineering attack.

Most social engineering techniques are not new. Many have even been taught as basic fieldcraft for espionage agencies and are part of the repertoire of investigative techniques used by real and fictional police detectives. A short list of the tactics that we see across cyberspace currently includes:

• Phone phishing or vishing: Using a rogue interactive voice response (IVR) system to re-create a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted through a phishing email to call in to the “bank” via a provided phone number to verify information such as account numbers, account access codes or a PIN and to confirm answers to security questions, contact information and addresses. A typical vishing system will reject logins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems may be used to transfer the victim to a human posing as a customer service agent for further questioning.

• Pretexting: The human equivalent of phishing, where someone impersonates an authority figure or a trusted individual in an attempt to gain access to your login information. The pretexter may claim to be an IT support worker who is supposed to do maintenance or an investigator performing a company audit. Or they might impersonate a coworker, the police, a tax authority or some other seemingly legitimate person. The goal is to gain access to your computer and information.

• Quid pro quo: A request for your password or login credentials in exchange for some compensation, such as a “free gift,” a monetary payment or access to an online game or service. If it sounds too good to be true, it probably is.

• Tailgating: The practice of following an authorized user into a restricted area or system. The low-tech version of tailgating would occur when a stranger asks you to hold the door open behind you because they forgot their company RFID card. In a more sophisticated version, someone may ask to borrow your phone or laptop to perform a simple action when he or she is actually installing malicious software onto your device.

Social engineering works because it plays on human tendencies. Education, training and awareness work best to counter or defend against social engineering because they help people realize that every person in the organization plays a role in information security.

We use many different passwords and systems. Many password managers will store a user’s passwords for them so the user does not have to remember all their passwords for multiple systems. The greatest disadvantage of these solutions is the risk of compromise of the password manager.

These password managers may be protected by a weak password or passphrase chosen by the user and easily compromised. There have been many cases where a person’s private data was stored by a cloud provider but easily accessed by unauthorized persons through password compromise.

Organizations should encourage the use of different passwords for different systems and should provide a recommended password management solution for its users.

Examples of poor password protection that should be avoided are:

• Reusing passwords for multiple systems, especially using the same password for business and personal use.
• Writing down passwords and leaving them in unsecured areas.
• Sharing a password with tech support or a co-worker.

Building data security awareness is essential for protecting the company and the whole business. A successful data breach could not only see your company lose important data, but result in costly regulatory fines and a damaging loss in brand reputation among customers and partners.

Successfully training employees on data security involves identifying the right topics, building, or finding training material, and creating a schedule for when/where the training will take place.

· What data security awareness topics should we train employees in?

· Where can we find data security awareness courses material?

· What schedule should we train end users on data security with?

Identifying the right topics is essential to successfully raise data security awareness in organization. You should consider the risks that your end users are likely to face and through what medium.

As almost all end users will use email and the internet in their day-to-day work, businesses should include training in secure use of these for every employee. Through the email and internet, end users will also meet threats like phishing, malware, ransomware and drive-by-downloads, so it is essential to also include training on these topics.

If employees use online services as part of their work, businesses will also need to train them on secure password use and multi-factor authentication to ensure that they are taking the necessary steps to prevent damaging breaches.

To find out more about which data security topics to train your employees in, read our guide on cybersecnewbie.com the 10 essential security awareness topics.

You can always build data security awareness training material yourself, but in doing so you will run into a couple of difficulties. While it allows you to customize material to ensure it is relevant specifically for your company, you will end up using a lot of your valuable time in writing and editing content. Building engaging training can also prove difficult.

Lectures based on slide-show presentations are one of the most common forms of data security awareness training - especially for companies that build their training themselves. Yet this type of training is rarely successfully in actually grabbing the attention of end users and getting them to remember learning objectives.

Video and interactive content is far more likely to get your users to stay engaged and actually learn from their training than text-based content or slide-shows. Well-produced video content is relatable and fun for end users to view, while providing up-to-date advice on the best data security measures that end users can apply in their day-to-day work life.

There are a number of vendors for data security awareness training. Cybersecnewbie has a library of courses on all essential data security awareness topics, as well as fun video courses that are certain to keep your end users watching even as they learn about all they can do to help protect data in their company.

Almost as important as how you train end users is when you train end users. Traditionally, many companies performed annual training sessions consisting of a lecture and a slide-show presentation. These were often accompanied by print-outs and reminder emails on helping keep data safe. Unfortunately, annual training usually meant that end users would forget all about data security for 11 months of the year.

Performing training regularly is essential to keep security awareness on the top of users' minds. Learning happens best through repetition, and being exposed to data security topics on a regular, monthly/quarterly basis allows end users to retain more of their learning and make them more likely to actually apply it to their day-to-day work life.

Making training a regular, monthly/quarterly exercise rather than having one annual session also has the benefit of allowing you to break down training into small components. This means that users will have less to digest at once, making them more likely to stay engaged for the duration of the whole training session, as well as allowing them to more easily remember the contents of their training.

Cybersecnewbie contains a library of data security awareness training courses on all the essential topics, from phishing to using a VPN. The courses are followed by a series of questions that help your end users retain their knowledge by having to recall it from memory - and you will also be kept up-to-date on the learning progress of your end users.

 Cybersikkerhet forklart

Cybersikkerhet er et sett prosesser, anbefalt praksis og teknologiske løsninger som bidrar til å beskytte de kritiske systemene og nettverkene mot digitale angrep. Etter hvert som data har spredt seg og flere mennesker jobber der de vil, har ondsinnede aktører svart med å utvikle sofistikerte metoder for å få tilgang til ressurser og stjele data, sabotere for virksomheter eller drive med pengeutpressing. Hvert år øker antallet angrep, og fienden utvikler nye metoder for å unngå å bli oppdaget. Et effektivt program for cybersikkerhet omfatter mennesker, prosesser og teknologiske løsninger som samlet reduserer risikoen for forstyrrelser i virksomheten, økonomisk tap og skadet omdømme fra et angrep.

 Ta i bruk strategier for nulltillitssikkerhet

Nå som flere organisasjoner innfører bruken av modeller for hybridarbeid som gir de ansatte fleksibiliteten til å jobbe både på kontoret og eksternt, vokser det frem et behov for en ny sikkerhetsmodell for å beskytte personer, enheter, apper og data – uansett hvor de befinner seg. Et rammeverk for nulltillit starter med prinsippet om at du ikke lenger kan stole på en forespurt tilgang, selv om den kommer internt i nettverket. For å redusere risikoen må du anta at du har et sikkerhetsbrudd, og eksplisitt bekrefte alle tilgangsforespørsler. Gi minst mulig rettighetstilgang for å gi personer tilgang bare til de ressursene de trenger.

Gjennomfør regelmessig opplæring for cybersikkerhet

Cybersikkerhet er ikke bare sikkerhetseksperters ansvar. I dag bruker vi arbeidsenheter og personlige enheter om hverandre, og mange cyberangrep starter med en phishing-e-post sendt direkte til en ansatt. Selv store og ressurssterke selskaper kan bli ofre for kampanjer for sosial manipulering. Å konfrontere cyberkriminelle krever at alle jobber sammen for å skape en tryggere Internettverden. Lær opp teamet å beskytte personlige enheter, og hjelp dem med å kjenne igjen og stoppe angrep med regelmessig opplæring. Overvåk effektiviteten til programmene med phishingsimuleringer.

Innfør cybersikkerhetsprosesser

For å redusere risikoen for cyberangrep kan du utvikle prosesser som bidrar til å forhindre, oppdage og svare på et angrep. Oppdater programvare og maskinvare regelmessig for å redusere sårbarheten og gi klare retningslinjer til teamet, slik at de vet hvilke tiltak som skal til ved et angrep.

Du må ikke opprette en prosess fra grunnen av. Få veiledning fra Cybersecurity Framework, som International Organization for Standardization (ISO) 2700 eller National Institute of Standards and Technology (NIST).

Invester i omfattende løsninger

Teknologiske løsninger som hjelper deg med å ta tak i sikkerhetsproblemer blir bedre for hvert år. Mange løsninger for cybersikkerhet bruker kunstig intelligens og automatisering for å oppdage og stoppe angrep automatisk, uten menneskelig innblanding. Annen teknologi hjelper deg med å forstå hva som foregår i miljøet ditt med analyse og innsikter. Få en helhetlig oversikt over miljøet og eliminer hull i dekningen med omfattende løsninger for cybersikkerhet som jobber sammen med økosystemet i organisasjonen for å beskytte identiteter, endepunkter, apper og skyer.

 En cybersikkerhetstrussel er et tilsiktet forsøk på å få tilgang til systemet til en enkeltperson eller organisasjon. Ondsinnede aktører utvikler stadig sine angrepsmetoder for å unngå å bli oppdaget og å utnytte nye sårbarheter, men de er likevel avhengige av noen vanlige metoder som du kan forberede deg på. 

• Skadelig programvare
  Er en samlebetegnelse på alle skadelige programvarer, inkludert ormer, løsepengevirus, spionprogrammer og virus. Skadelig programvare er utformet for å skade datamaskiner og nettverk ved å endre på eller slette filer, trekke ut sensitive data, som passord og kontonummer, eller sende skadelige e-postmeldinger eller -trafikk. Skadelig programvare kan installeres av en angriper som får tilgang til nettverket, men ofte distribuerer enkeltpersoner utilsiktet skadelig programvare på enhetene eller firmanettverket etter å ha klikket på en skadelig kobling eller lastet ned et infisert vedlegg.

• Løsepengevirus
  Er en form for utpressing som bruker skadelig programvare til å kryptere filer, og dermed gjøre dem utilgjengelige. Angripere henter ofte ut data under et løsepengevirusangrep, og kan true med å publisere dataene hvis de ikke får betalt. I bytte mot en dekrypteringsnøkkel må ofrene betale løsepenger, vanligvis i form av kryptovaluta. Ikke alle dekrypteringsnøkler fungerer, så betaling garanterer ikke at filene blir gjenvunnet.

• Sosial manipulering
  Ved sosial manipulering drar angriperne nytte av folks tillit ved å lure dem til å overlevere kontoinformasjon eller laste ned skadelig programvare. I disse angrepene maskerer ondsinnede aktører seg som kjente merkevarer, kollegaer eller venner, og bruker psykologiske strategier, som å skape en følelse av at det haster, for å få folk til å gjøre det de vil.

• Phishing
  Er en type sosial manipulering som bruker e-postmeldinger, tekstmeldinger eller talepostmeldinger som fremstår som en pålitelig kilde, for å prøve å overbevise folk om å oppgi sensitiv informasjon eller klikke på en ukjent kobling. Noen phishing-kampanjer sendes ut til et stort antall mennesker i håp om at én person klikker på koblingen. Andre kampanjer, for eksempel målrettet phishing, er mer målrettet og konsentrert om én enkelt person. For eksempel kan en angriper utgi seg for å være en jobbsøker for å lure en rekrutterer til å laste ned en infisert CV.

• Interne trusler
  I en intern trussel kan personer som allerede har tilgang til visse systemer, for eksempel ansatte, leverandører eller kunder, forårsake et sikkerhetsbrudd eller økonomisk tap. I noen tilfeller er skaden utilsiktet, som når en ansatt ved et uhell publiserer sensitiv informasjon til en personlig skykonto. Men noen interne brukere har ondsinnede hensikter.

• Avansert vedvarende trussel
  I en avansert vedvarende trussel får angripere tilgang til systemer, men forblir uoppdaget over en lengre periode. Angriperne undersøker målfirmaets systemer og stjeler data uten å utløse forsvarende mottiltak.

Hvorfor er cybersikkerhet viktig?
I dagens samfunn er vi mer koblet sammen enn noen gang. Den globale økonomien er avhengig av at folk kommuniserer på tvers av tidssoner og har tilgang til viktig informasjon der de befinner seg. Cybersikkerhet muliggjør produktivitet og innovasjon ved å gi mennesker tryggheten til å jobbe og være sosiale på nettet. De rette løsningene og prosessene gjør det mulig for bedrifter og myndigheter å dra nytte av teknologi for å forbedre hvordan de kommuniserer og leverer tjenester på, uten å øke risikoen for angrep.

With human error playing a key part in 95% of cybersecurity breaches, managing employee cyber risk is essential for businesses around the world, to steer clear of a user-related data breach.

One core component of a strong human risk management (HRM) program is ongoing security awareness training that educates end-users on how to identify and combat modern threats and best practices for staying security-savvy.
 

But deciding to launch this type of training comes with some common questions, first of all, is “which topics should be included in the security awareness training?”.

In this article, we'll learn which topics should be included in the core security awareness training library for 2022.

Here is the list of most relevant cyber security awareness training topics for employees in 2022:

1. Phishing attacks

2. Removable media

3. Passwords and Authentication

4. Physical security

5. Mobile Device Security

6. Working remotely

7. Public Wi-Fi

8. Internet and Email Use

9. Social Engineering

10. Security at Home

As years before, phishing remains one of the most effective avenues of attack for cyber criminals. Having doubled in 2023, phishing attacks steadily increased throughout 2024, with remote work making it harder for businesses to ensure their users aren't falling victim. 

But why is phishing still such a threat to businesses in 2025?

One major factor is due to how sophisticated these types of attacks have become. Attackers are now using smarter techniques to trick employees into compromising sensitive data or downloading malicious attachments. 

For example, business email compromise is a common form of phishing that uses prior research on a specific individual — such as a company's senior executive (email whaling) to create an attack that can be incredibly difficult to distinguish from a real email.

These more intelligent attacks in combine with the common misconception that phishing is 'easy to spot', in result gives businesses headache in 2025 to.

Another security awareness topic that is used daily by companies is removable media. Removable media is the portable storage medium that allows users to copy data to the device and then remove it from the device to another and vice versa. Universal serial bus (USB) devices containing malware can be left for end-users to find when they plug this into their device.

98% of USB drives were picked up, according to research! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside".

As well as understanding the risks your employees need to know how to use these devices safely and responsibly in your business. There are numerous reasons a company would decide to use removable media in their environment, (or move to the cloud). It is important that employees protect (personal or corporate) data on these devices. 

A few common examples of removable media:

• USB sticks
• SD cards
• CDs
• Smartphones

This security awareness topic should be included in security awareness training and cover examples of removable media, why it's used in businesses, as well as how to prevent the risks such as lost or stolen removable devices, malware infections and other inconveniences coming with removable media.

A very simple but often overlooked element that can help company's security is password security. Often commonly used passwords will be guessed by malicious actors in seconds in the hope of gaining access to your accounts/admin accounts. 

Using simple passwords or having recognizable password patterns for employees can make it simple for cyber-criminals to access a large range of accounts. Once this information is stolen it can be made public or sold for profit on the dark web market.

Implementing randomized passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Making passwords complex but nor predictable can help in big scale, or even better use of passphrases instead of passwords.

Other steps, such as two-factor authentication, provide extra layers of security that protect the integrity of the account.

Company`s should have policy about how to protect passwords? Do you have employees that keep their passwords on sticky notes under the keyboard. Though many attacks are likely to happen through digital mediums, keeping sensitive physical documents secured is vital to the integrity of your company's security system.

Simple awareness of the risks of leaving documents, unattended computers and passwords around the office space or home can reduce the security risk. 

A clean desk policy (CDP) is a corporate directive that specifies how employees should leave their working space when they leave the office

By implementing a 'clean-desk' policy, the threat of unattended documents being stolen or copied can be significantly reduced.

Do not forget Win+L, when you leave your workspace.

The changing landscape of IT technologies has improved the ability for flexible working environments, and along with it more sophisticated security attacks. 

With many people now having the option to work on the go using mobile devices, this increased connectivity has come with the risk of security breaches. For smaller companies this can be an effective way of saving budget, however, user-device accountability is an increasingly relevant aspect of training in 2022, especially for travelling or remote workers. The advent of malicious mobile apps has increased the risk of mobile phones containing malware which could potentially lead to a security breach.

Best practice online courses for mobile device workers can help educate employees to avoid risks, without high-cost security protocols. Mobile devices should always have sensitive information password-protected, encrypted or with biometric authentication in the event of the device being lost or stolen. The safe use of personal devices is necessary training for any employees who work on their own devices.

Make sure that company have a mobile security policy signed by employees.

Obvious need for remote working in 2021, combined with the increasing uptake, led to many companies taking drastic steps towards full time working from home policies. Remote working can be positive for companies. This trend does however pose an increased threat to security breaches when not safely educated on the risks of remote working. Personal devices that are used for work purposes should remain locked when unattended (not to play games by kids) and have anti-virus software installed. If a company wants to offer this incentive, it should focus on educating remote employees on safe working practices.

Going into 2022 it is likely that this trend will continue. Companies are hiring remote workers, and those who have adapted to working from home (WFH) lifestyle may prefer to work this way. The need to train employees to understand and manage their own cybersecurity is apparent. 

Some employees who need to work remotely, travelling on trains and working on the move may need extra training in understanding how to safely use public Wi-Fi services. Fake public Wi-Fi networks, often posing in coffee shops as free Wi-Fi, can leave end-users vulnerable to entering information into non-secure public servers.

Educating users on the safe use of public Wi-Fi and the common signs to spot a potential scam will increase the company's awareness and minimize risk.

Some employees may have already been exposed to data breaches, by using simple or repeat emails for multiple accounts. This means that if one account is compromised, a hacker can use this password on work and social media accounts to gain access to all the user's information on these accounts.

Often websites offer free software infected with malware, downloaded applications from trusted sources only is the best way to protect computer from installing any malicious software. Educating employees on safe internet habits should be a key part of any awareness training program, though some may see this training as obvious, it is a key part of the safety.

Many large websites have had large data breaches in recent years, if your information has been entered into these sites, it could have been made public and exposed your private information.

Social engineering is a common technique malicious actors use to gain the trust of employees, offering valuable lures or using impersonation to gain access to valuable personal information. Employees need to be educated on security awareness topics that cover the most common social engineering techniques and the psychology of influence, in order to combat these threats.

Unfortunately, the threat of malicious actors does not stop when you leave the workplace. Many companies allow their employees to use their personal devices (Bring your own device - BYOD), which is a great cost-saving method and allows flexible working, however, there are risks associated with this. Unwittingly malware downloaded applications on personal devices can risk the integrity of the company's network if, for example, log-in details are compromised.

Additionally, the growing network of digital resources available to workers and companies has increased connectivity and productivity. 

Increasing employee knowledge, sharing encrypted files and authenticating downloads will reduce the risk.