
Blog

Cybersecurity Training for Staff – Five Step Approach

By teaching your staff members about cybersecurity and phishing attacks, you will significantly enhance the security and cyber resilience of your business. A lack of employee training is one of the most common reasons that businesses are left vulnerable to cyber phishing attacks. Cyber security awareness training will show your employees how to safeguard themselves and your business data.

Despite the presence of firewalls, endpoint protection and web filtering – your staff serve as your last line of defence.

Five-Step Approach

Cybersecurity Phishing Stats

Staff cybersecurity training educates your teams on the principles of cybersecurity, the most common threats, what to look out for and security best practice. Most business owners know that time is money, so sending staff members out on a course may be impractical or undesirable.

Online cyber awareness training is more accessible and can be completed in the office and at a time that suits you (or your staff).

When the material is customised to match your business or industry, it becomes much more relevant and effective.

In this article, we highlight the five-step approach to awareness training and how simulated phishing attacks can be used to measure and improve your cyber resilience.

1 – Establish a baseline

This phase takes the form of a simulated cyber-phishing attack using e-mails. To gain an accurate picture, it is essential that your staff members are not aware that this testing is taking place.

This step is perhaps the most interesting for business owners or managers. It will enable you to understand the risks that exist in your business today and develop a sense of how resilient (or vulnerable) your teams are to cyber phishing attacks.

There are some necessary preliminary steps associated with this phase.

Add or import staff members

The training platform will require a list of e-mail addresses to which simulated e-mails will be sent. This step is a simple task that can be done manually, or for larger organisations – imported by your IT teams or us.

Artificial whitelisting

Office 365 Phishing E-mails
Phishing E-mails can look authentic – tricking staff members into entering their business credentials which may be later traded on the dark web or used against you.

We would whitelist the training platform so that its e-mails are not blocked by your usual filtering or antivirus systems. Whitelisting is needed so that the simulated phishing e-mails are actually delivered, emulating a real-world, high-risk phishing attack that has slipped past your technical controls.

Tailored content

Once the platform is whitelisted, you will want to generate industry-specific, customised content and e-mails. This customisation gives your e-mails authenticity and makes them relevant to your business or industry. Personalisation is made easy through a simple customisation wizard – so no design skills are needed!

Schedule the campaign

The final step is to schedule the initial attack, including the start dates, duration, and so on.

2 – Launch the simulated phishing campaign

Once you have scheduled the campaign, the system will begin to send out crafted phishing e-mails to staff in your organisation. These e-mails may prompt your staff members for their credentials, redirect them to a dummy website, or impersonate a trusted company.

The simulated e-mails do not pose a threat to your business, but they will look authentic and reflect a real-world phishing e-mail. Perhaps their most important function – they will record instances of opening e-mails, clicking links and opening attachments.

The goal of this phase is to establish your exposure by observing staff behaviours. If staff members are opening your simulated e-mails, there is a good chance they are opening high-risk phishing e-mails.

3 – Measure the response

Cybersecurity Staff Training Dashboard
The dashboard provides a high-level overview of who opened e-mails, clicked links or entered credentials. Rather than apportioning blame, the dashboard identifies training opportunities.

The data from the campaign phase will generate a report that will both educate and inform:

  • How many staff received the (simulated) phishing e-mails.
  • The staff who opened the e-mails.
  • Which staff members clicked the links.
  • The staff who were tricked into entering their usernames and passwords.

The report gives you high-level statistics and trends, together with specific examples of the staff members or teams affected.

The goal of this phase is to identify those staff members or teams who would benefit most from cybersecurity awareness training.

4 – Enroll people in staff cybersecurity training

Once you understand your cyber-phishing exposure, you will recognise the need to educate your staff. The training platform we use makes it easy to schedule and automate cybersecurity training courses and workshops.

To commence the training, the platform will send out links to staff members where they can learn about phishing attacks and cybersecurity.

The training programme consists of short but effective presentations and quizzes to educate your teams, and test their knowledge. It is designed for non-IT professionals and is a very effective way of sharing knowledge and giving people the skills to make them more cyber resilient.

Much like phase 3, you have access to data and statistics that show how many people have completed the training and their quiz scores.

5 – Repeat the campaign

Step 5 is a repeat of Step 2. To measure the effectiveness of the training and the simulated phishing attacks, we repeat the campaign phase. The repeat campaign could begin days or weeks after the training and itself run over days or weeks. Following staff training, we would expect to see a significant improvement in awareness, reflected in a reduced open rate and (hopefully!) no more staff members opening dodgy e-mails or entering their credentials on spoofed websites.

After this phase is completed, the process becomes continuous: launch a campaign, send e-mails, measure, train, repeat.
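To make the measurement in Steps 3 and 5 concrete, the following added example (not part of the original article or of any training platform) aggregates constructed per-recipient campaign results into per-team open, click and credential-entry rates, ranks the teams that would benefit most from training, and compares a baseline campaign with the repeat campaign. All names, teams and the 25% click threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample data: one record per recipient per campaign, mirroring
# what the article's dashboard reports (received, opened, clicked, entered
# credentials). Teams and outcomes are invented for illustration.
EVENTS = [
    # (campaign, team, opened, clicked, entered_credentials)
    ("baseline", "finance", True, True, True),
    ("baseline", "finance", True, True, False),
    ("baseline", "finance", True, False, False),
    ("baseline", "finance", False, False, False),
    ("baseline", "ops", True, False, False),
    ("baseline", "ops", False, False, False),
    ("repeat", "finance", True, False, False),
    ("repeat", "finance", False, False, False),
    ("repeat", "finance", False, False, False),
    ("repeat", "finance", False, False, False),
    ("repeat", "ops", False, False, False),
    ("repeat", "ops", False, False, False),
]

RATE_KEYS = ("open_rate", "click_rate", "cred_rate")


def team_rates(events, campaign):
    """Per-team rates for one campaign, each as a fraction of e-mails received."""
    counts = defaultdict(lambda: [0, 0, 0, 0])  # received, opened, clicked, creds
    for camp, team, opened, clicked, creds in events:
        if camp != campaign:
            continue
        c = counts[team]
        c[0] += 1
        c[1] += int(opened)
        c[2] += int(clicked)
        c[3] += int(creds)
    # A team only appears after at least one e-mail was received, so c[0] > 0.
    return {team: {"received": c[0], "open_rate": c[1] / c[0],
                   "click_rate": c[2] / c[0], "cred_rate": c[3] / c[0]}
            for team, c in counts.items()}


def training_priorities(rates, click_threshold=0.25):
    """Teams to enrol first: any credential entry, or a click rate at/above the threshold (assumed)."""
    flagged = [t for t, r in rates.items()
               if r["cred_rate"] > 0 or r["click_rate"] >= click_threshold]
    return sorted(flagged, key=lambda t: (-rates[t]["cred_rate"], -rates[t]["click_rate"]))


def improvement(events, before="baseline", after="repeat"):
    """Drop in each rate between two campaigns, per team present in both (positive = better)."""
    b, a = team_rates(events, before), team_rates(events, after)
    return {team: {k: round(b[team][k] - a[team][k], 3) for k in RATE_KEYS}
            for team in b if team in a}
```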


New Starters

New staff members should automatically be enrolled for cybersecurity training when they start their new role in the business. We would recommend that cybersecurity training forms part of their induction. In other words, do not let them begin to use your systems until they have undertaken mandatory training. The training might add an hour to their first day, but the benefits far outweigh this initial investment in time.

How is it priced?

The service has a low monthly fee, priced per user. There is a very low administrative burden, and it is something that needn’t be administered by your IT team.

The easy-to-use platform means that you can configure it yourself or, where MTG is your IT support provider, this is something we can do for you.

Free Trial – Staff Cybersecurity Training

Staff Cybersecurity training and phishing attack simulation will enhance the security and resilience of your staff and pay dividends in terms of the protection it affords your organisation.

If you would like a free trial of our cybersecurity training platform, speak to our solutions team. E-mail sales@mtg.im, call +44 1624 777837 or submit a Request a Quote form on our website.

Joe Hughes is the CEO of Manx Technology Group. Joe has a background in software development, information security, networks, datacentres and enterprise IT.