Protecting Your People in 2020

Inspired eLearning Exclusive Report

© 2020 Inspired eLearning,LLC

Table of Contents

• Executive Summary

• Protecting Your People in 2020

• Working From Home

• Supply Chain Hacks

• USB Phone Charging Cable Intrusion

• Deepfakes

• Security Awareness in a Human Centric Way?

• Social Proofing

• Importance of Neurodiversity

• Conclusion

Executive Summary

As more companies and government agencies become cyber dependent, malware attacks are growing exponentially in both number and sophistication.

This report – based on the March 24, 2020 panel webinar with cyber experts from Inspired eLearning and the FBI – examines the top threats we face today as well as how we humans can combat them. Today, people are the most common target of cyberattacks, and yet they can be an organization’s strongest defense.

This report covers:

• What role the human element plays in trending cyberattacks

• The newest cyberthreats targeting people, such as the O.MG cable and deepfakes, and how these threats can wreak havoc on society

• Practical methods of defense that we can use to defend ourselves and our organizations from these menacing attacks

Protecting Your People in 2020

What’s top of mind for most people right now is how we can protect ourselves from the coronavirus. To compound the physical threat of the virus, we now have cybercriminals taking advantage of our collective distress by sending email phishing campaigns with malicious links and attachments under the guise of providing COVID-19 updates.

How the general public can protect against coronavirus related cyberattacks:

Train your users to recognize coronavirus related cyberattacks using our PhishProof simulated phishing tool coronavirus templates.

Template Topics Include:

• CDC URGENT UPDATE

• Coronavirus Insurance Scam

• Coronavirus Attachment

• Coronavirus Blood Donations

• Coronavirus Scam Warning

• Coronavirus Donations Scam

• Coronavirus U.S. Map

• Coronavirus HR Update

• AND MORE!

Working From Home

Another result of the coronavirus is that more people are starting to work remotely or from home.

Best practices people should consider when working away from the workplace:

1. Get prior authorization and instructions before accessing your organization’s information.

2. If you have access to a VPN through your organization, be sure to use it before accessing workplace information.

3. For wireless network connections, be sure to use Wi-Fi Protected Access version 2 (WPA2).

4. Avoid public Wi-Fi as these networks tend to be unsecure.

5. Make sure your home Wi-Fi router is updated with the latest firmware from the manufacturer. Cybercriminals have been taking advantage of well-known exploits to take over routers and get access to people’s networks.

6. Be sure your smartphone is not set up to connect automatically to a Wi-Fi network, as these can be easily impersonated by cybercriminals.

7. Keep your laptop and other mobile devices always in sight.

8. If you do have to leave a mobile device in your vehicle, lock it away in the trunk.

9. And remember that an organization’s acceptable use policies still apply when working away from the workplace.

Supply Chain Hacks

There’s been an increase in cybercrooks attacking our supply chain through various methods.

Business Email Compromise is on the rise:

American International Group (AIG) issued a report in 2019 that noted BECs as being the top reported cybersecurity insurance claim, surpassing even ransomware. Typically, it involves a cybercriminal posing as an executive, manager, or vendor and sending emails to employees requesting funds to be transferred, confidential data (W-2s, PII, etc.) provided, or payment information changed.

What to do if you receive a suspicious email:

• Call the person to verify that the request is legitimate.

• Double-check the email address of the sender to make sure it isn’t being spoofed.

• Avoid replying to the sender, especially if this is being received from a personal email address. Instead, forward your response to what you know is their actual work email address.

• Be wary of changes in how the sender communicates, especially if you are asked to maintain secrecy or if the tone is urgent.

• If you do fall victim to a BEC, it is very important to alert your manager quickly. If funds were transferred, there may be a chance to freeze the process and recover the funds.
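For teams that triage reported emails, the checks in the list above can be turned into a first-pass filter. The sketch below is an added example, not part of the original report or any Inspired eLearning product; the directory of known work addresses, the webmail domain list, the phrase patterns, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: display name -> known work address (assumption).
KNOWN_WORK_ADDRESS = {"dana reyes": "dana.reyes@corp.example"}
# Illustrative personal webmail domains, not an exhaustive list.
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
# Urgent tone or a request for secrecy.
PRESSURE = re.compile(
    r"\b(urgent|immediately|right away|confidential|"
    r"keep this (quiet|between us)|do not (tell|discuss))\b", re.I)
# Requests for funds, W-2/PII data, or payment detail changes.
REQUEST = re.compile(
    r"\b(wire|transfer|w-?2s?|routing number|bank (account|details)|"
    r"payment (info|information|details))\b", re.I)

def bec_indicators(raw_message):
    """Return the BEC warning signs found in one plain-text email."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    flags = []
    expected = KNOWN_WORK_ADDRESS.get(name.strip().lower())
    if expected and addr != expected:
        flags.append("display-name-mismatch")   # name of a known person, wrong address
    if domain in PERSONAL_DOMAINS:
        flags.append("personal-address")
    if PRESSURE.search(text):
        flags.append("urgency-or-secrecy")
    if REQUEST.search(text):
        flags.append("money-or-data-request")
    return flags

# Constructed sample messages.
SUSPICIOUS = """\
From: Dana Reyes <dana.reyes.ceo@gmail.com>
To: ap@corp.example
Subject: Urgent wire transfer

I need you to wire 48,000 to the new vendor today. Keep this between us.
"""
LEGITIMATE = """\
From: Dana Reyes <dana.reyes@corp.example>
To: ap@corp.example
Subject: Planning notes

Agenda for Thursday is attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw))
```

Any flag is a prompt to verify the request by phone, not proof of fraud; a message with no flags can still be a BEC if the sender's real mailbox was taken over.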

USB Phone Charging Cable Intrusion

Another public threat is the newly available compromised USB phone charging cables, also called O.MG Cables. The concern is that attackers can potentially embed malicious code into the USB connector plug of this charging cable. These charging cables – with executable code built-in – have just hit the web and are now for sale online to the masses.

How do we protect against these attacks?

Always resist the temptation to connect a “found” USB, Micro USB, Lightning Cable, or other external cord into your computer or phone. Even if you’re somewhere heavily trafficked like an airport or coffee shop, the best practice is to bring and use your own charging cable. Also, it is never a good idea to plug your cable into a publicly available USB charging port. These can be compromised and used to infect your mobile device.

As an added protection, you can purchase devices called USB Blockers that connect between your cable and the USB port. These will stop data from syncing or transferring through the cable and only allow electrical power to cross through.

Deepfakes

Deepfakes are getting trickier to detect with the human eye and are expected to become more prolific in 2020.

What are Deepfakes? Deepfakes are fake media, such as videos or audio recordings that look and sound just like the real thing. The technology is enhanced with machine learning that is drawing from a pool of genuine media that is publicly available.

What are some implications of Deepfakes?

So far, deepfakes have mostly been used by hobbyists to get attention on the internet by creating funny videos or celebrity mashups. However, if used by a highly-skilled cybercriminal, the implications could be much larger. Phishing attacks could become even more convincing or elections could be disrupted if a conceivable fake video or audio clip is sent out spreading disinformation.

What types of attacks can cybercriminals use Deepfakes for?

• Social Engineering

• Disinformation

• Extortion

• Outsider trading

• Financial/Marketing Manipulation (stock exchange)

• Political Elections

https://www.csoonline.com/article/3293002/deepfake-videos-how-and-why-they-work.html
Deepfakes in Social Engineering:

Social engineers recently fooled the CEO of an energy firm in the UK into believing that he was talking to the chief executive of its parent company, including the man’s German accent. This was a deepfaked audio that tricked the CEO into wiring 220,000 Euros to the cybercriminals.

What are some best practices to detect and protect against Deepfakes?

Detecting deepfakes can be tough. Some amateur creations can have flaws – like rough edges – but well done deepfakes can be near-impossible to detect with the human eye. Technology firms such as Nvidia and Google are working on ways to discern them from genuine media. However, to help keep yourself from falling for a deepfake, consider the following:

• Be skeptical of sensational or suspicious media.

• Look for flaws, such as differences in skin tones or lighting.

• Typically, subjects in a deepfake video don’t blink as the media they are pulling from are photos where the subject likely has his/her eyes open.

• If you receive a suspicious call that sounds like the real person, double-check where the call is originating from or the number being used for anything unusual.

The best way to avoid being exploited is to verify the authenticity of requests for sensitive information or funds. If something seems off, go with your gut. It’s best to verify the request with the person directly through another communication channel, such as another phone call, through a number you know is legitimate.

Security Awareness in a Human Centric Way?

There are learning techniques organizations can take advantage of to spread security awareness in a “human centric” way. For example, we have seen movement in the industry away from what has traditionally been a fear-based approach (FUD: fear, uncertainty & doubt) to one of empowerment when training end users in cybersecurity best practices.

What approach is most successful in getting your people interested and engaged in security topics?

• Fear is not conducive to learning. People do not learn well in environments where they fear failure or humiliation.

• Fear does not change behavior. It produces a knee-jerk reaction and, in the long term, leads to more harm than good.

• You need to make the result you want as accessible as possible for your employees to encourage the behavior.

Examples:

▪ If you wish to have your employees report phishing emails, be sure your phishing simulation platform has a button for your email client to make the process easier and hence the effort more successful.

▪ If you wish to make sure people are shredding confidential documents, place shredders in convenient locations that are easily accessible to employees, and make sure employees are aware of these devices.

Social Proofing

What social proofing is and how it can apply to security awareness:

What is social proofing?

Social proofing is a phenomenon where people will follow what others are doing as a way to conform and to do what is interpreted as “correct” behavior. This can occur when there are as few as 25% of a group of people performing an action. An example is a man stepping into an elevator to find everyone else facing the opposite direction away from the door. The man is likely to turn in the same direction as the others even if he believes it is the wrong way to face because he assumes the others know something he does not.

How can this behavior be utilized in security awareness?

It’s always important that employees see good role-modeling in cyber hygiene from their leaders when it comes to security awareness. But this can be strengthened by also seeing their fellow employees embracing good security behaviors as part of the “norm”. A good way to create this environment is to have a “Security Ambassadors” or “Security Champions” program where employees can be a part of the program and encourage their fellow workers to help secure the organization.

When communicating the results of your efforts, be sure to focus on the majority of people following the correct behavior. For example, when discussing the results of phishing simulations where 20% of people fell for the attack, laud the 80% who were successful in detecting the phish and ask the others to do better next time and be a part of the majority. Or when using signs to reinforce correct behavior such as not tailgating, be creative and state something like “Cool people don’t tailgate.” It may seem silly, but people, if only subconsciously, will want to be “cool” like others and likely follow the intended behavior.

Importance of Neurodiversity

“Neurodiversity” is a concept in human resources where it is best to hire people with diverse backgrounds, experiences, and perspectives to create a more robust workforce.

How this approach is important to security awareness:

An effective security awareness program requires cross-departmental communication and coordination.

Security shouldn’t just be an IT effort. There are departments in the organization with different strengths and perspectives that can really bolster the effectiveness of a security awareness program. When it comes to communicating internally or giving a security awareness program presence and branding, the Marketing Dept is a valuable resource to do this effectively. If you’re dealing with compliance considerations or are deploying eLearning courses to your workforce, there are likely already systems and processes in place in your Human Resources dept for this. Leverage them. A “tiger team” of people from the different depts in your organization will be more effective in coordinating and deploying your program than a team of just security or IT personnel.

Conclusion

2020 will present a host of new cyberthreats. Using a training provider that gives you a turnkey solution, assisting you with training deployments and providing robust reports will teach your workforce to recognize these costly threats and how to defend against them.

For the past 17 years, Inspired eLearning has been working to protect organizations of all shapes and sizes from cyberthreats. Our fully automated, award-winning educational programs are designed to be used wherever your employees are at, whether in the office or helping your team work safely while working remotely so they can stay safe at all times. Our solution will help your team keep security awareness top-of-mind as they work from home, ensuring that your employees are learning, retaining, and following security awareness best practices.

For additional details on Inspired eLearning’s Award-Winning Security Awareness Training, including more information on how to create a secure work-from-home workforce, visit: https://inspiredelearning.com/security-awareness/working-remotely/

About Inspired eLearning

Named an Inc. 5000 company for the 5th year in a row, Inspired eLearning delivers the highest quality educational products to transform corporate culture, nurture and enhance workforce skills and deliver maximum ROI for the corporate education budget. Inspired eLearning offers Security Awareness and Compliance solutions that include Security First Solutions, CyQ Cybersecurity Assessment tool, PhishProof phishing assessment software, content integration and a fully hosted web-based eLearning course delivery and tracking system using the iLMS (Inspired Learning Management System).

Contact Inspired eLearning at: [email protected] or call us at 800.631.2078.

4630 N Loop 1604 W, Suite 401 San Antonio TX 78249

Phone: 1.210.579.0224 Toll Free: 1.800.631.2078

Sales: [email protected] General: [email protected]
