In 2021 and 2022, human error was reported by Verizon's Data Breach Investigations Report as being responsible for 85% and 82%, respectively, of all data breaches that occurred within those years. While the new year might mark the start of new beginnings for most of us, cyber attackers will continue using old tricks until they become ineffective. The risk that human error poses is unlikely to drop in 2023.
It’s an uncomfortable statistic, especially when it’s hard to prevent something as human as a mistake. It is, however, possible to educate and train your users on cybersecurity dangers so that the threat of human error causing a breach is minimized. This education and training is delivered through security awareness training (SAT).
With an SAT program, it is important that the topics and modules are relevant and comprehensive. These modules are like “cybersecurity classes” that contain informative and fun content on specific cybersecurity cases, scenarios, and threats. Pretty much every SAT vendor will offer the same broad range of topics, with more niche areas being focused on by specific vendors.
What Is Security Awareness Training?
Most SAT programs will include specialized and basic training topics, phishing simulations, and reporting capabilities to track user progression. Taken together, these facets are more than a sum of their parts.
Training usually begins with short modules made up of video clips and case studies. These will highlight how to spot a threat, and what to do about it. Once the training is completed, the data can be fed back to the admin through the reporting function. Then, the user will have to respond to a phishing simulation to test how much of the content they have understood. Anyone who fails the training may be required to complete further modules or face more simulated threats.
It’s worth checking that the vendor you’re looking at provides phishing simulations with the training, as not all vendors do. Having separate simulation tools can add extra expenses and be less cohesive than solutions that deliver SAT and phishing simulations hand in hand.
For more on security awareness training and how it operates, check out our blog here:
Do I Need Security Awareness Training?
The short answer is yes. It doesn’t matter if you’re in a tech company and “should know better”, as everyone is capable of human error. Unfortunately, not everyone is as internet-savvy as they should be and this lack of knowledge and training can be highly damaging–in some cases even fatal–for your business.
In many cases, the last thing standing between your organization and a breach is an end user who must decide whether to download a potentially harmful file or report it. It could be that they are poised to share data with a “colleague” who is, in fact, a malicious actor. In these instances, you want to ensure that your employees are as well trained as they can be. The way to ensure this is with SAT.
Beyond the obvious cybersecurity benefits, SAT is a requirement of the HIPAA, PCI-DSS, and GDPR frameworks. Having an effective SAT solution will ensure your organization is compliant, as well as safe. For more information on selecting an SAT solution, you can read our article here:
Security Awareness Training Trends for 2023
Now we’ll consider some of the topics and trends that we expect to see in 2023. Some of these are new and emerging areas, whilst others are pre-existing, but likely to become even more significant.
While we’ve probably all heard about the dangers of phishing attacks, they’re unlikely to go away in 2023. It is worth starting the year by reminding ourselves of how important it is to train your users on the dangers of phishing attacks, and how best to prevent them from causing damage. IBM calculated that phishing is one of the most common causes of a breach and has the highest average remediation costs at USD 4.91 million.
Read next: The top 10 phishing simulation solutions.
Anyone who has worked in an office during the past decade will be aware of the dangers of phishing emails – years of warnings, training, and reminders have turned phishing into a hot topic.
This effective messaging has, in turn, forced threat actors to get creative and develop new, unusual ways of tricking users into granting access or giving up critical information.
Two novel phishing attacks that we expect to see more of in 2023 are vishing and smishing.
Voice Phishing Or Vishing
Vishing refers to the practice of making fraudulent phone calls to individuals while claiming to be a trusted party, with the intention of getting the recipient to verbally hand over sensitive information or data. So far, this threat has predominantly focused on attacking private individuals rather than companies – that doesn’t mean this will always be the case, though.
When it comes to personal vishing attacks, threat actors often trick people into handing over their bank or credit and debit card information for financial gain. As with all phishing attacks, the threat actor will pose as a trusted figure from a reputable company to make the request for information seem realistic.
While vishing attempts in the business world are rare, they can and do happen. It can be particularly easy to impersonate a more senior person within a company, such as a C-level executive. In large organizations, many employees may never have met the executive team but wouldn’t think twice about following an instruction purportedly sent from them. There is often enough information on social media sites like LinkedIn and Facebook to make this impersonation plausible. Combined with company information on the website, attackers can easily weave a credible and believable story to target specific end users with certain levels of clearance and privilege.
SMS Phishing Or Smishing
Smishing is the art of sending fraudulent text messages to intended victims, again posing as a trusted figure or representative. Again, this is often done with the intent of stealing financial details and other sensitive information.
One of the current smishing attacks involves the attacker pretending to be a family member texting off a different phone, telling the recipient that they’ve broken theirs and are waiting for a replacement. In the meantime, they need some money to help with a bill or another expense. This is often done with a sense of time pressure and urgency – this encourages the recipient to act without thinking.
Smishing attacks often target lone individuals rather than specific companies, but that doesn’t mean it can’t happen. Staff can be busy and do not always have the time or mental bandwidth to check if the message is genuine. This could lead to them clicking on a harmful link or sending over sensitive information. If your organization uses cell phones heavily, or has remote employees, this type of attack could pose a significant risk.
While email phishing remains more widespread than vishing and smishing, the latter are fast catching up in terms of both frequency and severity. With smartphones being commonplace – and the same device often being used for both work and personal purposes – attackers have begun to favor smishing as a low-effort, high-reward attack.
So, what does this mean for SAT? It means that training needs to stay ahead of the curve and educate users about new and emerging threats. With an ever-changing threat landscape, it’s important that your SAT program include vishing and smishing content, whilst encouraging users to be cautious.
Business Email Compromise
While it may feel as though business email compromise (BEC) goes hand in hand with phishing (the two terms are sometimes used interchangeably), it is worth making the distinction between them and stressing the importance of having separate training modules that address each in finer detail.
One of the key differentiators between phishing and BEC is the level of detail and complexity. Phishing generally involves little effort. Attackers send out mass amounts of emails (or calls or SMS) at once, with the assumption that someone, somewhere will fall for it. BEC, on the other hand, takes this a step further.
BEC is (usually) an email scam where an attacker will target a specific individual within a specific business. Again, the intention is to defraud for financial gain, or steal data and information for further exploitation. Threat actors going the BEC route will create fake accounts and email addresses (sometimes even websites) in order to make the attack as credible as possible. The attacker may even have a realistic LinkedIn page in case a potential victim wants to make a quick check.
Real time and effort will go into ensuring that BEC attacks are as realistic as possible. These attacks can be highly sophisticated, with some threat actors even going as far as to use deepfake technology in order to trick unsuspecting users. In 2019, a CEO was scammed out of $243,000 by a threat actor using a deepfake vishing attack. In this case, the CEO thought they were receiving a message from the chief executive of the firm’s German parent company.
Another variation of the attack is email account compromise (EAC), which is sometimes referred to as email account takeover. This can be an insidious and difficult attack to spot. EAC is where an attacker exploits a valid email account to give their messages the seal of authenticity. Once they have gained access, the attacker will target other individuals within the company, posing as the colleague, until they have the money, data, or information they want.
Both BEC and EAC can be incredibly difficult to spot and, due to their sophistication, not every email security tool is adept at finding and filtering these emails out. As such, BEC and EAC will continue to be important trends as we move further on into 2023.
A certain global pandemic forced organizations to reconsider how they operate. In 2020 we saw the rise of remote working, with some organizations and employees still opting for a remote or hybrid practice.
Some organizations have seen financial benefits in giving up rented offices, and decided to pay a “home working stipend” instead. Even though we’re a year further on from the pandemic, we’re not back where we started.
It’s easy for standards and security to slip when you have a hybrid, flexible, or entirely remote workforce. It’s even harder to maintain security if you also factor BYOD (bring your own device) into the mix. All your users, wherever they choose to work from, should understand the dangers that can present themselves while working remotely and how to appropriately address the issue as and when it occurs.
One of the reasons why remote or hybrid users are so vulnerable is that they don’t have the support system or knowledge base that an office environment can bring. For example, if a user receives a potential phishing email that they’re not sure about, it is much easier to ask for advice in an office. While it is very easy to send a message via Teams to ask for a second opinion, it is also easy to downplay your worries and be less likely to reach out.
This physical distance between employee and workplace can allow attackers to get in between. All it takes is for an employee to throw caution to the wind, click on a risky link, and expose your whole organization. Ensuring that your staff are trained on cybersecurity threats, and knowledgeable on how to maintain security from wherever they work will continue to remain relevant into 2023 and beyond.
It is important for any SAT program to highlight the dangers and risks of storing data. With the widespread adoption of the cloud, data storage security has been at the fore of our minds, but some SAT vendors overlook the amount of data stored on removable media. Removable media refers to physical storage devices such as USBs, external hard drives, and even CDs.
Removable media is an important topic to include because not everyone considers the potential dangers and can get caught up with a focus on securing your company’s virtual perimeter, rather than the physical one. There are two main risks to consider with removable media: the threat of having data on removable media physically stolen or having a piece of removable media infected with malware or ransomware planted within the office, biding its time.
Users must take care when storing removable media devices to prevent them from being stolen. Their size makes them easy to lose or steal. We often don’t consider something like a USB drive a significant object, making it easy to overlook the significance of the data that is stored on it.
Employees should know your organization’s removable media policy, with their usage being controlled and monitored. Users who work remotely should be aware of how to protect their company-mandated or personal services used for work while out and about and at home. Removable media should be kept safe in cafes, coworking spaces, and even users’ home offices.
With removable media so easily accessible, users often know how to keep it safe, but need to be reminded of its significance. In January of 2022, Expel reported that roughly 9% of security incidents stemmed from attackers leveraging removable media in their attacks, either by stealing a company’s removable media or by planting a malicious device themselves.
Despite the other methods of gaining access to accounts mentioned above, stolen passwords are still the number one cause of a breach. About 81% of all hacking-instigated breaches were possible because of stolen passwords. In addition, Surfshark has suggested that this figure is on the rise, with a 70% increase in accounts compromised in Q3 compared with Q2 of 2022, and 108.9 million accounts breached in those three months alone. This worrying figure is expected to lead to a significant number of breaches in 2023. If the attack works, there’s no reason why a hacker would stop trying it.
It’s safe to say that passwords, despite being our go-to method for authentication, aren’t that secure–or at the very least aren’t being kept secure. With passwords continuing to be a huge problem for organizations to manage and the golden ticket for threat actors, instilling good password hygiene is an imperative as we go through 2023. There will still be password breaches but making sure your users know how to create effective passwords, how to use them securely, and how to store them, is the first step in protecting your passwords.
While passwords have been around for a while, passwordless authentication is really starting to take off. SAT should cover other methods of authentication, such as additional authentication factors or the entire removal of passwords. A lot of companies and consumers are looking for ways to replace passwords, thereby making their lives easier whilst maintaining their security. One of the ways of achieving this is passwordless authentication–full authentication, just without the passwords.
In 2022, Microsoft, Apple, and Google all announced their plans to move towards a common passwordless sign-in approach that would be accepted as standard, supported by the World Wide Web Consortium and FIDO Alliance. The intention was to have a passwordless approach supported across mobile, desktop and browsers.
Passwordless really is the future, with an average of over a million passwords stolen each week. They’re a hot commodity on the dark web where they’re often available for purchase in bulk. Multi-factor and two-factor authentication aren’t new solutions, but they are becoming more widely adopted as companies eagerly look away from passwords to more secure forms of authentication.
It’s exciting stuff for the tech world, with many untold benefits not just to do with security but enhancing the user experience as well. We’re sure to see MFA and passwordless authentication become more of a hot topic in SAT programs as users need to learn best practices when managing their accounts.
If it feels like everyone is migrating to the cloud these days, it’s because they are. Moving to the cloud provides a lot of benefits – users can work from anywhere, easily access data, and have a streamlined workflow. There are, however, a number of security risks associated with the cloud.
As your entire security stack, your data, and everything you use to work is stored in the cloud, it is a critical piece of infrastructure that attackers might target. While there is shared responsibility between the cloud provider and the customer, organizations need to take extra care on their side to ensure that security is kept tight in the cloud at all times. This responsibility also extends to your users, and you should ensure that best practices and good behavior are maintained at all times.
As more and more companies migrate to the cloud, it is important to make sure users know what this means and how they can work safely in the cloud. SAT programmes should make users aware of the risks, while explaining how to make best use of the cloud’s benefits.
Social Media Scams
Long gone are the days of email being the only attack vector. As the number of communication channels increases and diversifies, cyber attackers will develop new tactics and attack types. One of the emerging attack vectors is social media.
KnowBe4 has predicted that social media will become more prevalent for attackers to instigate social engineering-based attacks. With fake and parody accounts easily made, it opens up a whole new avenue for threat actors to create successful phishing, BEC, and deepfake attacks against intended targets. Attackers may use multiple tactics in conjunction to increase their chances of success.
You can expect SAT vendors to incorporate social media scams into their content, with a focus on why users should approach both work and personal social media accounts with caution.
As tech and security solutions adapt and advance throughout 2023, you can be sure that threat actors won’t be far behind. As technology gets ever more advanced, it can be harder for your users to spot threats, so they need to be trained as well as possible. In the case of deepfakes, with advanced AI it’s getting harder and harder for end users to tell the difference between real content and fraudulent material.
In a global poll by iProov, it was found that 43% of respondents didn’t think they would be able to tell the difference between a deepfake and a real image or video. And it’s not just advancing AI, users are still regularly falling for phishing and WhatsApp scams, which are becoming more targeted and more specific. With old attacks continuing to work, and new threats emerging, the number of ways you can be attacked is only increasing.
While it might seem like beating against an unstoppable tide, having a strong SAT programme in place is an effective and relatively simple solution. It is critical in safeguarding your users as best as possible against many forms of attacks, with your users often being the last line of defense.
Good SAT solutions will include a wide range of important and broad topics to educate your users. The very best solutions will continually add content as the threat landscape changes and adapts.
With that in mind, we’ve compiled a list of the best SAT solutions currently on the market for you to consider: