Improving Security Training

What Doesn't Work

  • Do Nothing and Hope for the Best - Only about one in five organizations admit to this as their "strategy" against the rise of phishing. But the actual number is probably much higher.
  • Break Room Training - About 30% of organizations favor the break room approach. They gather as many employees as they can in the break room, provide lunch and have someone from IT or a security expert lecture on topics such as phishing, spear-phishing, and whaling. This is certainly better than nothing, but often attendance is low and most of the audience looks upon the event as a time to make some headway on their email backlog.  
  • Monthly Security Videos - This can be done informally with videos made available via email or placed on the website for employees to view, or formally via mandatory classes. These short clips educate users on the perils of promiscuous clicking and on the many snares used by phishers to reel in unsuspecting employees. About one in four organizations gravitate towards this method. At best, this can be categorized as being little more than a superficial training program. On its own, it can’t be expected to do much to diminish the risk of a data breach. It also causes training fragmentation because important topics are covered months too late.
  • Phishing Tests - This approach pre-selects high-risk employees only and sends them simulated phishing emails to see how many fall victim to the attack. This is typically paired with some kind of educational module such as links to training modules for offenders as well as short videos to view to increase awareness. The plus of this method is that it offers some kind of metric about phishing. The minus is that employees soon get wise to it and "prairie dogging" begins to happen – an employee sees a phishing test email and pops his or her head up above the cubicle to let the others know to watch out for it. This approach, then, is both limited and too simplistic.

What Works

  • Comprehensive Programs Work - Most security awareness programs are superficial at best. They may include some sensible actions, but they don't dovetail into a coordinated and comprehensive program. What is missing is an appreciation of the adversary being faced and the degree of commitment an organization has to have to stave off attacks. It is vital that the C-suite comes to terms with the extent of the threat and the sheer weight of resources the enemy is bringing to bear against naive employees. Only by doing so is it possible for C-level executives to comprehend the measures that must be taken to secure the enterprise and the vital necessity of erecting a human firewall of informed and ever-vigilant users. The crux of this best practice is having an awareness of the scale of the problem and the resources necessary to defend against it.
  • Develop a Coordinated Campaign Combining Training and Phishing Simulation - Training alone, usually once a year, is not enough. Simulated phishing of staff alone does not work. But together, they can be combined to greatly increase effectiveness. An important best practice is to intelligently integrate these components into an overall campaign. The best way to achieve this is to find a platform that integrates simulated phishing and security training.
  • Baseline Phishing Susceptibility - Security awareness training can be undermined due to difficulty in measuring its impact. How exactly are you supposed to prove that it obtains results? All it takes is one fresh outbreak and someone in authority can point to the event as evidence that such training dollars would be better spent elsewhere.

    This is where the baseline comes into play. It is vital to establish a baseline on phishing click-through rates so you know the percentage of users who open malicious emails prior to the start of the awareness training campaign. This is easily accomplished. Send a simulated phishing email to a random sample of personnel to find out how many are tricked into opening an attachment, clicking on a link or entering sensitive information. This is your baseline phish-prone percentage. This metric can later be used to determine how effective the campaign is. Further, it provides specific numbers that can prove useful during the purchase order approval process.
  • Gain Executive and IT Buy-In - To be effective, top executives and IT managers must be onboard. Thus extensive briefings before and during a training program are a must. Briefings are needed in advance to accomplish finance approval, but it should never end there. Prior to beginning a phishing simulation project, communicate to executives and iron out all political or sensitive issues in advance. This should include HR, Legal, and union representatives where applicable. Otherwise, such campaigns may be unjustly accused of targeting specific employees, undermining morale, or discriminating against certain groups. Only by keeping all interested parties involved, listening to their concerns, and addressing their needs can the campaign hope to succeed. In some organizations, there may be pressure to inform employees that a simulated phishing campaign is about to be launched. In those cases, where staff is forewarned, the effectiveness of the campaign is significantly reduced.

    Another aspect of this best practice is to inform executives about baseline phishing numbers so they are more aware of the extent of the problem and the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results. Showcase all drops in phishing effectiveness as a way to demonstrate the value of the program.
  • Conduct Random-Random Phishing Attacks - Earlier, we mentioned prairie dogging, where an employee notices a simulated phishing email and warns the others in the office about it. This phenomenon can even bring about an apparent drop in phishing susceptibility in tests that doesn't translate into the real world. Employees get used to the simulated actions of the campaign, learn to watch out for them every Monday morning, and thereafter continue as normal. What you end up with is a simulated phishing initiative that has little or no impact on employee gullibility.

    This is particularly important when you consider the findings from a study by Proofpoint. It found that no company had a zero click rate from phishing attacks. While repeat clickers account for the majority of clicks on malicious links, 40% of clicks are typically one-off clickers. In other words, even the best and the brightest can be caught unawares and will click on something malicious from time to time. Prairie dogging might allow these rare but occasional phishing victims to develop complacency.

    The way to guard against this is to use what are termed random-random simulated phishing attacks. This Security Awareness Training practice entails the selection of random groups, random schedules, and random phishing education to gain a more accurate estimate of an organization’s likelihood to fall victim to phishing. Instead of sending out the same phishing emails every Monday morning to accounting, every Tuesday at lunch to sales, and every Friday evening to manufacturing, switch the tactics and schedules around by varying the groups and schedules randomly. This eliminates prairie dogging and provides the organization with a real metric they can use to determine effectiveness.
  • Personalized Emails - Personalized emails are more believable. In some cases, this can be as simple as adding the employee's first name. But in large organizations, personalization must be taken further. For example, obtain from payroll the names of the banks used by employees for direct deposit and use that bank name in a phishing campaign. Another tactic is to split phishing emails into groups such as by departments or to tie phishing emails into topical or popular events.
  • Don’t Expect Miracles - With this type of awareness training, phishing victimization rates generally fall from the 10-25% range to about 2%. It appears that getting below that point is extremely difficult. But the continuation of the campaign can keep results at or below that level, which will have a significant impact on the organization. With malware infections caused by phishing minimized, IT is able to contain remaining outbreaks more effectively as there are far fewer of them.

    Due to the dramatic drop in infections, other security measures have a greater chance of success. IT finds itself moving from constant troubleshooting mode to being able to move forward with projects that provide greater strategic value to the organization.
  • Avoid Witch Hunts - A common concern about simulated phishing is that the results could be used in witch hunts. Therefore, don't ever use results in this way or bring them up in annual reviews. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.

    The exception to this comes once the coordinated campaign of training and phishing simulation has brought about marked results. After a prolonged series of simulations and training steps, and once the numbers have bottomed out, companies are likely to find the same small group of repeat offenders. Proofpoint noted that less than 10% of users are responsible for almost all clicks on any given wave of malicious attacks. While Security Awareness Training can push that number down far lower, there will remain a handful of individuals who continue to click despite being given every opportunity to reform.

    By this point, they will have attended several training classes, and received a thorough education on how phishing can fool them. Yet they go on being fooled no matter what remedial steps are taken. Now is the time to involve HR to take up findings with repeat offenders who show no improvement despite several attempts at retraining. To take any possible negative connotation away from 'flunking' simulated phishing tests, it sometimes works to incentivize departments to encourage their staff to complete training or retraining in an effort to achieve a 0% click rate. Those doing so, or scoring below a particular level can be awarded gift cards or other inducements.
  • Continue to Test Employees Regularly - Even when testing confirms that phishing susceptibility has fallen to nominal levels, continue to test employees frequently to determine if anti-phishing training remains effective. The bad guys are always changing the rules, adjusting their tactics, and upgrading their technologies. Therefore, training reinforcement must remain a part of the organizational security arsenal in order to keep pace with constantly evolving threats.
  • Provide Thorough Security Training - Old-school security training favored a lecture or video approach. The problem with this type of training is that it can rapidly become outdated – the security landscape of one year ago is very different from that of today. It also focuses too much on theory and isn’t balanced by practical application. Security Awareness Training is interactive, balances theory and application, is continually updated, and is based upon a thorough insight into how cybercriminals operate. Ideally, it will incorporate the services of an expert hacker who knows all the ways of entering an organization and all the tricks of the phishing trade. It should make sure employees understand the mechanisms of spam, phishing, spear-phishing, malware, ransomware and social engineering, and are able to apply this knowledge in their day-to-day jobs.
    This training should include, but not be limited to:
    • Responsibility for Company Data - Continually emphasize the critical nature of data security and each employee's responsibility to protect company data. You and your employees have a legal and regulatory obligation to respect and protect the privacy of information and its integrity and confidentiality.
    • Document Handling and Reporting Procedures - Employees should be instructed in the data incident reporting procedure in case an employee's computer becomes infected by a virus or behaves abnormally (for example, unexplained errors, slow operation, changes to the desktop configuration, etc.). They should be trained to recognize a legitimate warning or alert message. In these cases, employees should report the incident immediately so that your IT team can take part in mitigating and investigating the threat.
    • Passwords - Train your employees in selecting strong passwords. Passwords should be cryptic so they are not easy to guess, but they should also be easy to remember so they do not need to be written down. Your company's systems should be configured to periodically send employees automatic reminders to change their passwords.
    • Unauthorized Software - Let your employees know that they may not install unlicensed software on any company computer. Unlicensed software downloads could make your company susceptible to malicious software downloads that can attack and corrupt your company's data.
    • Internet Use - Train your employees to avoid emails or online links that are suspicious or from unknown sources. Such links can release malicious software, infect computers and steal company data. Your company also should establish safe browsing rules and limits on employee Internet usage in the workplace.
    • Social Media Policy - Educate your employees about social media and communicate, at a minimum, your policy and guidance on using a company email address to register for, post to, or receive social media.
    • Mobile Devices - Communicate your mobile device policy to your employees for company-owned and personally-owned devices used during the course of business.
    • Protecting Computer Resources - Train your employees to protect their computers from theft by locking them up or keeping them in a secure place. Critical information should be backed up routinely, with the backups stored in a secure location. All of your employees are responsible for accepting updates to the antivirus protection software on company computers.
    • Email - Responsible email usage is the best defense for preventing data theft. Employees should be aware of scams and not respond to emails they do not recognize. Educate your employees to accept only emails that:
      • Come from someone they have received mail from before.
      • Are something they were expecting.
      • Do not look odd, with unusual spellings or characters.
      • Pass their antivirus program's check.
    • Social Engineering and Phishing - Train your employees to recognize common cybercrime and information security risks, including social engineering, online fraud, phishing, and web-browsing risks.
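The baseline phish-prone percentage, the random-random scheduling that defeats prairie dogging, and the late-stage identification of repeat clickers described above can be modelled in a few functions. This is an added example, not code from the original page or from any awareness-training platform; the roster, outcome labels and wave results are constructed sample data.

```python
import random
from datetime import datetime, timedelta

FAIL_OUTCOMES = {"clicked", "opened_attachment", "submitted_data"}

# Constructed roster of (user id, department); hypothetical sample data.
ROSTER = ([(f"acct{i}", "accounting") for i in range(6)]
          + [(f"sales{i}", "sales") for i in range(8)]
          + [(f"mfg{i}", "manufacturing") for i in range(10)])

def random_random_schedule(roster, waves, start, window_days, sample_frac, seed):
    """Random-random plan: each wave goes to a random cross-department sample
    at a random day and hour, so no team learns to expect the test on a fixed day."""
    rng = random.Random(seed)
    size = max(1, round(len(roster) * sample_frac))
    plan = []
    for wave in range(waves):
        targets = sorted(uid for uid, _ in rng.sample(roster, size))
        send_at = start + timedelta(days=rng.randrange(window_days), hours=rng.randrange(8, 18))
        plan.append({"wave": wave, "send_at": send_at, "targets": targets})
    return plan

def is_predictable(plan):
    """True if every wave lands on the same weekday or hits the same target list:
    the 'every Monday morning to accounting' pattern that invites prairie dogging."""
    weekdays = {p["send_at"].weekday() for p in plan}
    target_sets = {tuple(p["targets"]) for p in plan}
    return len(plan) > 1 and (len(weekdays) == 1 or len(target_sets) == 1)

def phish_prone_pct(results):
    """Phish-prone percentage: share of recipients who clicked, opened the
    attachment or entered data. results maps user id -> outcome string."""
    if not results:
        return 0.0
    failed = sum(1 for outcome in results.values() if outcome in FAIL_OUTCOMES)
    return round(100.0 * failed / len(results), 1)

def repeat_failers(wave_results, min_waves=3):
    """Users who failed in at least min_waves waves. Use only after rates have
    bottomed out; routine reporting stays aggregate so results never become a witch hunt."""
    counts = {}
    for results in wave_results:
        for uid, outcome in results.items():
            counts[uid] = counts.get(uid, 0) + (outcome in FAIL_OUTCOMES)
    return sorted(uid for uid, n in counts.items() if n >= min_waves)

# Constructed outcomes for a baseline wave and two post-training waves.
BASELINE = {"acct0": "clicked", "acct1": "ignored", "sales0": "submitted_data", "sales1": "reported", "mfg0": "ignored"}
WAVE2 = {"acct0": "clicked", "acct1": "reported", "sales0": "ignored", "sales1": "reported", "mfg0": "ignored"}
WAVE3 = {"acct0": "opened_attachment", "acct1": "reported", "sales0": "ignored", "sales1": "reported", "mfg0": "ignored"}
```

Comparing `phish_prone_pct(BASELINE)` with later waves gives the drop to show executives, and `is_predictable` is the check to run on any plan before it is sent.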