Wed, August 23, 2017

Compliance Training Blog

Security is everyone's responsibility

How Your Business Can Benefit From SecureGenius™

Keeping your sensitive data safe from hackers and internal threats is one of your top concerns in running your business. Even if you have skilled and conscientious employees and a training program in place, they still need to be kept up to date on security skills. A workplace that has regular training and education opportunities also fosters a culture of learning which helps make your organization more competitive and innovative. For security purposes, key concepts should also be covered at least once or twice a year. But you don't have all the time in the world to retrain employees on your own, or have middle management take time out for assessment and training of skills gaps. If your business is home to a great deal of data that needs to be kept secure at all times, SecureGenius™ is the solution for turning all of your employees into a Human Firewall®.

Why You Need Periodic Security Skills Assessments Through SecureGenius™

  • More acute awareness of mitigating enterprise risk. Risk management is one of the primary goals of IT and information security skills assessment. Technological and regulatory risk changes so much in the course of just a year. Since SecureGenius™ trains your employees multiple times throughout the year, we educate your best and brightest to stay one step ahead of hackers.

  • Efficient and tailored education solution for employees of all skills levels. When setting up training programs in-house or using a "pre-packaged" outsourced training module, the material may be too prefabricated for all of your employees' skills levels and needs. With the SecureGenius™ on-demand library, you can customize your training program based on skills gaps or other criteria.

  • Our experts can design a training plan for you after assessing your staff. You may be unsure what an information security assessment should contain and what type of assessment is best for your organization. We create and manage the plan for you so that you and your management team can focus on running and growing your organization. Whether you need a general user or role-based training, our instructional design team can create a custom SecureGenius™ plan at any stage of the training cycle that best fits your organization's needs.

  • SecureGenius™ isn't just a test. Once one of your employees completes an assessment, they can immediately view the results and get links to related educational content based on the areas they tested poorly on. Because they receive a visual cue right away, your employees can immediately follow up on addressing these skills gaps.

  • SecureGenius™ works at any point in the training cycle. SecureGenius™ assessments can be done prior to any training to determine security awareness knowledge and tailor the program to your organization's needs. Our assessments can also be done within the training program to gauge skills gaps and how they are affecting your staff's knowledge and awareness. SecureGenius™ assessments can also serve as a "final exam" at the end of the training cycle to demonstrate that your staff has increased their knowledge of security best practices.

Whether you need a year-round information security update solution, one-time refresher courses and video training, or onboarding assessments, Global Learning Systems has the right solution for you. Call us today to see what SecureGenius™ can do for your business and have peace of mind that your employees are receiving quality security awareness education.


Damage Control After Your Personal Data Has Been Compromised

Data breaches don't just affect people who are careless with passwords or fall victim to phishing scams. With the rash of large-scale breaches today, it has unfortunately become easy for your personal data to be compromised without you even having to do anything. Even if you go out of your way to keep your information secure, you have zero control over hackers massively ripping off large organizations that must safeguard the vast amounts of data they hold. This is especially true of organizations that do not provide devices to employees and have a BYOD (Bring Your Own Device) policy.

You can check with Privacy Rights Clearinghouse to find out if you were inadvertently victimized by hackers and take action. You want to make a damage control plan before your data gets compromised, so that you don't have to panic if a breach does take place. Here's what you need to do:

Change your passwords immediately.

The same goes for PINs and security codes. If you have "pet passwords" that match or are similar to the one used on the compromised account, change them immediately.

You should also enable two-factor authentication on as many of your accounts as possible. If you were already using two-factor authentication, which is commonly a second password or code, make sure that the second factor has also been changed and that you also aren't applying the pet password principle to it across your accounts.

Be mindful of communications from the organization that was breached recently.

There are many phishing attempts that are made to look real, and cyber criminals are ruthless. They may send emails containing malware, further attempts to get more personal information, or even ransomware. Beware of texts and calls from unknown numbers, as these are also usually related phishing attempts. The real organization will likely follow up with you about the breach from a verifiable phone number or email domain.

Open up communications with the organization yourself.

You should contact the breached organization directly. Don't wait for them to come to you. Find out the extent of the damage and what their information security department's course of action will be. They may have additional instructions on what to do next. However, you should also try to find out what kind of information was stolen. Even if they tell you it was encrypted, don't trust this claim because the hackers already have that information.

File reports with the local police and the Federal Trade Commission, but wait until you have more information.

Your first instinct may be to file these reports right away. But your reports need to include the extent of the damages and every single incident, and the compromised organization might not have this information right away. If you decide to file these reports, take note of everything you do as well as everyone you speak to.

Keep a watchful eye on your credit report as well as your snail mail and email.

Hackers may have tried to open a credit card in your name and you should be wary of anything that seems off with notices in the mail and your email. It can be tempting to just report those messages as spam or group credit card notices with junk mail, but once you're aware of the breach you should immediately check your credit report. Contact the credit bureaus to put a fraud alert on your file.

Global Learning Systems can educate you and your employees on data breach prevention and other best practices for security, as well as what to do in the event of a large-scale data breach. Our instructors are one step ahead of hackers so that you can be as well. Contact us today!


Workplace Anti-harassment Courses

Businesses are faced with an epic challenge – making the workplace comfortable and safe for all, but how? What is the definition of a hostile work environment? It is a difficult concept to define because it is subjective. What feels like harassment to one person may seem harmless to the next.

Legally, the harassment must be severe enough to change the conditions of the victim’s employment, according to FindLaw, either by making them want to quit or by requiring certain behavior to stay employed.

It boils down to getting everyone on the same page when it comes to behavior, so there are clear boundaries and training modules based on them. Consider some concepts you need to address when looking to educate staff about workplace harassment.

How to Avoid Workplace Harassment?

Approach workplace harassment the same way you do any safety and security issue – by establishing written policies to address it. Use various scenarios to outline bad behavior and reinforce the company's written policy statements, while providing guidance that helps avoid these issues, such as:

  • Objecting to harassment immediately

  • Understanding that saying no is the appropriate response to unwelcome advances. Ignoring that response is considered harassment.

  • Being aware and accountable for your own behavior.

  • Avoiding jokes or words that are discriminatory.

  • Understanding the value of diversity.

Harassment avoidance is as much about what you see as it is what you do. Bystanders should understand how to support colleagues that are victims of harassment, as well.

How to Prevent Workplace Harassment

The U.S. Equal Employment Opportunity Commission calls prevention the best tool to eliminate harassment problems. As part of compliance training, ask each employee to sign a statement saying they are accountable for their behavior at work and they understand the company's no-tolerance rules.

Set up a clear path employees can use to report bad behavior, as well. This will encourage them to ask for assistance if necessary. If a violation does occur, management should act immediately as a deterrent to further incidents and retaliation.

How Should Businesses Address Workplace Harassment

Employers have a legal obligation to investigate complaints of harassment, but where do you start? Assign someone on staff to take charge of complaints, then invest in some professional workplace security and management training for this person.

Part of the process will include developing clear protocols for these investigations:

  • Who should they talk to

  • What questions are okay to ask

  • How to reassure the complainant and protect them from retaliatory harassment

  • How to address the person accused of the behavior

  • How to corroborate complaints and spot contradictions

The investigation strategy should cover documentation, as well. What needs to be put in writing, and how is that documentation kept private? Documenting both the complaint and the investigation is critical in case there is further legal action taken by either party.

Once the investigation is complete, the company should lay out a plan for acting on that information such as who will make the final decision on what to do about the complaint.

How to Deal with the Aftermath of a Harassment Complaint

The investigation is complete and action is taken, so what now? It is important for the company to respect the privacy of both people involved in the incident. Secure the documentation and advise all parties involved not to discuss what happened. Review your harassment training program to ensure the scenario is covered and that you have a written policy in place that applies to it.

Consider hiring professionals like Global Learning Systems to create and customize harassment training modules that cover all the bases. Give them a call to find out more about diverse learning tools and to see a demo of their training platform.


What To Do After a Phishing Attack

Phishing scams meant to hit up your email for credit card information, your Social Security number, and other sensitive data may seem like a known threat. But phishing scams are only getting more sophisticated as time goes on and it's unfortunately too easy to fall victim. You should contact credit bureaus and credit card issuers as well as change login information on accounts to take precautions. However, phishing prevention needs to go a lot deeper especially in larger organizations.

Here's what you need to do if one of your employees accidentally clicked a phishing link or opened a suspicious attachment.

Steps to Take After You Have Been Hit By a Phishing Attack

  • Activate IR Procedures: It's go time for your IR procedures. Once you've realized that phishing actually took place, you'll need to determine the who, what, when, and where of the incident.

  • Obtain a Copy: Copy the email message in full. This includes headers, attachments, routing information, and IP address. Don't leave any text out.

  • Mine for Web Threats: Examine the URLs, domains, and IP addresses linked to the email. You can easily look them up in IPVoid and VirusTotal. Don't neglect to put the IP address in quotes when searching for it so you don't accidentally go to a malicious site.

  • Talk to Clickers: Ask the user who clicked the malicious link what they saw, what happened when they clicked it, and whether they noticed anything out of place.

  • Adjust Perimeter Email Filters: You want to prevent this same attack from striking again, so search carefully for attributes in that email you can filter on that are likely to remain static. Subject lines and From fields will change, but a regex matching the attributes that stay constant across variants is less likely to need immediate adjustment.

  • Start Searching: Pore over your firewall logs for all suspicious URLs and IPs from the email, the attachment, and anything else the attachment left behind. Go through your DNS logs and see if any host on your network did lookups on the IPs associated with the phish. DHCP logs should tell you which workstation was involved.

  • Review Proxy: If you use a proxy, examine the logs to see if any other users accessed the phish or other suspicious URLs. If you log outbound firewall requests, check for the IP address of the server that the malicious site is running on.

  • Review Mail: Which users received the suspicious email? Check the mail server logs. Scope out the source IP, from and subject lines, attachment name, and other information.

  • Review DNS: Import your DNS logs into Splunk and run queries on them to determine which one of your hosts did lookups on any malicious domains that come up.

  • Ensure Logs are Retained: Make sure that your logs haven't rotated off. This goes for DNS, firewall, proxy, DHCP, and other logs. Save these logs in the event you need to take them to court.

  • Make an Example Out of It: Use this phishing attack as a learning experience. Demonstrate to your employees that this is what happens if they are careless when clicking on attachments or don't examine emails carefully. But you also need to make them feel like there's no shame in reporting the incident if something does happen.

  • Clean up and apply spam filters: Change the affected users' passwords even if you don't think anything happened. Better safe than sorry. If a user's credentials were definitely compromised, an attacker can easily return using legitimate access methods. Remember to monitor the accounts of impacted users for a while after the incident.
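The "Start Searching" and "Review DNS" steps above boil down to one correlation: which internal hosts resolved the phishing domain, and which workstation held each of those IPs at the time. The script below is an added example, not part of the original post or a Global Learning Systems tool; it runs over constructed BIND-style query log lines and ISC dhcpd lease lines, matches an indicator domain and its subdomains (as a label match, not a substring match), and handles a lease that carries no hostname. The domain, IPs, MACs and hostnames are all placeholders.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines (sample data, not from any real network).
DNS_LOG = """\
23-Aug-2017 09:14:02.113 queries: info: client 10.0.5.23#51234: query: login-example-bank.test IN A + (10.0.0.53)
23-Aug-2017 09:14:09.820 queries: info: client 10.0.5.41#40011: query: www.example.com IN A + (10.0.0.53)
23-Aug-2017 09:15:30.004 queries: info: client 10.0.5.23#51240: query: cdn.login-example-bank.test IN A + (10.0.0.53)
23-Aug-2017 09:21:11.550 queries: info: client 10.0.5.77#33921: query: login-example-bank.test IN A + (10.0.0.53)
"""
# Constructed ISC dhcpd syslog lines; the third lease carries no client hostname.
DHCP_LOG = """\
Aug 23 08:02:11 dhcp dhcpd: DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (WS-FINANCE-07) via eth0
Aug 23 08:05:47 dhcp dhcpd: DHCPACK on 10.0.5.41 to 00:11:22:33:44:66 (WS-SALES-02) via eth0
Aug 23 08:40:03 dhcp dhcpd: DHCPACK on 10.0.5.77 to 00:11:22:33:44:77 via eth0
"""
# Placeholder indicator domain taken from the (hypothetical) phishing email.
IOC_DOMAINS = {"login-example-bank.test"}

DNS_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN")
DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]+)\))?")

def matches_ioc(qname, iocs):
    """True if qname is an indicator domain or any subdomain of one (label match, not substring)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in iocs)

def dhcp_leases(log):
    """Map client IP -> (MAC, hostname) from DHCPACK lines; the last ACK for an IP wins.
    A real investigation should also check that the lease was active at the time of the DNS query."""
    leases = {}
    for m in DHCP_RE.finditer(log):
        leases[m["ip"]] = (m["mac"], m["host"] or "unknown-hostname")
    return leases

def find_clickers(dns_log, dhcp_log, iocs):
    """Return {client_ip: {"hostname", "mac", "queries"}} for every host that resolved an IOC domain."""
    leases = dhcp_leases(dhcp_log)
    hits = defaultdict(lambda: {"queries": []})
    for m in DNS_RE.finditer(dns_log):
        if matches_ioc(m["qname"], iocs):
            mac, host = leases.get(m["ip"], ("unknown-mac", "unknown-hostname"))
            hits[m["ip"]].update(mac=mac, hostname=host)
            hits[m["ip"]]["queries"].append(m["qname"])
    return dict(hits)

if __name__ == "__main__":
    for ip, info in find_clickers(DNS_LOG, DHCP_LOG, IOC_DOMAINS).items():
        print(f"{ip} ({info['hostname']}, {info['mac']}) resolved: {', '.join(info['queries'])}")
```

The resulting host list is the scope for the "Talk to Clickers", "Review Proxy" and password-reset steps, and the unmatched 10.0.5.41 query shows why the match has to be on whole labels rather than a substring.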

PhishTrain is the ideal training for helping you and your employees stay ahead of cybercriminals ready to smack down your defenses. Talk to Global Learning Systems today to learn more about our comprehensive cybersecurity programs!
