December 03, 2018 by The GLS Team
The holiday season is a difficult time to enforce information security best practices. Employees get distracted byholiday shopping and activities, and holiday leave can cause gaps in regular training. Unfortunately, the period between Thanksgiving and Christmas is also one of the busiest times for cyber criminals--especially when it comes to phishing.
Increased email volume combined with time off around the holidays can create a perfect storm for phishing attacks. A full inbox can lead to hurried decisions and poor choices when it comes to link-clicking -- at home and at work. Even if your training regimen slows down in November and December, you can help keep employees safe from the most common phishing threats by passing along information in this post.
Hackers take advantage of consumers by promising great deals and counting on shoppers’ tendencies to relinquish common sense for the sake of a bargain. There are two major categories of retail-oriented phishing attacks:
More sophisticated: Some hackers will pose as real companies, either by hacking the company or simply by borrowing their branding and a similar URL
Less sophisticated: These attacks come from made-up brands or retailers with an amazing, time-sensitive deal
Both types of attack encourage clicking and lead to bogus sites that may request personal or credit card information, or install dangerous malware on the user’s computer.
Helping Employees Tell the Difference
The good news is that these personal phishing attacks can be detected with the same cyber hygiene practices as workplace attacks. Recipients just need to slow down and think before they click. Here are some classic telltale signs:
Suspicious domain names. If a phishing email is mimicking a real company, the domain might be misspelled or slightly altered. Roll over the sender’s email address to see the originating domain and compare it to the known domain of the company.
Lack of contact information. Phishing emails often don’t contain contact information or the fine print you would expect in a legitimate message. Even good fakes will likely be missing something. Look carefully, and delete any email that doesn’t give you adequate information about what it’s for or who it’s coming from.
Urgency. Phishing emails usually demand immediate action from recipients and create a sense of urgency or threaten dire consequences. If the email is threatening or withholds information about the deal’s timeframe, that’s a bad sign.
Too good to be true. If the deal is over the top, or even just feels unlikely, be wary. While many companies do offer legitimate deals during the holidays, hackers utilize this technique to encourage clicks.
In general, verify the information in any email outside of the email itself. Visit the established company website and look for the deal there. If you’re not familiar with the company, search for it online and see whether it’s a legit business.
Retail scams are not the only type of phishing email you or your employees might receive this time of year. Hackers also take advantage of a generous holiday spirit to reel in unsuspecting victims. According to CNBC, scammers are use phishing emails to con users into giving money to phony charities. As with other phishing emails, independently verify the so-called charity rather than clicking the link in the email. Be similarly careful if you receive an email from FedEx or UPS--those could also be scams, promising shipping information or updates if you click an embedded link.
The hectic holidays are not the time to stop using good cyber sense, no matter how stressed you may be or how good the deal seems. Taking the time to spot the phish could keep you from getting into some big holiday trouble. You’ll probably find that it’s worth it.
Contact a GLS representative to learn more about courses we offer on personal cybersecurity and how you can keep your employees safe from online threats at home and at work.
November 19, 2018 by The GLS Team
The month between Black Friday and Christmas is, by far, the busiest shopping month of the year. Shoppers flood brick-and-mortar stores as well as online marketplaces to shop for holiday presents and take advantage of great deals. Generally speaking, this jump in commerce boosts the economy and creates happy shoppers and happy retailers--but it comes with dangers. Credit card fraud is a huge risk around the holidays, as increased shopping traffic--both in-person and online--creates unprecedented opportunities for hackers. So, how can shoppers and retailers stay protected?
As a shopper, be wary of where you use your credit card, especially when shopping online. Most major online stores are well-protected and designed to keep your credit card information secure. These sites are usually marked by a “lock” icon in the search bar, as well as an “https” in the URL, which indicates a secured site. Many retail sites will also indicate that credit card data is being encrypted, which helps prevent it from being accessed by hackers. NEVER enter credit card data on a site that has only “http” in the URL, rather than “https”--those sites are not secure and put your data at serious risk.
The same basic idea applies to physical stores. Hackers have tricky ways of infiltrating POS systems and can place tiny devices on card readers that export data pulled from the magnetic strip. Bigger retailers are more likely to have processes in place to monitor data transfer and ensure that your card information stays safe, while smaller retailers may not have the same safeguards. Be careful where you swipe, and remember that machines with chip readers are generally more secure.
When in doubt, don’t risk credit card fraud. If you’re not entirely sure that the site you’re visiting is safe, go somewhere else. The same goes for shopping in person. If something seems off or the store doesn’t seem to be using an up-to-date system, use cash or shop elsewhere. As consumers, it’s our right--and responsibility--to demand certain standards for credit card processing. If retailers aren’t following those standards, it’s in everyone’s best interest to avoid those stores and take our business somewhere else.
The flip side of the credit card safety coin is, of course, safe retailing. If your business handles credit cards in any capacity, you must be up-to-date on current standards and update your devices as necessary. If haven’t implemented Payment Card Industry Data Security Standard (PCI DSS) training, that’s a great place to start.
PCI training instructs employees in proper practices for handling credit cards, including encryption, tracking access to card data, and developing secure applications. Many companies are required to be PCI DSS compliant and may need to provide proof of training, but either way, implementing PCI DSS standards is crucial to maintaining a good relationship between your company and the individuals that trust you with their cards. They’ll be assured that they can safely do business with you, and you’ll be confident that no data will be compromised during card transactions.
During the busy holiday season it’s crucial that everyone involved with credit card transactions understands what’s at stake and how to protect card data. In many ways, credit cards make shopping nearly effortless both online and in person, but using them carelessly can leave the door wide open for a financial nightmare or a major data breach. Raising awareness that the PCI DSS standards exist, and that consumers can and should insist that the businesses they shop with adhere to them, will gradually discourage poor security and make credit card hacks more difficult to pull off. Talk about happy holiday shopping.
November 16, 2018 by The GLS Team
Washington, DC | November 16, 2018 – Global Learning Systems (GLS), a leading provider of security awareness and compliance training programs, today announced it has been positioned by Gartner, Inc. in the “Challengers” Quadrant of the Magic Quadrant for Security Awareness Computer-based Training. This marks the fourth consecutive year GLS has been recognized in this arena based on its completeness of vision and ability to execute.
Achieving a position in the Gartner Magic Quadrant serves as an objective reference for organizations seeking vendors that will meet their security awareness training needs. Meeting the objectives set by Gartner can demonstrate that a vendor’s offering is tailored to the real needs of the market.
“We consider our positioning in the Security Awareness Computer-based Training Magic Quadrant for the fourth consecutive year as a testament to the strength of our commitment to helping organizations secure their greatest asset—their people,” said Larry Cates, CEO of GLS. “Our clients turn to us year after year for innovative security awareness programs that engage learners, reinforce cyber safe behaviors and protect the organization. And, incidentally, that don’t break the bank.”
Global Learning Systems recently launched its new Human Firewall 2.0™ program to provide a flexible and extensible framework for security awareness training. With this framework, customers assess learners’ knowledge and select topic-specific program blocks accordingly. Each block contains the training and reinforcement materials needed to make a lasting impact on behavior. GLS specialists provide strategy and guidance throughout an organization’s security awareness journey to ensure the program is targeted and effective.
According to Amy Holloway, GLS’ Director of Product, “We believe it’s this kind of approach that’s kept us in the Gartner Magic Quadrant for four years. We’re constantly adapting our product to meet evolving threats, while recognizing that clients want choices and high-touch service as they implement their multi-year training plans.”
To receive a copy of the report, visit https://marketing.globallearningsystems.com/acton/media/33014/gartner-2018mq
November 14, 2018 by Amy Holloway
In 2018, being mindful of diversity and disability when making hiring decisions is more important than ever. According to the 2017 Disability Equality Index (DEI) survey , “U.S. businesses are becoming increasingly accessible for people with disabilities.” The survey analyzes companies’ engagement with, and recruitment of individuals with disabilities. Of the 110 companies that participated in 2017, 68 earned a 100% rating in recruitment and engagement efforts of people with disabilities; but 110 companies is a very limited sample. If your organization were surveyed, how would you rate? What initiatives have you taken to ensure that you’re not only offering jobs to differently-abled employees, but taking their unique needs into account day-to-day? A good place to begin designing an inclusion program is with Section 508 compliance.
Section 508 is an amendment to the Rehabilitation Act of 1973, requiring that all federal agencies provide accessible “electronic and information technology” (including web-based training) to their employees. The Act also provides a great baseline for any organization. By following Section 508 compliance standards, companies can ensure that all employees have access to resources that meet their needs. Compliant security awareness training, for example, is designed to be useful and effective for users with a variety of disabilities, and contains multiple special aids so that all users can understand and interact with the material presented.
What’s the first step? First of all, determine whether you are required by law to provide 508-compliant training. If you are part of a federal agency, you are. Doing business with a federal agency also requires you to be compliant. If you are required to be compliant, realize that you may also be required to prove compliance, and that many types of hardware, software, and content fall under the umbrella of 508 compliance.
If you are not required to be compliant, it may benefit your organization to make the effort anyway. Begin by deciding which aspects of applications and resources you use can be made accessible. Since security awareness training is frequently deployed company-wide and directly impacts organizational security, it’s a great starting point. And, while providing every security course in a 508-compliant format may not be possible, determining key topics to cover in a more accessible format is also more than worthwhile.
To aid in this effort, GLS offers 508-compliant versions of some of our most popular courses, including Security Awareness Essentials Challenge (our comprehensive core course) and our topical Best Practices Modules. These courses contain the same information and retain the same basic format as the standard versions, but, among other features, have been designed in a text-based format for the hearing impaired and optimized to work with screen readers for the vision-impaired. The courses have been confirmed 508-compliant by the Voluntary Product Accessibility Template (VPAT).
Regardless of your organization’s compliance needs, accessible resources are an important element to creating a favorable and non-discriminatory work environment. Providing all employees with the tools they need to thrive at work should be a top priority, not just an afterthought ━ and supplying and encouraging the use of 508-compliant security awareness training is a great place to start.
Contact your Account Representative or visit our website to learn more about how GLS can assist you in your compliance efforts.
November 07, 2018 by Joe Williams
Security awareness training (SAT) can be thought of like a fitness program. Just as you would consider different exercises for your strength training or aerobic goals, there are many factors to consider when planning your SAT program each year -- and your choices should reflect your organization’s current needs, goals and vulnerabilities. Whether you’re just starting a fitness program, (or a SAT program for your company) or you’re a veteran of annual planning, you should never stop thinking about what will sharpen and strengthen your training program from year to year.
In my recent webinar, I discussed “6 Critical Elements for a Successful Security Awareness Training Plan.” In this post, I’ll take a closer look at two of those considerations: aligning your program with your audience; and measuring your success.
Align Training to Your Users’ Needs
While a general cyber awareness course will benefit the entire organization, some members of your workforce will require more training, or different training, than others. Highly-specialized positions typically need in-depth, role-based training courses that speak to the particular challenges of their jobs. This is especially true for developers as they design the applications that will potentially come under attack. Training on concepts such as the OWASP Top 10 risks can help mitigate these threats. Whatever the roles may be, a security awareness program that provides specialized content will be more successful at creating and maintaining security organization-wide.
In any educational scenario, it’s important to gauge how much students are learning and how much they’re improving from year to year. Awareness training is no different, so you may want to determine:
- Which topics have been the most sticky?
- Does a particular type or style of course have more effect on users?
- Are there trickier subjects that users just need more exposure to?
Answering these questions will help you understand where your program currently stands and where it needs to go. But how to go about it? Assessments are key. Regular assessments not only allow you to adjust your program from year to year, but also to alter courseware or provide remedial training midway through the year, which could mean saving your users valuable time and strengthening weak spots before they cause a problem.
Mix it Up
As with any kind of education, variety is key. If your training load is looking heavy, consider mixing courses with gamified content and simulations for extra reinforcement. As an example, an anti-phishing course first gives users basic information and instruction, and the subsequent simulation enhances that knowledge by putting it to the (very realistic) test. Elements like games serve a similar purpose--they work to cement material by engaging different parts of the brain and reinforcing concepts through different pathways.
Coming back to our physical fitness metaphor, one session at the gym won’t yield lasting results, and neither will a single security awareness training course. To achieve meaningful outcomes, it will take a variety of exercises, repetition and a willingness to honestly measure progress. Listen to my recent webinar for more information on building your security awareness strength training program.
For ideas on how to strengthen and reinvigorate your annual program, please contact us. Our dedicated Solutions Architects would be more than happy to work with you.