Fifosys - Social Engineering Awareness Training

SEAT - Fifosys Social Engineering Awareness Training

Cyber-crime is an epidemic and it’s on the rise!

It can be highly profitable for criminals, and they often don't discriminate. In the past, larger organisations were at much greater risk. However, the rise of marketplaces on the dark web has opened up cyber-crime to the "part-time hacker".

As a result, attacks such as spear-phishing and ransomware have become the most common methods of cyber-crime. These attacks prey on the human factor rather than attempting to defeat security hardware or exploit vulnerabilities in systems.

Helping organisations protect against the human factor

The most sophisticated home security system in the world will not protect your home if you give your keys and alarm codes to someone unscrupulous. The same applies to IT and company data. Significant investment can be made in perimeter security, anti-virus and anti-spam measures or proactive threat monitoring, but if a user is tricked into giving their details away or downloading infected files, you are opening the doors to your systems and data.

According to CompTIA’s recent Trends in Information Security study, human error accounts for around 52% of security and data breaches.

Human behaviour is harder to control, and error harder to mitigate, because people inherently want to trust. Error is also difficult to define, as it comes in many forms. Typically it involves actions, decisions or behaviours that threaten business security and can seriously jeopardise the security of your sensitive data.

Cyber criminals are experts at hijacking identities. Some do so by compromising an employee's system via malware or phishing; others use stolen credentials, often gathered from social networks and other websites. In many cases, once an attacker has a foothold in your systems, they can escalate the privileges of the compromised account and reach your more sensitive information.

How can this risk be mitigated?

Fifosys have a comprehensive social engineering awareness training programme designed to reduce the threats associated with social engineering attacks. We evaluate the knowledge level of your current staff by testing them against several social engineering campaigns. We then run through the results with you, working together to prioritise training activities. Training can take the form of short 'bite-size' training videos, online assessments, face-to-face training or a combination of all three. We also provide continuous engagement to maximise uptake and ensure staff are kept up to date with the latest threats.


How does the service work?

  • STAGE 1 – Assess current skill levels

The first step is understanding what level of knowledge your staff currently have about phishing and malware-laden emails. We call this a simulated phishing campaign. Users receive several emails over a set period (normally a few weeks) designed to mimic legitimate sites and services such as Office 365, Dropbox or SAP, and to trick the user into entering login details or running a simulated malware file (these files are safe and pose no threat to your organisation).

  • STAGE 2 – Review Results

Once the initial campaign has run, all of the results are presented and discussed with you. A dashboard shows which users interacted with the simulated emails and what level of interaction they had (i.e. did they click on the link, did they then enter details, how often did they click on the email, etc.).

To give you an idea, the click rate in some industries is as high as 30% and in others as low as 10%. Even at the lower figure, if you are an organisation of 200 users and 20 of them are at risk of handing over their details or infecting your network with malware/ransomware, this poses a significant risk to your organisation.

  • STAGE 3 – Training / Education

Training modules can be rolled out automatically. These can take the form of simple, 'bite-size' educational videos or, for persistent offenders, more advanced online modules after which further testing can be rolled out.

As an alternative to online training, we can provide face-to-face training with security experts or a combination of training methods can be used to tailor to the unique needs of your organisation.

  • STAGE 4 – Users Educated / Ongoing engagement

Once your staff have been educated, the overall risk to your organisation should be reduced. However, this success needs to be measured. In addition, the cyber security landscape is always evolving and new threats emerge continuously. This service is therefore an ongoing engagement: we re-run campaigns periodically throughout the year, measuring your progress and educating users on new threats as they arise.
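The four stages above describe a measurement loop: collect per-user interaction events from a simulated campaign, collapse them into a worst-interaction score and rates, pick a training tier per user, then compare rounds. The following Python is an added illustration of that scoring logic, written for this page; it is not Fifosys' dashboard or any product code. The event types, the training tier names and the "at risk in two or more rounds" rule for persistent offenders are assumptions, and the event list is constructed sample data.

```python
"""Score a simulated phishing campaign from raw per-user interaction events.

Added example, not Fifosys' code. Event names, tier names and the
persistent-offender rule are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Interaction levels ordered from least to most risky. A user is scored on the
# worst level reached, so one "submitted" outranks any number of "opened"s.
LEVELS = ["delivered", "opened", "clicked", "submitted", "attachment_run"]
RANK = {name: i for i, name in enumerate(LEVELS)}
AT_RISK = RANK["clicked"]  # clicked or worse counts as an at-risk user

# Constructed sample events: (campaign_round, user, event). Not real data.
SAMPLE_EVENTS = [
    (1, "alice", "delivered"), (1, "alice", "opened"),
    (1, "alice", "clicked"), (1, "alice", "submitted"),
    (1, "bob", "delivered"), (1, "bob", "opened"),
    (1, "carol", "delivered"), (1, "carol", "clicked"),
    (1, "carol", "clicked"), (1, "carol", "attachment_run"),
    (1, "dave", "delivered"),
    (1, "erin", "delivered"), (1, "erin", "clicked"),
    (2, "alice", "delivered"), (2, "alice", "opened"),
    (2, "bob", "delivered"), (2, "bob", "clicked"),
    (2, "carol", "delivered"), (2, "carol", "clicked"), (2, "carol", "submitted"),
    (2, "dave", "delivered"),
    (2, "erin", "delivered"),
]


@dataclass
class UserResult:
    worst: str = "delivered"  # worst interaction level reached this round
    clicks: int = 0           # how many times the tracking link was followed


def summarise_round(events, round_id):
    """Collapse raw events for one round into a single result per recipient."""
    results = defaultdict(UserResult)
    for rnd, user, ev in events:
        if rnd != round_id:
            continue
        if ev not in RANK:
            raise ValueError(f"unknown event type {ev!r}")
        r = results[user]
        if ev == "clicked":
            r.clicks += 1
        if RANK[ev] > RANK[r.worst]:
            r.worst = ev
    return dict(results)


def rates(results):
    """Return (click_rate, compromise_rate) as fractions of recipients.

    click_rate: users who clicked or worse. compromise_rate: users who
    submitted credentials or ran the simulated malware file.
    """
    n = len(results)
    if n == 0:
        return 0.0, 0.0
    clicked = sum(1 for r in results.values() if RANK[r.worst] >= AT_RISK)
    compromised = sum(1 for r in results.values()
                      if RANK[r.worst] >= RANK["submitted"])
    return clicked / n, compromised / n


def assign_training(history):
    """Map each user's per-round results (oldest first) to a training tier.

    Assumed rule: a compromise in the latest round, or being at risk in two or
    more rounds (a persistent offender), earns the advanced module and retest;
    a single click earns a bite-size video; anything else needs nothing now.
    """
    plan = {}
    for user, rounds in history.items():
        risky_rounds = sum(1 for r in rounds if RANK[r.worst] >= AT_RISK)
        latest = rounds[-1]
        if risky_rounds >= 2 or RANK[latest.worst] >= RANK["submitted"]:
            plan[user] = "advanced module + retest"
        elif RANK[latest.worst] >= AT_RISK:
            plan[user] = "bite-size video"
        else:
            plan[user] = "none"
    return plan


def campaign_report(events):
    """Per-round rates, per-user training plan and the click-rate trend."""
    round_ids = sorted({rnd for rnd, _, _ in events})
    per_round = {rid: summarise_round(events, rid) for rid in round_ids}
    users = sorted({user for _, user, _ in events})
    # Users who received nothing in a round are scored as "delivered" only.
    history = {u: [per_round[rid].get(u, UserResult()) for rid in round_ids]
               for u in users}
    rounds = {}
    for rid in round_ids:
        click, comp = rates(per_round[rid])
        rounds[rid] = {"click_rate": click, "compromise_rate": comp}
    first, last = round_ids[0], round_ids[-1]
    return {
        "rounds": rounds,
        "training": assign_training(history),
        "click_rate_change": rounds[last]["click_rate"] - rounds[first]["click_rate"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(campaign_report(SAMPLE_EVENTS), indent=2))
```

On the sample data the click rate falls from 60% to 40% between rounds while carol, at risk in both rounds, is the one user routed to the advanced module; that per-user history is what a single-round click rate hides, and why the ongoing re-runs in Stage 4 matter more than one campaign's headline number.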

James Moss

Technical Director
