Security Awareness Training

• Detect and fend off phishing & ransomware
• Detect and fend off social engineering
• Understanding viruses & Trojans
• Secure handling of passwords
• Secure handling of mobile devices
• Approved and forbidden cloud services
• Dealing with sensitive information (information classification)
• Dealing with visitors
• Secure workplace (clean desk, clear screen, etc.)
• Working securely in the home office

• Incident reporting procedures

   

For users, the immediate impact on everyday work is not dramatic. Locking the computer, reporting suspicious emails via the reporting button or throwing documents into a data container instead of the trash... all these are only a few seconds of additional effort.

That's why security awareness training for users can often be tool-supported via e-learning or phishing simulations.
Security awareness trainings for users are usually designed over several years and therefore integrated into a security awareness campaign.

Security awareness training for users and managers

Managers are also users. Therefore, they basically receive all content for users.

However, executives are also information owners, decision makers and role models. Therefore, they need additional messages in a security awareness training:

• How does cyber security work in the company? Including an overview of the ISMS rules and regulations.
• What is the role and responsibility of an information owner (risk assessment, information classification, control obligations)?

• What influence does the role model function have on the behavior of users and thus on the security of the company? 

   

The pure user topics are, as with all users, just moderately annoying, even for executives. These are usually trained accordingly on a tool basis.

However, it is much more difficult to convey to a manager his or her responsibility as an information owner. A risk analysis of the own area, regular controls of permissions... such topics cannot be done in passing. And since managers usually cannot complain about a lack of workload, such additional tasks are emotionally quite unpopular.

A simple "You're in charge" understandably often leads to a "Yes, yes, keep talking" reaction. Security is associated in a correspondingly negative way, which leads in turn to a very negative impact on the role model function.  

Leaders need to experience personal involvement and insight in order to understand their role and responsibility. Therefore, we are convinced that security awareness trainings for executives only work face-to-face (in presence or virtually).

Security Awareness Training for users and managers

• The fundamental importance of hardening and patching for effective protection.
• Understanding the "Defense in Depth" approach, with security zones and role-based access.
• Secure handling of privileged accounts.
• Sense and benefit of Vulnerability Management.
• The importance of central logging for the detection of attacks.
• The importance of error messages for the detection of attacks.

• Which system anomalies indicate an attack.
  How to behave in incident response.

   

"What? One or even several accounts for each system, depending on the use case? And each account has its own password? And patching within days? Are you guys nuts? Do you even know how I work?"

IT administrators have a massive impact on a company's cyber security with their behaviour. Due to their privileged accounts even more than users. However, they are usually not even aware of the correlation between successful cyber attacks and their own behaviour. In addition, this target group is increasingly exposed to "dangerous security half-knowledge" from IT forums and communities, which cements this behaviour and makes it much more difficult to initiate change.

Changing this behaviour, however, has a very large impact on everyday work. It becomes more complicated. Security awareness training for IT administrators must therefore first create understanding and insight for this change in behaviour, otherwise the appeals will not be heard. Cyber Security LAB E-Learnings create exactly this basis.

Security Awareness Training for Administrators

• The objectives and principles of cyber security
• The phases of the Secure Development Lifecycle
• The benefits of threat modeling in the design phase
• Common mistakes in implementation:
  • Input validation
  • Authorization
  • Authentication
  • Handling secrets in development
  • Logging
• The benefit of code reviews and penetration tests in the validation phase
• The importance of secure configuration and clarification of responsibilities

• Measures for the secure de-commissioning of software

   

Secure Development and Secure Coding means a significant change for software developers. Developers prefer to write code and security hinders them in doing so. Starting with design topics such as risk assessment and threat modeling is not exactly "sexy" in their eyes and slows down the development process. The same applies to code analysis and fixing pentest findings.

On the other hand, developers can create serious vulnerabilities through bugs in their software that can be exploited for global attacks (Solarwinds, Kaseya, Log4shell, the list is long).

Secure Development changes the daily work for developers as massively as Secure Administration does for administrators. There are things coming up that you haven't exactly been waiting for. Security awareness training for software developers must therefore first create understanding and insight for a change in behaviour, otherwise the appeals will go unheard and the vulnerabilities will remain. Cyber Security LAB E-Learnings create exactly this basis.

Security Awareness Trainings for Developers