Training & Awareness

IDS, IPS, NIPS, HIPS. Acronyms for hardware and software in the field of information security can be listed all day long without repeating one; however, none of these products addresses the greatest security risk to an organization: its people.

In a 2021 study jointly conducted by Stanford University and firm Tessian (link), participants cited that 9 in 10 data breach incidents were caused by human error.

Breaking this population down further, the study found that over 50 percent of staff between the ages of 18 and 30 make mistakes in the workplace, compared with approximately 10 percent of staff aged 50 and over.

This troubling statistic is a top concern for organizations, as millennials make up the largest generation in the workforce (link).

To account for this threat and reduce its impact on an organization, training is pivotal.

Some compliance regimes require such training, including:

HIPAA (Privacy Rule 45 CFR §164.530) – required for entities with PHI.

A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

PCI DSS (Requirement 12.6) – required for entities storing, processing OR transmitting credit card information.

Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.

Insurance Data Security Law (Section 3.D.5) – required for insurance companies in states adopting the NAIC Insurance Data Security Model Law.

Provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the Licensee in the Risk Assessment.
