Cyber Security Training & Software for Companies | MetaCompliance

Security Awareness Training Best Practices for Privileged Users

The privileged user on a network is so-called because they can access sensitive and often highly confidential resources. If a cybercriminal can compromise the account of a privileged user, they have the keys to the corporate castle.

Research by FINN Partners and Centrify found that in 74% of cases of a data breach, the attack began at the door of a privileged user. Analyst firm, Forrester, sets the rate even higher at 80% of data breaches being associated with privileged credentials.

Whichever figure is the more precise, the point is the same: compromised privileged access is one of the most common routes to a data breach. Security Awareness Training for privileged users is therefore vital.

Here are the best practices to ensure that this training is successful.

Why Privileged User Access Must be Protected Using Security Awareness Training

Privileged users bring a unique level of risk to an organisation. This risk level justifies focusing on this group and building a security awareness campaign that considers the role of the privileged user in a cyber attack.

Cybercriminals target privileged users because of their access rights. But privileged users need those rights to do their jobs, so the access cannot simply be removed: this tension is exactly what makes spear-phishing and other social engineering scams against them so effective.

A single mishap by a privileged user, and bang! The attacker is in the system. Once inside the corporate network, attackers can use a range of techniques and tools to move across it (lateral movement) and to expand their access rights (privilege escalation), locating data and/or installing malware such as ransomware.

Attacks against privileged user accounts usually begin with extensive reconnaissance. The gathered intelligence is used to craft tailored, highly believable spear-phishing emails. According to a recent FBI notice, hybrid work has exacerbated the problem. The notice describes multi-stage attacks against privileged users in which cybercriminals combine reconnaissance, voice phishing over the phone (vishing) and spoofed web pages that capture second-factor authentication codes, allowing them to bypass security measures such as VPNs.

This complex mix of cybercriminal tactics means that technology alone cannot prevent an attack on a privileged account. Security awareness is a must-have to ensure that these users do not inadvertently hand over the corporate keys.

Three Important Best Practices In Privileged User Security Awareness Training

The following three baseline best practices apply when developing a Security Awareness Training package for privileged users:

Recognise Privileged Users as a Superuser Role

Role-based Security Awareness Training is a framework for delivering training tailored to a person's role in the organisation. Why is role-based training a good idea? Cybercriminals adapt their tactics to the target's job: particular roles are singled out for particular types of cyber attack and scam.

For example, someone in accounts payable is an attractive proposition for a cybercriminal wanting to carry out a Business Email Compromise (BEC) scam that tricks an employee into transferring money to the fraudster’s bank account. Someone with privileged access in HR may be targeted to obtain employee information for tax scams.

Privileged users should be seen as a ‘superuser role’ and Security Awareness Training campaigns should be designed to reflect this. From here, you can then develop a tailored package of phishing and social engineering awareness that fits the types of attacks that focus on privileged access users.

Include Social Engineering in Your Security Awareness Training

Social engineering is used to build up a profile of an organisation and of a targeted privileged user so that a cyber attack succeeds. The recent Lapsus$ group intrusions at multiple companies relied heavily on social engineering. A post from Microsoft analysing the attacks explains its importance:

“[The Lapsus$ group] focused their social engineering efforts to gather knowledge about their target’s business operations. Such information includes intimate knowledge about employees, team structures, help desks, crisis response workflows, and supply chain relationships. Examples of these social engineering tactics include spamming a target user with multifactor authentication (MFA) prompts and calling the organization’s help desk to reset a target’s credentials.”

Social engineering takes whatever form the cybercriminal needs to gather this intelligence: social media research, calls to the help desk, general office calls that build a rapport, even visits to an office. Building the profile of a privileged user in readiness for a successful attack may take months of work.

Ensure your privileged users understand the levels that a cybercriminal will go to, in order to make their spear-phishing emails and spoof websites believable.
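The MFA prompt-spamming tactic in the Microsoft quote above (often called MFA fatigue or push bombing) leaves a trace in authentication logs, and that trace is worth showing privileged users and the SOC alike. The detector below is an added example, not code from the original post or from Microsoft. It runs over a few constructed JSON-lines authentication events (the field names ts, user, method, result and ip are assumptions, not any vendor's schema) and flags a user who receives a burst of unapproved push prompts, escalating when an approval follows the burst.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (JSON lines), not real logs.
# "alice" receives a burst of push prompts she rejects, then approves one;
# "bob" has ordinary activity that should not alert. Field names are assumed.
SAMPLE_LOG = """\
{"ts": "2024-03-01T02:14:05Z", "user": "alice", "method": "push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2024-03-01T02:14:41Z", "user": "alice", "method": "push", "result": "timeout",  "ip": "203.0.113.7"}
{"ts": "2024-03-01T02:15:20Z", "user": "alice", "method": "push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2024-03-01T02:16:02Z", "user": "alice", "method": "push", "result": "denied",   "ip": "203.0.113.7"}
{"ts": "2024-03-01T02:17:33Z", "user": "alice", "method": "push", "result": "timeout",  "ip": "203.0.113.7"}
{"ts": "2024-03-01T02:19:10Z", "user": "alice", "method": "push", "result": "approved", "ip": "203.0.113.7"}
{"ts": "2024-03-01T08:01:00Z", "user": "bob",   "method": "push", "result": "approved", "ip": "198.51.100.4"}
{"ts": "2024-03-01T08:40:12Z", "user": "bob",   "method": "push", "result": "timeout",  "ip": "198.51.100.4"}
{"ts": "2024-03-01T08:41:05Z", "user": "bob",   "method": "push", "result": "approved", "ip": "198.51.100.4"}
"""

# Push results that mean the user did not accept the prompt.
UNAPPROVED = {"denied", "timeout"}


def parse_events(text):
    """Parse JSON-lines auth events; 'ts' becomes a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4, grace=timedelta(minutes=15)):
    """Flag users who receive >= threshold unapproved push prompts within `window`.

    An approval within `grace` after the burst is reported as 'approved_after_burst':
    the target may have accepted a prompt just to make them stop, which a responder
    should treat as a probable account compromise."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("method") == "push":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e["result"] in UNAPPROVED]
        start = 0
        for end in range(len(unapproved)):
            # Slide the left edge until the window spans at most `window`.
            while unapproved[end]["ts"] - unapproved[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold met: extend to the whole run that still fits the window.
            while end + 1 < len(unapproved) and unapproved[end + 1]["ts"] - unapproved[start]["ts"] <= window:
                end += 1
            burst_end = unapproved[end]["ts"]
            approved_after = any(
                e["result"] == "approved" and burst_end <= e["ts"] <= burst_end + grace
                for e in evs
            )
            alerts.append({
                "user": user,
                "first": unapproved[start]["ts"],
                "last": burst_end,
                "unapproved": end - start + 1,
                "source_ips": sorted({e["ip"] for e in unapproved[start:end + 1]}),
                "approved_after_burst": approved_after,
            })
            break  # one alert per user per run is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_events(SAMPLE_LOG)):
        severity = "HIGH" if alert["approved_after_burst"] else "MEDIUM"
        print(f"[{severity}] {alert['user']}: {alert['unapproved']} unapproved push prompts "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} from {alert['source_ips']}")
```

Tune window and threshold to your identity provider's normal prompt rate; the approved_after_burst flag is the case to act on first, because it matches the pattern in which the target eventually accepts a prompt to make the noise stop. Pairing the alert with a call back to the user on a known number closes the loop between detection and the awareness message above.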

Spear-Phishing Awareness

Know which types of threat focus on the superuser role. Typically, those with privileged access are targeted for that access itself. However, they may also be just one link in a wider, more complex attack chain.

Usually, spear-phishing or spear-vishing (voice-based phishing) is used to steal the login credentials of this group of users. The intelligence gathered by the cybercriminals during social engineering helps to create believable scenarios, emails, and spoof websites to trick the privileged user.

Provide tailored, role-based phishing simulation exercises to educate employees about the tricks used by scammers.

Closing The Door on Privileged Account Compromise

An organisation needs to give certain users privileged access; indeed, creating a hierarchy of access is an important part of identity and access management. But privilege is also a chink in an organisation’s armour, a fact not lost on cybercriminals. By applying a baseline of best practices in Security Awareness Training for privileged users, you can harden that armour and keep privilege under control.
