Resources – JoinDeleteMe (https://joindeleteme.com)

Importance of Security Awareness Training: 10 Factors to Consider
https://joindeleteme.com/business/blog/importance-of-security-awareness-training-10-factors-to-consider/ (Tue, 02 Apr 2024 11:11:01 +0000)

What’s the importance of security awareness training?

In this guide, we’ll review 10 reasons every organization should consider implementing security awareness training. 

We’ll also tell you why training alone isn’t foolproof (hint: it has something to do with the amount of employee personal information available online) and the additional steps you can take to empower your “human firewall.” 

10 Reasons for Security Awareness Training 

Below are 10 reasons security awareness training makes sense for every organization. 

1. Most breaches start with humans

    No matter how advanced your network security controls are, a human being can jeopardize your organization in a few seconds. 

    Twitter/X post about a data breach that happened with human error

    About three-quarters (74%) of breaches involve the human factor. Think employees making errors, misusing their account privileges, having their credentials stolen, or falling victim to social engineering attacks.

    A lot of the time, it’s simple mistakes, like employees reusing passwords across work and home devices (44% do this) or not changing credentials after a data breach (45% admit to this), that expose your organization to unnecessary risk. 

    It’s not getting any better, either – the number of people reporting password reuse is growing, not shrinking. 

    2. There are more attacks targeting humans 

      Even with decent security strategies, companies are at risk due to the sheer volume of attacks their employees are experiencing. In 2023, phishing attacks were the top cause of reported data breaches. 

      The average organization receives up to five targeted phishing attacks every day, putting employees on the front lines of determining whether an email is legitimate.

      3. Threat actors (and the tools they have) are getting more sophisticated 

      AI-driven password crackers can now crack the most common passwords in under a minute, and AI-generated deepfakes are so convincing that employees have reportedly paid out $25 million to criminals. 

      By regularly training employees, you can help them stay current with the latest threats and teach them how to recognize and respond to them.

      4. Security awareness training can be part of compliance requirements 

      Many industries have regulations that require organizations to maintain certain security standards, including regularly educating their workforce about security. 

      Training helps comply with laws such as HIPAA that mandate data protection and privacy.

      5. Consumers care about their privacy 

      When customers know that a company trains its employees in security practices, they may have more trust and confidence in that company’s ability to protect their sensitive data. 

      Unfortunately, most companies seem to fall short – 70% of consumers think that companies aren’t doing enough to protect their data. 

      6. A strong security culture doesn’t happen by accident 

      It’s not just the IT department’s job to ensure security; every employee plays a part. The problem is, they might not know it. 

      • 71% of employees say they took a risky action, and 96% did so knowingly, according to the State of the Phish survey. 
      • Just 41% of users said they know they are responsible for cybersecurity at their workplace. 7% said they’re not responsible at all, and 52% weren’t sure. 

      One of the main reasons employees take risky actions is because they’re not sure who is accountable for security. 

      What’s particularly worrying is that there appears to be a disconnect between what employees believe and what security professionals think. More than 8 in 10 security professionals think most employees know they’re responsible for cybersecurity. 

      Security awareness training helps build a strong security culture where security becomes a shared responsibility. 

      7. IT and security teams can have a lighter load

      Well-trained employees reduce the workload on IT departments by minimizing preventable security incidents. 

      For example, an employee who is able to spot a targeted phishing attack won’t share sensitive information with criminals or enable ransomware. This allows IT professionals to spend more time on strategic initiatives, including implementing preventative measures.

      8. Knowing what an attack looks like can help reduce response times 

      Trained employees are more likely to spot and report security incidents quickly, reducing the potential damage and aiding in rapid response and mitigation.

      9. Aware employees = a network of security advocates 

      Employees who are well-versed in security practices can advocate for security within their teams, promoting good practices among their peers and contributing to the security culture of the organization.

      10. A deeper understanding of cyber attacks on the business 

      Through training, employees better understand how their actions impact business continuity. 

      For example, they can learn why it’s crucial to follow procedures for data backup, secure remote access, and proper handling of sensitive information.

      Why Security Awareness Training Is Not Enough 

      Even though security awareness training can improve employees’ ability to spot and stop attacks, it’s not enough to completely prevent data breaches. 

      This is partly due to human psychology. Even after receiving training, employees are likely to use easy-to-remember passwords (which are just as easily guessed) and fall for phishing scams.

      Another part of the problem is that attacks can come from multiple directions, and businesses aren’t adequately preparing their workforce for it. 

      73% of organizations reported a Business Email Compromise (BEC) attack in the past year, but only 29% are teaching their users about it. Similarly, only 23% of organizations train their users on how to recognize and prevent telephone-oriented attacks, even though reports of these have risen in the recent past.

      Reddit post about security awareness training

      Reducing the Risk of Personal Information Attacks

      Attackers are increasingly using employees’ personal information to:

      • Tailor their phishing campaigns (whether email, text, or phone call) to their targets.
      • Impersonate them to their colleagues.
      • Access their accounts by guessing their passwords and security questions.

      Educate your employees about the importance of shrinking their online footprints to reduce your human attack surface.

      The less information that exists about employees online, the less cybercriminals will have to work with when guessing passwords or creating targeted spear phishing attacks. 

      Ideally, you should train your employees on the importance of keeping their online presence private. This includes limiting the amount of personal information they share publicly on social media and removing personally identifying information from blogs, forums, and other online accounts. 

      You should also enroll them in a data broker removal service. 

      According to leaked internal chat transcripts from cybercriminal groups, data brokers are one of the biggest sources of employee information. 

      Data brokers are companies that collect public information into single profiles and then sell them to any parties willing to pay a small fee. 

      Profiles can include details like employees’ names, phone numbers, email addresses, family information, employment history, education, and organizational charts. In short, everything a criminal needs to plan and execute an attack. 

      Data broker profile

      While it is possible to manually opt out of data brokers, doing so at scale and continuously is difficult (data brokers relist people as soon as they find more data on them). 

      As a result, many organizations choose to subscribe their employees to a data broker removal service such as DeleteMe. 

      End User Security Awareness Training
      https://joindeleteme.com/business/blog/end-user-security-awareness-training/ (Tue, 02 Apr 2024 11:01:08 +0000)

      In this guide, we’ll explain what end user security awareness training is and what it looks like for a typical organization. 

      We’ll also discuss why training alone isn’t effective and what companies can do to reduce the likelihood that their end users will be targeted in attacks. 

      What Is End User Security Awareness Training?

      End-user security awareness training is a training program that educates “end users” (typically company employees or organization members) about security. 

      The goal is to inform users about cyber threats and teach them how to protect themselves and their organization. 

      Why Is End User Security Awareness Training Important?

      By educating their workforce about their role in cybersecurity, organizations can significantly mitigate the risk posed by human error, which is one of the biggest sources of data breaches. 

      While some security incidents happen due to negligence, like employees sending sensitive emails to the wrong recipient, criminals also use psychological manipulation to get end users to make security mistakes or share confidential information.  

      These manipulations often come in the form of phishing and business email compromise (BEC) attacks. In 2023, 73% of companies were targeted by BEC attacks, and 74% were targeted by spear phishing emails. 

      When employees receive these often convincing communications, it can be difficult to determine if they’re real or fraudulent. 

      Twitter/X post from a security expert who got phished

      That’s where security awareness training comes into play – it can teach employees how to recognize fraudulent messages and potentially malware- or ransomware-laden attachments, along with techniques for improving their overall security, like using strong passwords and backing up data.  

      What Does End User Security Awareness Training Look Like? 

      End user security awareness training is often conducted through a mixture of online courses, quizzes, workshops, regular updates, and practical exercises. 

      The specific type of training and the formats involved differ depending on the needs and vulnerabilities of the organization.

      For example, some companies provide security advice daily through platforms regularly used by employees (such as Slack or Teams). According to CybSafe, 79% of office workers responded favorably to this delivery method, while a full 90% prefer to receive reminders through instant messaging apps. Using this method of frequent reminders (either daily or weekly) can double employees’ retention of their security training compared to those who receive it less frequently. 

      Your organization may make the training role-appropriate by highlighting the risks affecting specific teams or departments. This is especially important if your organization handles sensitive data, as some team members will need more targeted training to learn the policies behind information security.

      To determine what kind of training is appropriate for each department, ask yourself what technologies are used by employees within the department on a day-to-day basis and what threats or scams they’re likely to face. 

      If you make training relevant to what they’re doing, employees will be more likely to retain the information.

      Key Aspects of End User Security Awareness Training 

      While specific components of a cybersecurity awareness training program will vary, common training modules will likely overlap for all involved.

      With many people reusing previously compromised passwords, password security is a critical module to include. At the very least, it should teach employees how to create strong passwords that don’t contain easy-to-guess words, encourage everyone to change compromised credentials, and have them enable multi-factor authentication.

      Social engineering/phishing training is another important component, as phishing attacks are among the most common causes of data breaches. This module can cover everything from mass phishing campaigns to spear phishing and BEC attacks. 

      Other common training topics include physical security, sensitive information handling, mobile device security, remote work security, and incident reporting.

      Why End User Security Awareness Training Is Not Foolproof 

      Regardless of how well you design your end user security awareness training program (or how often you provide it), remember that employee training is not foolproof.

      Part of it comes down to convenience. Last year, 71% of trained employees admitted to taking risky actions, and 96% of them were fully aware that their actions were risky. 

      Even knowing that what they’re doing is potentially dangerous isn’t always enough to stop employees from carrying out that action anyway. It’s one thing knowing you need to stop using weak credentials. It’s quite another to start creating strong passwords you probably won’t remember. 

      Psychologist Bec McKeown acknowledges this, writing:

      “What people don’t realize is that psychologically there is no direct link between awareness and behavior change. Most people believe that if you make people aware, they will do something about it. That is not true.”

      You also can’t train against everything. Given how tailored social engineering attacks can be, it can be impossible for employees to make a connection between a phishing simulation and a real-world spear-phishing attack. 

      Organizations looking to minimize the possibility of data breaches and cybercrime should consider going beyond training programs.

      How to Reduce the Risk of Personal Information Attacks

      Cybercriminals use employee personal information to personalize their phishing emails, guess their account credentials, and impersonate them in BEC attacks. 

      Security awareness training can educate employees about these personal information threats, but it can’t guarantee that employees will be able to spot them in real time. 

      Rather than expecting employees to be able to catch these kinds of threats, it’s better to reduce the amount of ammunition (employee data) criminals can get their hands on. The best way to do that is through online footprint reduction. 

      Shrinking your online footprint generally involves several steps, including changing privacy settings on social media, limiting the amount of information posted on any public channel, and opting out of data brokers.

      Data brokers, in particular, are a growing concern. They are companies that collect information about people and then sell it in the form of comprehensive profiles to anyone who wants them. Cybercriminals use data brokers to find targets and contacts to “name drop” in social engineering attacks.

      B2B data broker profile

      While it is possible to manually opt out of data brokers, employees would need to opt out of multiple brokers and do so repeatedly (brokers reactivate profiles when they find more information). 

      Alternatively, organizations can sign their employees up for a data broker removal service such as DeleteMe, leaving the opt-out process in the hands of data professionals. 

      How Often Should Security Awareness Training Be Conducted
      https://joindeleteme.com/business/blog/how-often-should-security-awareness-training-be-conducted/ (Tue, 02 Apr 2024 10:53:50 +0000)

      The simple answer to “How often should security awareness training be conducted?” is: At least twice a year. 

      For a more granular answer (including why yearly training is insufficient and whether there’s such a thing as “too much” training), read the guide below. 

      We also explain why security awareness training alone is not enough and what other steps organizations can take to prevent employees from falling for spear phishing and other attacks. 

      How Often Should Security Awareness Training Be Conducted? 

      As a basic guideline, security awareness training should be conducted at least every 4 to 6 months, according to ISACA, an association focused on IT governance. 

      Studies have found that employees continue to retain the ability to recognize phishing attempts four months after training, but after six months, they begin to forget what they’ve learned.

      After the 6 to 8-month window passes, employees’ skills are no longer much better than before the training. 

      Reddit awareness training post - awareness training is like going to the gym

      Within the 4 to 6-month window, the exact frequency that will best suit your organization will depend on factors like:

      • Size of your organization
      • Complexity of your organization
      • Compliance requirements
      • Level of risk you face

      In any case, yearly training is not enough. Security awareness training should take place at least twice a year. 

      Can You Have Too Much Security Training? 

      Some experts believe you can have too much security training. 

      For example, according to a CSOOnline article, Zinaida Benenson of the IT Security Infrastructures Lab at the University of Erlangen-Nuremberg says employees who are overtrained in spotting spear phishing may lose productivity.

      She says, “People’s work effectiveness may decrease, as they will have to be suspicious of practically every message they receive.” 

      Twitter/X post - IT email reported as phishing

      Not everyone agrees, though. 

      Kevin Mitnick, once the world’s foremost hacker and now the head of Mitnick Security Consulting, strongly disagrees with that viewpoint. 

      “That would be like saying wearing a seat belt takes away the enjoyment of driving. Or locking your car makes people drive poorly. You wouldn’t blame the manufacturer if someone left his keys in the car and a thief drove off with the vehicle. The driver would be responsible,” he says. 

      The level of suspicion that you want your employees to utilize during their daily work will depend on your organization and your data security needs. 

      Lance Spitzner, director of SANS Securing the Human, pointed out the need for balance. 

      “Not enough [suspicion] and bad guys get through. Too much and definitely trust and the ability to work together breaks apart,” he said. 

      As a rule of thumb, stick to whatever training frequency feels appropriate for your organization – but focus on teaching employees to be skeptical in situations where more scrutiny and distrust are essential, such as when someone sends them a link (even if it’s someone they know) or when the company is going through a period of change or a significant financial event, like a merger or acquisition.

      Security Training Is Important, But Not Something You Can Rely On 100% 

      While training is important, it should be just one of many tools in your utility belt to stop data breaches and other security incidents. 

      Even after receiving security awareness training, 44% of respondents in one survey admitted to reusing passwords across accounts and devices. Another survey found that only 45% of people change their passwords after data breaches occur.

      People make mistakes, and they will keep making them out of habit.

      Cybercriminals know this, too. 74% of all data breaches involve humans in some capacity, illustrating how easy it is for bad actors to get login credentials and how effective targeted spear phishing attacks can be.

      Reducing the Risk of Personal Information Attacks

      To improve their chances of success, criminals are increasingly researching their targets. 

      They use the information they find online to:

      • Personalize their phishing campaigns. 
      • Impersonate executives and other employees in business email compromise attacks to trick victims into sharing sensitive information or clicking on malicious files.
      • Guess passwords and security questions to corporate accounts. 

      In addition to offering regular security awareness training programs, it’s essential to give employees guidance on how to reduce their online footprint. Doing so will shrink the amount of information about them online, making it more difficult for criminals to execute the kind of personalized attacks mentioned above. 

      Consider educating employees on the importance of changing social media settings from public to private, limiting the amount of information they share on websites and forums, and opting out of data brokers.

      Data brokers, in particular, represent a major vulnerability when it comes to employee data security. They are companies that collect public information about people and then sell this information to anyone willing to pay a small fee. 

      Data broker profile

      By obtaining data broker profiles (whether through buying them or hacking data broker databases), criminals can (and do) find a significant amount of information about employees in your organization. This can include data on their family (criminals now send phishing messages to employees’ family members) and who they report to within their organization (crucial for BEC attacks). 

      It is possible to opt out of data brokers, but employees will need to opt out of every data broker manually. They’ll also need to be diligent and repeat the process with the same data brokers whenever their profiles are reactivated (which occurs when new data is found online). 

      A better solution is for organizations to subscribe their employees to a data broker removal service such as DeleteMe, which can handle the data broker opt-out process on employees’ behalf. 

      HIPAA Security Awareness Training
      https://joindeleteme.com/business/blog/hipaa-security-awareness-training/ (Fri, 01 Mar 2024 14:02:28 +0000)

      HIPAA security awareness training gives employees an understanding of policies and procedures for preserving patient privacy.

      Training employees about patient privacy is mandatory for entities handling protected health information (PHI) and their business associates.

      In this guide, we’ll explain who HIPAA security awareness training applies to, what it entails, and why training alone isn’t enough to keep patient data safe. 

      What Is HIPAA?

      HIPAA, or the Health Insurance Portability and Accountability Act, is a federal US law. It is a series of standards that any organization dealing with people’s health data needs to have in place.

      HIPAA was designed to protect health information and prevent it from being disclosed to third parties without authorization.

      What Is HIPAA Security Awareness Training?

      All healthcare providers, health plans, and clearinghouses dealing with patient data (“covered entities”) and their business associates must provide their workforce with a HIPAA-compliant security awareness training program.

      The training involved depends on the role of the organization. In the case of covered entities, both HIPAA’s Privacy Rule training standard and the Security Rule training standard apply. Meanwhile, business associates of covered entities are only bound by the Security Rule training standard.

      The Privacy Rule training standard requires employees with access to PHI to receive regular training in their organization’s data handling policies and procedures. 

      The Security Rule, more broadly, requires implementing a security awareness and training program. 

      There are no particular guidelines related to the length of HIPAA security awareness training, meaning organizations have some flexibility in how it is administered.

      Organizations can face significant financial penalties for HIPAA violations. The severity of the penalty is generally based on the nature of complaints levied against the organization. If the HHS’s Office for Civil Rights (OCR) conducts an audit on the training course and finds noncompliance, no complaint is necessary for a fine to be imposed. 

      HIPAA Privacy Rule training requirements

      According to HIPAA’s Privacy Rule training requirements, covered entities must provide training to their workforce on the security policies and procedures for handling patient medical data and reporting breaches.

      New employees must receive their initial privacy training “within a reasonable period of time” to avoid being out of compliance. 

      Tenured employees must also receive training whenever their “functions are affected by a material change in policies and procedures” per HIPAA regulations. 

      Additional training may be required “as necessary and appropriate” for proper compliance.

      HIPAA privacy rule training requirements

      HIPAA Security Rule training requirements 

      According to HIPAA’s Security Rule training standard, all members of the workforce of both covered entities and their business associates must have a security awareness and training program. 

      HIPAA security rule training requirements

      Information security awareness and training programs are designed to give employees a better understanding of safety techniques when using computer networks, including how to spot phishing threats, avoid malware, and implement strong passwords. 

      These training programs are essential for anyone who handles patient data, whether directly or indirectly. Once cybercriminals gain access to a network, they can potentially access any data within it.

      Along with the basics of cybersecurity awareness, employee training should go over the entity’s HIPAA-compliant policies and procedures. These generally include additional physical, technical, and administrative safeguards.

      There are no requirements as to the length or frequency of HIPAA training under the Security Rule.

      HIPAA Awareness Training Modules 

      There are no specific guidelines for what topics should be covered in HIPAA compliance training. Instead, the program should be developed following a risk assessment within each organization. 

      The HIPAA Journal has a list of recommended modules divided into basic and advanced categories. 

      Basic modules include:

      • HIPAA overview.
      • HIPAA patient rights.
      • HIPAA disclosure rules.

      Advanced modules include:

      • Computer safety rules.
      • HIPAA and social media.
      • Recent HIPAA updates. 

      The Importance of Phishing Training 

      One particular module to pay attention to is phishing training. While it’s not mandatory under HIPAA security awareness training, the healthcare industry is particularly susceptible to social engineering attacks like business email compromise (BEC).

      According to the Department of Health and Human Services, there were 4,419 reported breaches of medical data between October 1, 2009 and December 31, 2021. Of those breaches, 18% were caused by a phishing attempt or a hacked email account. 

      Phishing attempts often lead to the most significant data breaches in healthcare, with 57% of respondents reporting as such in the 2021 HIMSS Healthcare Cybersecurity Survey. In 2023, the HHS’ Office for Civil Rights (OCR) imposed the first HIPAA penalty in a phishing attack investigation.

      Phishing training should educate healthcare workers on how phishing attacks happen and highlight red flags to watch out for, like strange senders’ addresses, spelling and grammar mistakes, and a sense of urgency. Although phishing emails are particularly common, employees and other stakeholders need to be made aware that phishing can take other forms, including texts and social media messages. 

      In addition to theoretical training, covered entities should also provide phishing tests and simulations, including ones relevant to particular employees or groups of employees (for example, phishing tests targeting the HR department). 

      Going Beyond Security Awareness Training 

      Security awareness training is important for HIPAA compliance but doesn’t necessarily diminish the risk of cyber attacks and breaches. 

      As Bec McKeown, founder and principal psychologist at Mind Science, put it:

      “What people don’t realize is that psychologically there is no direct link between awareness and behavior change. Most people believe that if you make people aware, they will do something about it. That is not true.”

      Not only can’t security awareness training change bad habits, but cybercriminals are also becoming more sophisticated, using the information they find about employees online to craft more convincing phishing emails and guess their passwords. 

      To quote Jeff Hancock, Harry and Norman Chandler Professor of Communication at Stanford University: 

      “Attacks are becoming more sophisticated because there is so much information about ourselves online now.” 

      It’s not just public social media profiles that put employees and other healthcare stakeholders at risk of personalized attacks. Data brokers – companies that compile information about individuals and then sell it to anyone who wants it – are another common source of information for cybercriminals. 

      Data broker profiles include information like names, email addresses (corporate and personal), phone numbers, education history, employment history, family details, and more. Here’s an example: 

      Data broker profile

      Healthcare organizations can reduce the risk of these kinds of attacks by educating employees about their digital footprints and the necessity to shrink them as much as possible. Besides lowering an organization’s cyber risks, shrinking employees’ digital footprints can protect them against harassment, stalking, doxxing, and identity theft. 

      Train employees on safe social media usage and consider enrolling at-risk employee groups in a data broker removal service like DeleteMe.

      Why Security Awareness Training Fails
      https://joindeleteme.com/business/blog/why-security-awareness-training-fails/ (Fri, 01 Mar 2024 13:57:21 +0000)

      Among the many reasons why security awareness training fails, two in particular stand out to us: 

      • There’s no link between security awareness training and behavioral change.
      • Personalized attacks are hard to spot and stop, even when individuals are trained to avoid phishing attacks. 

      In this guide, we’ll explain what security awareness training is and why it doesn’t always work as companies expect it to. We’ll also share some tips on how to minimize the risk of data breaches that exploit the human element. 

      What Is Security Awareness Training? 

      Security awareness training refers to information security programs within organizations that are designed to teach employees and other relevant stakeholders how to recognize cyber threats. 

      Training can consist of any number of modules, with common topics including email security (which may involve phishing simulations and malware-focused training), terminal security (including locking desktops that aren’t in use), and password strengthening. 

      The purpose of security awareness training programs is to prevent cyber attacks (social engineering, ransomware, etc.) from succeeding. 

      Why Security Awareness Training Fails 

      Teaching employees how to recognize phishing techniques and create strong passwords (among other things) should (theoretically) make the organizations they work for safer.

      However, the reality is that most employees aren’t security experts, even trained ones. 

      Training scenarios take place in safe and controlled environments, and employees are generally passive participants. Meanwhile, actual cyber attacks are active and dynamic. 

Researchers point out that even robust security training does not reliably translate into safer behavior. Bec McKeown, founder and principal psychologist at Mind Science, says:

      “What people don’t realize is that psychologically there is no direct link between awareness and behavior change. Most people believe that if you make people aware, they will do something about it. That is not true.”

      Part of the problem is that employees typically only receive cybersecurity training once or twice a year, meaning that security isn’t at the forefront of their minds at any given moment. 

Many employees also say the security awareness training they receive is outdated, too general, and too slow, arriving long after the threats it describes.

[Image: Reddit post about bad security awareness training]

      On the other hand, cybercriminals are constantly working to develop new techniques. 

      Besides utilizing new technical approaches, cybercriminals invest a significant amount of time working on ways to get employees to give them access to the company network. 

This means cybercriminals are spending more time in the reconnaissance stage, researching employees through sources like data brokers. As a result, attacks are more likely to slip past email filters, and past employees’ own mental model of what a phishing email looks like.

      Personal Information Attacks Require More Than Security Awareness Training 

      Let’s take a look at how cybercriminals use personal information in spear phishing and account takeover attacks. 

      Spear phishing 

Most phishing attempts are relatively easy to spot due to unusual sender addresses or generic lures. These emails are sent out by the millions and have a low chance of success per recipient.

      That’s not the case for personalized phishing emails engineered to fool a particular employee or group of employees. In these cases, cybercriminals dive deep into their targets, acquiring personally identifiable information (PII) from anywhere they can find it. Emails of this nature can address employees by their first name and even reference superiors in the organization to build credibility. 

      One of the top sources for PII is data brokers. Data brokers collect publicly available information about individuals and then sell this information as comprehensive profiles to anyone willing to pay a small fee. 

[Image: B2B data broker profile]

One particularly notorious ransomware group, Conti, is known (from its leaked internal chats) to have used data brokers to identify spear phishing targets and decide whose name to drop in the email to make it more convincing.

      Some cybercriminals are also using data brokers to identify targets’ family members and use them as a way into corporate networks. 

Personalized attacks can be very convincing, even to those who have received significant amounts of training. Just ask senior White House cybersecurity advisors.

      Account takeover 

      Once someone knows an employee’s background, it’s easy for them to start guessing passwords. 

      Most passwords are absurdly easy to guess, anyway. As NordPass’s annual password survey shows, the vast majority of people (including high-ranking executives) continue to use weak passwords like “123456,” “admin,” and “password.”

      However, even when people try to create more complex login credentials, many end up leaning on their personally identifiable information (PII), whether it’s a birth date or a spouse’s name. But this kind of information is easy to find on a data broker profile. 

[Image: data broker profile compared with password survey results]

All a cybercriminal has to do is acquire PII about an employee, feed it into a password-cracking tool as a seed wordlist, and let the tool apply common mangling rules (capitalization, appended years, trailing symbols) to generate and test thousands of likely guesses. Against a live login, lockouts and rate limiting slow this down; against a leaked database of password hashes, the guessing runs offline with no such limits.
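To make the mechanics concrete, here is an added example (not code from the original article) of how a handful of PII fields seeds a targeted wordlist. The profile, the mangling rules and the “leaked” SHA-256 hash are all constructed for illustration; real tools such as hashcat or John the Ripper apply far richer rule sets, but the principle is the same: a few thousand PII-derived guesses, not billions of random ones.

```python
"""Seed a targeted password wordlist from data-broker-style PII.

Added example for this article, not code from the original post. The
profile, the mangling rules and the 'leaked' hash are all constructed.
"""
import hashlib
import itertools

# Constructed PII of the kind a data broker profile exposes (fictitious person).
PROFILE = {
    "first": "Maria",
    "last": "Jensen",
    "spouse": "Emma",
    "pet": "Biscuit",
    "birth_year": "1985",
    "city": "Boulder",
    "employer": "Acme",
}

# Common mangling rules: trailing symbols/digits and simple leetspeak.
SUFFIXES = ["", "!", "1", "123", "#"]
LEET = str.maketrans("aeios", "43105")


def _bases(token):
    """Case and leetspeak variants of one PII token."""
    return {token.lower(), token.capitalize(), token.upper(), token.translate(LEET)}


def generate_candidates(profile, years=range(1950, 2031)):
    """Return a sorted, de-duplicated wordlist: token x variant x number x suffix.

    The numbers tried are the profile's birth year (full and two-digit) plus
    every year in the given range, since years are the most common appendage.
    """
    tokens = [v for k, v in profile.items() if k != "birth_year"]
    numbers = {"", profile["birth_year"], profile["birth_year"][-2:]}
    numbers.update(str(y) for y in years)
    candidates = set()
    for token in tokens:
        for base, num, suffix in itertools.product(_bases(token), numbers, SUFFIXES):
            candidates.add(f"{base}{num}{suffix}")
    # Two-token joins such as spouse+pet, another frequent pattern.
    for a, b in itertools.permutations(tokens, 2):
        candidates.add(a.capitalize() + b.lower())
    return sorted(candidates)


def sha256_hex(password):
    """Fast unsalted hash, standing in for a poorly protected leaked hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash, candidates):
    """Offline dictionary attack: return the matching plaintext or None."""
    for guess in candidates:
        if sha256_hex(guess) == target_hash:
            return guess
    return None


if __name__ == "__main__":
    leaked = sha256_hex("Emma1985!")  # constructed: spouse's name + birth year + '!'
    wordlist = generate_candidates(PROFILE)
    print(f"{len(wordlist)} candidates generated from {len(PROFILE)} PII fields")
    print("recovered:", crack(leaked, wordlist))
```

Run as a script, it generates roughly ten thousand candidates and recovers the password in well under a second. The defensive lessons follow directly: screen new passwords against PII and breached-password lists rather than relying on complexity rules alone, require MFA, and store passwords with a slow, salted hash such as bcrypt or Argon2 so that even a wordlist this small costs the attacker real time.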

      How to Combat Personal Information-Based Attacks 

      Although security awareness training is important, organizations can’t rely on it alone to reduce their human attack surface, especially when it comes to personalized attacks against employees. 

      Besides fostering a security culture, organizations should also take steps to reduce their employees’ digital footprints. Potential measures include educating employees about the risks of over-sharing online and enrolling at-risk stakeholders in data broker removal services such as DeleteMe

      Security Awareness Training Explained https://joindeleteme.com/business/blog/security-awareness-training-explained/ Fri, 01 Mar 2024 13:52:35 +0000 https://joindeleteme.com/?p=9184


      Organizations around the world utilize security awareness training to make cyberattacks less likely.

      In this guide, we’ll explain what security awareness training is, why it’s important, what it involves, and its limitations.

      What Is Security Awareness Training?

      Security awareness training is the process of educating employees, contractors, partners, and other stakeholders about why cybersecurity matters and how to avoid doing anything that might cause data breaches and other security incidents. 

      Like any training activity, the goal is for the participants to learn new knowledge and behaviors. You want employees to better understand their role in keeping their organizations’ assets safe and improve their ability to recognize potential threats online, such as phishing emails. 

Cyber awareness training can also be legally necessary. Conducting security awareness training is a compliance requirement for organizations that must follow industry and government regulations like HIPAA or PCI DSS.

      Depending on the company, a cybersecurity awareness training program could be created and conducted internally, or a third-party provider may be brought in to help. 

      Why Is Security Awareness Training Important?

It’s hard to overstate how often human error contributes to successful cyber attacks. Security awareness training does not eliminate human error, but it can do a lot to make employees less likely to enable attacks.

      What Does Security Awareness Training Look Like?

      Your company’s cybersecurity training program will be unique to your company’s operations.

      However, there are some best security training practices you should follow. A core one is to train people often. Ideally, in small doses.

      It’s generally agreed that annual in-person training and long-form computer-based security awareness sessions are ineffective in changing user behavior. 

      Instead, there should be frequent sessions throughout the year split into small modules that don’t overwhelm employees and combine different learning activities and formats, like on-demand courses, quizzes, and simulations, paired with actionable steps. 

      That way, it’s easier for employees to digest and retain the information and for cybersecurity and data privacy to remain top of mind at all times rather than just once a year. 

      Security Awareness Training Common Topics 

      Common topics for security awareness training programs include: 

• Email security, for example, spear phishing simulations that teach employees how to spot suspicious emails requesting sensitive information or carrying attachments that may contain ransomware or other malware. Since phishing tactics are constantly evolving, phishing awareness training needs to continuously adapt to and highlight new cyber threats. To measure progress, run a baseline phishing simulation before training so you know the click and credential-submission rates for untrained staff.
[Image: tweet about failing a phishing test at work]
• Password hygiene, like educating end users about the dangers of password reuse and other bad habits such as writing passwords on sticky notes. Consider also setting minimum password lengths, banning default passwords, and requiring multi-factor authentication, ideally a phishing-resistant method such as FIDO2 security keys or passkeys, since one-time codes can be phished along with the password.
      • Physical security, such as training employees not to allow unauthorized persons into the building or office and reporting suspicious persons. 
      • Safe social media usage, including teaching employees not to overshare on social media. 
      • Remote work, like sharing information on how to make remote work environments secure. 
      • Desktop security, which focuses on locking terminals that aren’t in use and avoiding using unauthorized external devices.
      • Wireless network security, including the do’s and don’ts when connecting to wireless networks, to minimize security threats.

      Security Awareness Training Is Important, But Not Something You Can Rely On

Even frequent security awareness training sessions can’t completely eliminate human risk.

This is due to a few factors. First, there isn’t necessarily a link between awareness and behavior change. Studies show that employees still use easy-to-remember passwords even after they receive training. They also still fall for phishing scams.

      Bec McKeown, founder and principal psychologist at Mind Science, says: 

      “What people don’t realize is that psychologically there is no direct link between awareness and behavior change. Most people believe that if you make people aware, they will do something about it. That is not true.” 

      Second, it’s impossible to cover all possible risk scenarios, especially those personalized to an individual or group of employees. 

      For example, with social engineering campaigns, it’s easy to spot “Nigerian prince” emails but much more difficult to tell if an email or text that references your personal details and seems to come from someone you know is real or fraudulent. 

      When it comes to passwords, employees may learn to use unique login credentials for corporate accounts but wind up including their personal information (like their spouse’s name or date of birth) in their passwords. 

When that happens, the account is not actually secure. Cybercriminals can easily find employees’ personal information through various OSINT sources, including social media profiles, public records, and data brokers.

[Image: common OSINT sources]

      Data brokers, in particular, are worth a mention since they offer a lot of information in one place. 

      These companies gather people’s personal information from various sources, compile it into profiles, and sell these profiles to more or less anyone willing to pay for them. 

      Profiles can include employee names, email addresses (personal and professional), phone numbers, education and employment history, and family details. 

[Image: example data broker profile]

      How to Combat Personal Information-Based Attacks 

      There’s a secondary measure that can help ensure employees aren’t as vulnerable to cyber attacks: Digital footprint reduction. 

      Many cyber attacks utilize personal information, such as employee names, positions, emails, and so on. 

      Reducing the amount of information available about employees online can reduce the chances they’ll be targeted. If nothing else, it can limit the number of phishing attacks employees are exposed to. 

      To reduce employees’ online footprint, consider the following steps:

• Enrolling employees in a data broker removal service like DeleteMe. Leaked internal chat transcripts from cybercriminal groups like Conti confirm that threat actors use data brokers for intelligence gathering.
      • Educating employees about the risks of sharing personal details on social media and elsewhere online. 
      • Revisiting employees’ public biographies on company sites and social media accounts. 
      Data broker laws gain traction – July 2023 Newsletter https://joindeleteme.com/business/blog/delete-act-fourth-amendment/ Thu, 27 Jul 2023 21:42:12 +0000 https://joindeleteme.com/blog/?p=8010


      Hello again – after a hiatus in June, we’re back again with our monthly update on happenings in the privacy space relevant to businesses.

Regulatory Update: Significant data broker regulations like California’s ‘Delete Act’ and the federal ‘Fourth Amendment Is Not For Sale Act’ show real momentum

California’s ‘Delete Act’ has advanced quickly through the state Senate and relevant committees over the past months and could soon become state law. The regulatory template, which requires companies that collect and sell consumer data to register with the state AG’s office and to provide a one-stop-shop ‘opt-out’ mechanism for California residents, was originally proposed in Congress last year (albeit with the FTC managing the registry and enforcement) and has been reintroduced in the current session. Passage in California would put pressure on the federal government to make the framework a national norm, and it could give consumers significantly more control over how data brokers handle personal data.

The ‘Fourth Amendment Is Not For Sale Act’ was a 2021 congressional bill that proposed barring government agencies from buying commercial surveillance data on Americans in a way that bypasses normal search warrant requirements. It was recently inserted into a Section 702 surveillance reform bill that has bipartisan support, which makes its prospects for passage much stronger than when it was originally introduced.

      Our take:

      The Wild West days of the data broker industry may not be over, but we might be beginning the last act.

There have been no significant data broker regulations passed in decades. But pressure to introduce new ones has never been higher. Piecemeal laws that address key components of the sprawling industry have greater near-term prospects for success than omnibus national consumer privacy laws like the federal ADPPA, which try to do everything at once.

The Delete Act framework has been compared to the FTC’s National “Do Not Call” Registry, which has historically been a toothless gesture by consumers to try to limit unwanted robocalls and spam, because there are no practical means of monitoring and enforcement. But companies like DeleteMe, which came into being because of consumer needs for data control, are in an excellent position to provide exactly that capability, and we see these laws as a positive development that gives us greater relevance in ensuring companies honor consumer privacy demands.


      Cybersecurity Update: MOVEit may turn out to be the biggest data breach event in recent years

The compromise of the MOVEit file transfer system has hit more than 420 organizations over the past two months, of which nearly 300 are American businesses, universities, and government agencies. The amount of compromised employee and consumer information remains imperfectly accounted for, but it is certain to continue to grow.

      Our take:

Early in 2023, researchers were suggesting there was a downtrend in cybersecurity risk relative to 2022, but, as the recent events show, a successful attack on a single, widely used vendor can have massive impact. The most at-risk institutions continue to be public sector and healthcare service providers, who remain behind the curve in limiting their exposure to third-party vendor risk.


      Enforcement updates: FTC expanding application of COPPA rules against Big Tech; CA AG interested in CCPA employee privacy compliance

Over the past months, both Amazon and Microsoft were charged with Children’s Online Privacy Protection Act (COPPA) Rule violations and each paid fines of $20M or more. The FTC has recently taken an expansive and aggressive approach to interpreting COPPA as part of a growing federal interest in children’s privacy online. ‘Age verification’ requirements for online services remain a complex and problematic issue, and it’s unclear how companies can easily offer flexible services to users without potentially coming into conflict with the vague application of legacy children’s privacy laws.

      California Attorney General Rob Bonta recently sent inquiry letters to many of California’s largest employers to learn how they’re approaching CCPA compliance with employee data privacy rules, which affect how companies treat information about their workforce and job applicants.  California is one of the only states whose privacy law currently addresses workforce data, and provides an early warning of the kind of frameworks that may emerge in other states in the future.

      Our take:

The biggest problem with many existing privacy laws is the lack of clarity about what compliance really means. Many companies take a ‘wait and see’ approach to learn what will be enforced, and rely on test cases to show where the limits are. ‘Kids’ privacy’ is a current danger zone for some businesses (specifically in social media, gaming, and other areas with a high youth presence); workforce privacy rules are a potential future area of risk given recent White House interest in the status quo of workforce surveillance.


      Regulatory Update: FL & TX Pass Privacy Laws, WA Enacts ‘My Health My Data Act’ — May 2023 Newsletter https://joindeleteme.com/business/blog/fl-tx-pass-consumer-privacy-bills/ Wed, 31 May 2023 16:20:47 +0000 https://joindeleteme.com/blog/?p=7948


      Florida, Texas and Washington All Pass Consumer Privacy Bills

      The Washington law is particularly notable. It includes broad definitions of covered entities and sensitive data types, as well as a strong private right of action. The combination of these features may make it the most significant new privacy law in the country. 

Washington State now joins Iowa, Indiana, and Tennessee, all of which have signed new privacy legislation into law this year. California, Colorado, Connecticut, Utah, and Virginia have passed similar laws in the past few years. The Montana legislature also passed a comprehensive privacy law in April.

      Our take: 

      Washington’s My Health, My Data Act is likely to be a significant source of concern for many companies. The Act is similar to Illinois’ Biometric Information Privacy Act (BIPA), which has led to billions of dollars lost in class action settlements over the last few years, but imposes more operationally challenging obligations and has fewer limitations on applicability. 


      Cybersecurity Update: Municipal Agencies, Healthcare Networks Under Fire

Cybersecurity researchers are pointing to a growing trend of ransomware attackers targeting municipalities. Since the beginning of 2023, there have been major disruptions in Oakland, CA, Dallas, TX, and Washington, DC, as well as smaller cities like Lowell, MA, and the suburbs of Detroit, MI. This month also saw attacks on the U.S. Department of Transportation and the DC Metro system, highlighting growing cyber risks to public infrastructure.

The healthcare sector has also become a favored target of some well-resourced ransomware groups like Cl0p and LockBit. Attacks in this sector peaked at a record high in April. A recent breach of PharMerica, a pharmacy services provider, is one of the largest this year so far, exposing the data of over six million patients.

      Our Take: 

      With large ransomware payouts in decline, Russian cyber gangs appear to be dividing efforts between “disruption for disruption’s sake” and exfiltrating the most lucrative, sellable data. The public sector is ideal for the former and the healthcare industry for the latter.


      Workforce Surveillance Receiving Greater Federal Scrutiny

      The White House Office of Science and Technology Policy released a public request for information on employer use of workforce monitoring technologies. This is usually an early indication of forthcoming policy proposals.

      Recent research indicates that even though pandemic-driven remote work opportunities have decreased, the use of employee surveillance tools has grown since 2021. The types of technologies used have also become more invasive.

      Our Take

      Few new state privacy laws (other than the CCPA) have included employee data protections so far. Still, it’s possible that workforce surveillance – like Children’s  Data, Health Data, and Location Data – may become an area where the FTC applies broader interpretations of its own regulatory mandate in the near future. 


      Data Broker Hearings, CISA Security Standards & Telegram Bots – Apr 2023 Newsletter https://joindeleteme.com/business/blog/data-broker-hearings-secure-by-design/ Tue, 18 Apr 2023 18:21:26 +0000 https://joindeleteme.com/blog/?p=7892


      Privacy Law Developments in Iowa, Indiana, Washington, Arkansas, Montana  

      Iowa and Indiana have become the sixth and seventh states to pass comprehensive consumer online privacy laws; others are expected to follow later this year.  Both new laws largely track the approach of the “WPA Model” shared by CO, CT, and VA and are considered generally weaker than California’s CCPA framework.  A comparison of existing state privacy law details is available here.

      The Washington state legislature recently passed the My Health, My Data Act, which includes a private right of action similar to the IL Biometric Information Privacy Act (BIPA) and broadly defines both ‘health data’ and covered entities. This will be one to pay attention to.

      Additionally, Arkansas has joined Utah in passing age-verification restrictions on social media use, and the Montana legislature advanced a complete ban on TikTok, which now awaits the Governor’s approval.  Social media age-verification proposals are also quickly advancing in other states, including Ohio, Connecticut, and Minnesota.

      Our Take

      While more states are passing relatively weak, cookie-cutter privacy legislation, we still see it as a welcome trend. It provides a foot in the door for future improvement and will pressure Congress to meet a higher standard with any eventual Federal privacy laws.  

      By contrast, we think the current ‘age-verification’ regulations are negative developments for online privacy, as well as likely to eventually end up facing constitutional challenges.  

      Including the private right of action in Washington’s Health Data bill is notable and may prompt similar me-too legislation elsewhere.


      House Data Broker Hearing, CISA Publishes ‘Secure By Design’ Standards 

The House Oversight and Investigations Subcommittee will hold a hearing on “The Role of Data Brokers in the Digital Economy,” scheduled for April 19th. As described by committee members:

      “This hearing will give our members a chance to shine a light on the role of data brokers and educate Americans on unchecked collection of their sensitive personal information. It will also highlight the further need for a strong national data privacy standard.”

Also this month: CISA (the Cybersecurity and Infrastructure Security Agency) published a “Secure by Design, Secure by Default” set of recommendations for software developers to improve base-level privacy and security standards, following the Biden administration’s recently released National Cybersecurity Strategy.

      While the standards have no regulatory force, they represent, according to the Washington Post, “a potentially contentious multiyear effort that aims to shift the way software makers secure their products.”

      Our Take

      The recent congressional data breach might motivate a few members to take consumer data privacy regulation more seriously. Still, we have low expectations for new developments in Federal data broker oversight or hardening enforcement around cybersecurity standards. 


      The Growth of Automated Social Engineering via Telegram 

Kaspersky reports that hackers increasingly provide ‘how-to guides’ and software toolkits to automate the data collection and targeting processes of social engineering attacks, and they’re doing so via automated bots on platforms like Telegram. A report from Cofense noted in January that the use of Telegram bots for credential phishing grew 800% in 2022 over 2021.

      Our Take

      While phishing toolkits are nothing new, the use of relatively low-tech, mainstream platforms like Telegram indicates the growing maturity of the industry and the relative ease with which aspiring hackers can begin launching attacks at scale.


      Interesting Reading from the IAPP [B2C Companies, Take Note!]

      The International Association of Privacy Professionals just held its Global Privacy Summit in Washington DC and in case you didn’t attend, here is a good summary of takeaways from the event.

      Also, their Privacy and Consumer Trust Infographic provides some insights from their recent global consumer survey which highlights, among other interesting facts, that cybersecurity incidents do impact which companies consumers are willing to buy goods/services from.

      Open Data, Hidden Risk: Employee Data & Cyber Threats + Prevention Tips https://joindeleteme.com/business/blog/open-data-hidden-risk-breach-prevention-tips/ Tue, 18 Apr 2023 15:17:30 +0000 https://joindeleteme.com/blog/?p=7875


      Firewalls, sandboxing, email filtering, you name it. Your organization can have the best security controls in place and still get hacked. How? Via your employees, specifically through malicious use of their personal information. 

      Cybercriminals don’t need access to the dark web or advanced tools to infiltrate corporate systems. A lot of the time, a well-crafted spear phishing email will do the trick. And when it doesn’t, there are plenty of other ways to exploit an attack vector that is extremely difficult to secure: humans. 

      Worst of all, the data that cybercriminals need to exploit employees isn’t hard to find. In fact, it’s publicly accessible on the open web. All a threat actor needs to do is perform open-source intelligence (OSINT). 

      Here are some OSINT sources threat actors use and examples of how they use them. We also show real-world examples of OSINT actions and the steps you can take for breach prevention.

      Publicly Available Data Sources

      The first thing to understand is where attackers get the employee information they need for OSINT.

      There’s no shortage of OSINT sources threat actors can use to find all the data they need to manipulate employees and gain access to your systems. 

To quote the ethical hacker Rachel Tobac, with whom DeleteMe’s CEO Rob Shavell spoke in a recent webinar, “I’m able to find new things almost every day for people that are asking me to do this OSINT, this open-source intelligence on them. And people will often think, ‘Oh, is this like dark web stuff we’re talking about?’ No. It’s just the clearnet, regular internet that you and I are all using.”

      Watch the full webinar, where Rachel and Rob discuss the role of personal data in social engineering attacks. Or, read our blog post summarizing some of the key points from the webinar.

      Here are some of the most common OSINT sources: 

      • Employer websites. Company websites are a great source of executive personal information, including corporate email addresses and professional social media pages. 
[Image: executive management page listing names, titles and contact details]
      • Social media sites. Whether personal or professional, social networking accounts can provide threat actors with a ton of data, including education, work history, professional connections, interests and hobbies, upcoming trips, and family and friend information. 
      • Public records. Public record data can include marriage licenses, voter registrations, bankruptcy records, arrest records, and more. 
      • Crowdfunding platforms. Platforms like GoFundMe can give criminals an indication of causes an employee is interested in and can appear on search engine results pages for an employee’s name.
      • Forums. Depending on how privacy-focused they are, employees may inadvertently expose their identities when participating in forums like Reddit or Quora. 
      • Public gift wish lists. Public wish lists on sites like Amazon, Crate and Barrel, Etsy, and others can make it easier for threat actors to figure out what brands to impersonate to get employees to click on malicious links or share sensitive details.
      • B2B data brokers. B2B data brokers gather information from a variety of sources, compiling a person’s professional information in one place. These data brokers can also include org charts, affiliations and memberships, and employee quotes from press releases. 

• People search sites. Whereas B2B data brokers focus on professional data, people search sites include more personal information, like details on a person’s family, address history, and links to personal social media accounts.
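As an added example (not from the original post), the script below shows how little effort the first source on this list demands. It parses a constructed “Leadership” page for a fictitious company, picks up the one address the company published, infers the corporate email format from it, and fills in addresses for the executives who listed none. Turned around, it is a useful audit: run the same logic against your own leadership page to see exactly what an attacker can harvest in seconds. The names, the example-corp.test domain and the HTML structure are all made up for the example.

```python
"""Harvest a target list from a public leadership page.

Added example for this article, not code from the original post. The HTML,
names and the example-corp.test domain are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed leadership page. One executive publishes an address; the
# others list only a name and title, which is the common case.
LEADERSHIP_HTML = """
<div class="exec"><h3>Alice Morgan</h3><p class="title">Chief Executive Officer</p>
  <a href="mailto:Alice.Morgan@example-corp.test">Email</a></div>
<div class="exec"><h3>Bob Ramirez</h3><p class="title">Chief Financial Officer</p></div>
<div class="exec"><h3>Chen Wei</h3><p class="title">VP, Accounts Payable</p></div>
"""

# Corporate address formats seen in the wild, keyed by a short label.
PATTERNS = {
    "first.last": lambda first, last: f"{first}.{last}",
    "flast": lambda first, last: f"{first[0]}{last}",
    "firstl": lambda first, last: f"{first}{last[0]}",
    "first": lambda first, last: first,
}


class _ExecParser(HTMLParser):
    """Collect name, title and any mailto: address per <div class="exec">."""

    def __init__(self):
        super().__init__()
        self.people = []
        self._in_name = False
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "div" and attrs.get("class") == "exec":
            self.people.append({"name": "", "title": "", "email": None})
        elif tag == "h3":
            self._in_name = True
        elif tag == "p" and attrs.get("class") == "title":
            self._in_title = True
        elif tag == "a" and self.people:
            href = attrs.get("href") or ""
            if href.startswith("mailto:"):
                self.people[-1]["email"] = href[len("mailto:"):].lower()

    def handle_endtag(self, tag):
        if tag == "h3":
            self._in_name = False
        elif tag == "p":
            self._in_title = False

    def handle_data(self, data):
        if not self.people:
            return
        if self._in_name:
            self.people[-1]["name"] += data.strip()
        elif self._in_title:
            self.people[-1]["title"] += data.strip()


def extract_people(html):
    """Parse the page into a list of {name, title, email} dicts."""
    parser = _ExecParser()
    parser.feed(html)
    return parser.people


def _name_parts(person):
    parts = person["name"].lower().split()
    return parts[0], parts[-1]


def infer_email_pattern(people):
    """Match any published address against PATTERNS; return (label, domain) or (None, None)."""
    for person in people:
        if not person["email"]:
            continue
        local, domain = person["email"].split("@", 1)
        first, last = _name_parts(person)
        for label, fmt in PATTERNS.items():
            if fmt(first, last) == local:
                return label, domain
    return None, None


def build_target_list(html):
    """Return every executive with a published or inferred address, tagged by source."""
    people = extract_people(html)
    label, domain = infer_email_pattern(people)
    for person in people:
        if person["email"]:
            person["source"] = "published"
        elif label:
            first, last = _name_parts(person)
            person["email"] = f"{PATTERNS[label](first, last)}@{domain}"
            person["source"] = "inferred"
        else:
            person["source"] = "unknown"
    return people


if __name__ == "__main__":
    for target in build_target_list(LEADERSHIP_HTML):
        print(f"{target['name']:<14} {target['title']:<26} {target['email']} ({target['source']})")
```

One published address is enough to reveal the format for the whole company, which is why the inferred entries are the interesting ones: a CFO and an accounts-payable lead with no public contact details still end up on a whaling target list. Publishing a single role-based address (press@, careers@) instead of personal ones removes that foothold.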

      How Threat Actors Use Publicly Available Employee Data + Real-World Examples

      Below are some of the ways cybercriminals use publicly available data sources to compromise corporate systems.

      Social Engineering 

      Social engineering is one of cybercriminals’ favorite tactics for conning employees into taking fraudulent actions like downloading malware, sharing sensitive information, and authorizing wire transfers.

      Below are some of the more popular social engineering techniques. 

      Phishing emails

      Mass phishing emails haven’t gone away. Threat actors still use large email lists to mass phish individuals and employees across numerous organizations and sectors. 

      Both personal and professional emails are valuable. For example, because many people reuse passwords, an employee who clicks on a phishing scam in their personal inbox and shares login details for a personal account may inadvertently expose their corporate credentials. 

      Information needed: Employee email addresses (personal or professional).

      OSINT available: Employer websites, B2B data brokers, and people search sites. 

      It’s easy to get employee email lists from data brokers.

      Real-world example:

      Last year, a phishing scam that looked like it came from Amazon harvested individuals’ and companies’ credit card details and phone numbers.

      Spear phishing emails

      Spear phishing attacks are more targeted than your typical phishing scam. Threat actors need specific email addresses, names, job titles, and other personal information to spear phish someone.

      Learn more: How cybercriminals use data brokers for executive phishing

      Threat actors will use someone’s personal and professional email addresses for this purpose. Some cybercriminal groups even favor personal accounts as a way to circumvent security controls on corporate networks.

      Information needed: Employee email addresses (personal or professional), plus other personal information, like their hobbies, affiliations, family members, etc.

      OSINT available: Employer websites, social media sites like LinkedIn, Facebook, and Pinterest, crowdfunding platforms, forums, public gift wish lists, B2B data brokers, and people search sites.

      Many business data brokers provide both professional and personal emails.

      Real-world examples: 

      • In 2022, Chinese hackers targeted the personal Gmail accounts of government employees rather than their professional email addresses. 
      • A Belgian MP’s personal email was targeted with a spear phishing attack from a non-existent news organization saying they could provide information on human rights abuses in China. This was following his public resolution to spread the word of alleged government abuses in China. 
      • Earlier this year, scammers went after Microsoft Office 365 email accounts with a DocuSign scam.  

      Whaling

      Whaling attacks are spear-phishing campaigns that target high-ranking employees. The closely related “CEO fraud,” a form of business email compromise (BEC), turns this around and impersonates those executives to manipulate staff who can move data or money, such as the finance team. Members of the C-suite and the people who act on their instructions are attractive targets for both. 

      One of the more important pieces of information threat actors look for when preparing for a whaling attack is a company’s org chart, which can be found on business data broker sites. 

      Information needed: Executive email addresses (personal or professional), the company’s org chart, plus other personal information, like the executive’s hobbies, affiliations, family members, etc. 

      OSINT available: Employer websites, social media sites like LinkedIn, Facebook, and Pinterest, crowdfunding platforms, forums, public gift wish lists, B2B data brokers, and people search sites. 

      B2B data brokers let you refine searches by filters like department, seniority, and job title, making it easy to find “big whales” to phish.

      Real-world example: 

      Several years back, cybercriminals scammed an agriculture company out of $17 million after sending its controller targeted emails that impersonated the company’s CEO. 

      What made these emails particularly believable was that they referenced the target company’s accounting firm and asked the controller to contact it for wire instructions. The criminals even included a (fake) phone number for an actual employee within the accounting firm and had someone impersonate them. 
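      The telltale signs of this kind of CEO fraud are mechanical enough to check at the mail gateway before the controller ever reads the message. The following is an added example, not code from the page or from the company in the story; the internal domain, executive roster and both sample messages are constructed for illustration. It flags three indicators: a known executive’s display name on a mailbox that is not theirs, a sender domain within a couple of edits of the real one, and a Reply-To that quietly redirects the conversation elsewhere.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed internal domain and executive roster (constructed for this example,
# not taken from the incident described above).
INTERNAL_DOMAIN = "example-agri.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-agri.com",    # CEO
    "raj patel": "raj.patel@example-agri.com",  # CFO
}

# Constructed sample messages: one CEO-fraud attempt, one genuine internal mail.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e-agri.com>
Reply-To: ceo.office@gmail.com
To: controller@example-agri.com
Subject: Urgent wire - contact our accounting firm for instructions

Please reach out to the firm today; I am travelling and hard to reach.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-agri.com>
To: controller@example-agri.com
Subject: Q3 numbers

Thanks for the update.
"""


def _normalize_name(name):
    return " ".join(name.lower().replace(",", " ").split())


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    # Levenshtein distance; a small distance to the real domain marks a lookalike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return the list of CEO-fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    findings = []

    # 1. Display name of a known executive, but not that executive's mailbox.
    exec_addr = EXECUTIVES.get(_normalize_name(from_name))
    if exec_addr and from_addr != exec_addr:
        findings.append("display-name impersonation of executive")

    # 2. Sender domain is a near-miss of the internal domain (digit 1 for letter l, rn for m, ...).
    if from_dom != INTERNAL_DOMAIN and _edit_distance(from_dom, INTERNAL_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies are redirected to a domain other than the one the mail claims to come from.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to domain differs from sender")

    return findings


if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, bec_indicators(sample))
```

      None of these checks is proof of fraud on its own (executives do mail from personal accounts), which is why the function returns every indicator it finds rather than a verdict; a gateway rule can then quarantine on two or more, or tag the message with a visible banner so the controller is prompted to phone the executive on a known number.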

      Smishing

      SMS phishing, aka “smishing,” attacks happen through mobile phones and, more specifically, via text messages. They are often used to capture the one-time codes sent by 2FA systems that rely on text messages, defeating that second factor.

      Information needed: Employee phone numbers. 

      OSINT available: Employer websites, social media, B2B data brokers, and people search sites. 

      Business data brokers provide phone numbers. 

      Real-world examples: 

      • The Uber hack of 2022 was carried out by an 18-year-old who gained access to Uber’s systems by texting an Uber worker while claiming to be a corporate IT person and convincing them to hand over a password. 
      • Last year, Cloudflare employees received phishing texts on their work and personal phones. Employee family members were also targeted. 
      • The Cloudflare scam was part of a larger campaign known as “0ktapus” that affected more than 100 organizations and involved MFA bypass attacks where attackers tricked victims into sharing credentials and MFA codes via a fraudulent Okta authentication page. Analysis of the attack revealed that the threat group first made curated lists of employers, employees, and phone numbers.

      Vishing

      Like smishing, vishing happens over the phone. Instead of sending fraudulent texts, however, the attacker calls employees or leaves voicemails. 

      Information needed: Employee phone numbers. 

      OSINT available: Employer websites, social media, B2B data brokers, and people search sites. 

      Real-world example: 

      The Twitter hack from a few years ago, which resulted in criminals taking over celebrity accounts, is widely attributed to vishing. It is believed that threat actors found Twitter staff phone numbers and convinced them to share their usernames and passwords. 

      Insider threats 

      Insider threats come from individuals with legitimate access to an organization, including employees, contractors, partners, and third-party vendors. Insiders can misuse that access, whether maliciously or accidentally, and create security risks. 

      Information needed: Employee email addresses, phone numbers, social media handles, and other personal information. 

      OSINT available: Employer websites, social media, B2B data brokers, and people search sites. 

      Real-world examples: 

      • Ransomware groups have been known to email employees directly, asking them to help facilitate attacks and promising a portion of any ransom paid by the employer. 
      • Some cybercriminal groups offer to pay employees/business partners/suppliers at target companies for access to login details or for MFA approval. 
      • In one instance, a threat actor connected with an employee on LinkedIn and, under the pretext of a job offer, conned them into sharing confidential documents and clicking on a malware-infected link.  

      Credential stuffing 

      Credential stuffing in its classic form replays username and password pairs leaked in one breach against other services, betting that the victim reused them; its cruder cousin is brute forcing a login until something eventually works. Not all credential-guessing attacks are “dumb,” though. 

      Learn more: 3 ways data brokers enable corporate account takeover

      Threat actors increasingly use people’s personal information to narrow down lists of likely passwords and break into accounts. Despite years of repeated warnings against passwords like date of birth or pet’s name, research shows that people continue using password components based on personal information. 

      Information needed: Employee email addresses (personal or professional) and other personal information that might be used as part of a password, like their date of birth, partner’s name, street name, etc. 

      OSINT available: Employer websites, social media, public records, B2B data brokers, and people search sites. 

      People search sites can provide personal information that people use as passwords.

      Real-world example:

      1 in 4 business leaders has a birthday as part of their password.
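      The same profile fragments that let an attacker seed a targeted wordlist can be used defensively, at password-change time, to reject the passwords that wordlist would hit. The following is an added example, not code from the page: the profile is constructed, the set of date formats and suffixes is an assumption about common habits, and the leet substitution table is deliberately small. It builds the attacker’s candidate list from a handful of people-search attributes and then shows the matching check a password policy can run, undoing the usual letter-for-symbol substitutions so that “B1$cu1t” is caught as “biscuit.”

```python
from datetime import date

# Forward substitutions attackers apply; the reverse map lets the policy check
# see through them ("B1$cu1t" compares equal to "biscuit").
_LEET_FWD = str.maketrans("aeios", "@310$")
_LEET_REV = str.maketrans("@310$", "aeios")

# Constructed profile of the kind a people-search site or social media yields
# (assumed for this example, not taken from any real person).
PROFILE = {
    "first_name": "Alex",
    "last_name": "Rivera",
    "partner": "Sam",
    "pet": "Biscuit",
    "street": "Maple",
    "employer": "Acme",
    "dob": date(1984, 7, 19),
}


def personal_tokens(profile):
    """Password-sized fragments harvestable from a profile (lowercase, len >= 3)."""
    tokens = set()
    for key in ("first_name", "last_name", "partner", "pet", "street", "employer"):
        value = profile.get(key)
        if value:
            tokens.add(value.lower())
    dob = profile.get("dob")
    if dob:
        # Year alone, day/month both ways round, and full dates with and without century.
        for fmt in ("%Y", "%d%m", "%m%d", "%d%m%y", "%d%m%Y", "%m%d%Y"):
            tokens.add(dob.strftime(fmt))
    return {t for t in tokens if len(t) >= 3}


def candidate_passwords(profile, suffixes=("", "!", "1", "123")):
    """Targeted wordlist: each word form combined with a suffix or a date token,
    the way an attacker seeds a credential-guessing run instead of using a generic list."""
    tokens = personal_tokens(profile)
    dates = {t for t in tokens if t.isdigit()}
    words = tokens - dates
    candidates = set()
    for w in words:
        forms = {w, w.capitalize(), w.translate(_LEET_FWD), w.capitalize().translate(_LEET_FWD)}
        for form in forms:
            candidates.update(form + s for s in suffixes)
            candidates.update(form + d for d in dates)
    return candidates


def personal_info_in_password(password, profile):
    """Defensive check for a password-change flow: returns the profile fragments
    that appear in the proposed password, with common leet substitutions undone."""
    views = {password.lower(), password.lower().translate(_LEET_REV)}
    return sorted(t for t in personal_tokens(profile) if any(t in v for v in views))


if __name__ == "__main__":
    print(len(candidate_passwords(PROFILE)), "candidates, e.g.", sorted(candidate_passwords(PROFILE))[:5])
    print(personal_info_in_password("B1scu1t!1984", PROFILE))
    print(personal_info_in_password("correct-horse-battery", PROFILE))
```

      A few hundred candidates per person is all this produces, which is exactly the point: against an account lockout threshold of, say, ten attempts, a generic list is noise, while a list like this one has a real chance of landing inside the budget. The policy check is cheap to run on every password change and tells the user which fragment gave them away, so the feedback is concrete rather than a generic “too weak.”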

      Impersonation

      Impersonation scams typically involve criminals calling help desk support while pretending to be an employee and asking for that employee’s account credentials to be reset. 

      Information needed: Employee email addresses and other personal information that might be used as answers to recovery prompts. 

      OSINT available: Employer websites, social media, public records, data brokers, and people search sites.

      People search sites provide personal information that people often use in answers to security questions.

      Real-world example: 

      Threat groups like LAPSUS$ are known to call a target company’s help desk and try to persuade staff to reset a privileged account’s credentials. The caller typically passes identity checks by answering recovery prompts such as “mother’s maiden name” or “first street you lived on.” 

      Counter OSINT: Steps Organizations Can Take to Mitigate Human Vulnerabilities for Breach Prevention

      Employee information on the open web is putting companies at a real risk of data breaches. 

      Removing this data will not necessarily prevent organizations from getting hacked, but it will strengthen their overall security posture. 

      To improve employee privacy and corporate security, organizations should:

      • Audit their company site for employee personal information and, where possible, remove it. 
      • Educate employees about the risks of oversharing on the internet. 
      • Offer employees data broker removal services that opt them out of some of the most popular data broker sources. 
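      The first of those steps, auditing your own site, is easy to automate and worth repeating whenever the team page changes. The following is an added example, not code from the page or from any vendor: the team page it scans is constructed, and the phone pattern is tuned to North American numbers and would need adjusting for other regions. It collects both visible text and link targets, because “mailto:” and “tel:” links expose an address or number even when the page never prints it.

```python
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# North American style numbers with optional +1, tolerant of punctuation; assumption for this example.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

# Constructed team page, assumed for this example (not a real company site).
SAMPLE_HTML = """<html><body>
<h2>Finance team</h2>
<ul>
  <li>Jane Doe, Controller &ndash; <a href="mailto:jane.doe@example-agri.com?subject=Hi">email</a>, direct line 555-010-2345</li>
  <li>Bob Lee, AP clerk &ndash; bob.lee@example-agri.com</li>
  <li><a href="tel:+1-555-010-2346">Call Bob</a></li>
</ul>
<p>Reception: (555) 010-2300</p>
</body></html>"""


class _Collector(HTMLParser):
    """Gather visible text and every href so mailto:/tel: links are not missed."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                self.hrefs.append(value)

    def handle_data(self, data):
        self.text.append(data)


def audit_page(html_doc):
    """Return the e-mail addresses and phone numbers exposed on one HTML page."""
    collector = _Collector()
    collector.feed(html_doc)
    text = " ".join(collector.text)
    emails = set(EMAIL_RE.findall(text))
    phones = {m.group(0).strip() for m in PHONE_RE.finditer(text)}
    for href in collector.hrefs:
        scheme, _, rest = href.partition(":")
        if scheme.lower() == "mailto":
            emails.add(rest.split("?", 1)[0])   # drop ?subject=... and similar
        elif scheme.lower() == "tel":
            phones.add(rest)
    return {"emails": sorted(emails), "phones": sorted(phones)}


if __name__ == "__main__":
    findings = audit_page(SAMPLE_HTML)
    for kind in ("emails", "phones"):
        for item in findings[kind]:
            print(f"{kind[:-1]}: {item}")
```

      Run it over the HTML of each public page (a crawler or a saved copy is enough) and treat every personal mailbox and direct line it reports as a candidate for replacement with a role address or a switchboard number. A shared reception number and a generic contact form give a caller far less to work with than a controller’s name, title and direct line on one page.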

      The easier it is to access company and employee data on the internet, the higher the chances that bad actors will target them with malicious campaigns. The opposite is also true. If getting company and employee data is difficult and time-intensive, threat actors will likely move on to a different target, one that is more exposed. In short, an ounce of breach prevention is worth a pound of cure!
