An organization’s employees are one of the biggest risks to its cybersecurity. In fact, human error is considered the leading cause of data breaches.
However, an organization’s employees can also be a huge asset for an organization’s cybersecurity. If employees are provided with the knowledge they require to identify cyber threats — through an effective and engaging security awareness training — they can act as another line of defense for an organization.
When designing a security awareness training program, it’s important to ensure that it covers the cyber threats that an organization is most likely to face. This article outlines the ten most important security awareness topics to be included in a security awareness program.
1. Email scams
Phishing attacks are the most common method that cybercriminals use to gain access to an organization’s network. They take advantage of human nature to trick their target into falling for the scam by offering some incentive (free stuff, a business opportunity and so on) or creating a sense of urgency.
Phishing awareness should be a component of any organization’s security training program. This should include examples of common and relevant phishing emails and tips for identifying attempted attacks, including:
- Do not trust unsolicited emails
- Do not send any funds to people who request them by email, especially not before checking with leadership
- Always filter spam
- Configure your email client properly
- Install antivirus and firewall programs and keep them up to date
- Do not click on unknown links in email messages
- Beware of email attachments. Verify any unsolicited attachments with the alleged sender (via phone or other medium) before opening them
- Remember that phishing attacks can occur over any medium (including email, SMS, enterprise collaboration platforms and so on)
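The tips above (urgency, unknown links, unsolicited attachments) can be turned into a simple triage check that a help desk or mail gateway runs before a user is asked to decide. The following is an added example, not code from the original article; the sample message, its sender and all domains in it are constructed placeholders, and the phrase and extension lists are illustrative starting points rather than a complete ruleset.

```python
"""Flag common phishing indicators in a raw email message.

Added example; the sample message below is constructed and every domain in it
is a placeholder.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: urgent tone, a link whose visible text does not match
# its real destination, and an attachment with an executable double extension.
SAMPLE_EMAIL = b"""\
From: "Accounts Payable" <ap@invoice-portal.example>
To: employee@corp.example
Subject: URGENT: wire transfer required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Please approve immediately or the account will be suspended.
<a href="http://login.evil.example/auth">https://portal.corp.example/login</a></p></body></html>

--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==

--BOUNDARY--
"""

# Illustrative lists (assumptions, not from the article).
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk", ".iso")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from HTML anchors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable indicators found in the message (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Urgency language in subject or body.
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (subject + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 2. Links whose visible URL differs from the real destination, or use plain HTTP.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, visible in collector.links:
            if visible.startswith(("http://", "https://")) and _host(visible) != _host(href):
                findings.append(f"link text {visible} hides destination {href}")
            if href.startswith("http://"):
                findings.append(f"link uses plain HTTP: {href}")

    # 3. Attachments that are executable or carry a double extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
        elif name.count(".") > 1:
            findings.append(f"double extension attachment: {name}")

    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

None of these checks proves a message is malicious; together they tell the recipient which messages deserve the out-of-band verification with the sender that the list recommends.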
2. Malware
Malware is malicious software that cybercriminals use to steal sensitive data (user credentials, financial information and so on) or cause damage to an organization’s systems (e.g., ransomware and wiper malware). It can be delivered to an organization in a number of different ways, including phishing emails, drive-by downloads and malicious removable media.
Employee security awareness training on malware should cover common delivery methods, threats and impacts to the organization. Important tips include:
- Be suspicious of files in emails, websites and other places
- Don’t install unauthorized software
- Keep antivirus running and up to date
- Contact IT/security team if you may have a malware infection
3. Password security
Passwords are the most common and easiest-to-use authentication system in existence. Most employees have dozens of online accounts that are accessed by providing a username (often their email address) and a password.
Poor password security is one of the biggest threats to modern enterprise security. Some important password security tips to include in training content:
- Always use a unique password for each online account
- Passwords should be randomly generated
- Passwords should contain a mix of letters, numbers and symbols
- Use a password manager to generate and store strong passwords for each account
- Use multi-factor authentication (MFA) when available to reduce the impact of a compromised password
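The "randomly generated" and "mix of letters, numbers and symbols" tips are what a password manager does for the user. The following is an added example, not code from the original article, showing the same idea in a few lines: draw characters from the operating system's CSPRNG, reject candidates that miss a character class, and estimate the resulting entropy so a reviewer can compare it with a human-chosen password. The character classes and default length are assumptions chosen for illustration.

```python
"""Generate and vet passwords using the OS cryptographic random source.

Added example, not code from the original article.
"""
import math
import secrets
import string

# Assumed character classes: lower, upper, digits, symbols (94 characters total).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def has_all_classes(password: str) -> bool:
    """True if at least one character from every class is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Return a random password that contains every character class.

    secrets.choice draws from the OS CSPRNG rather than a seeded PRNG.
    Rejection sampling (loop until the class check passes) keeps the result
    uniform over all passwords that satisfy the policy instead of forcing
    fixed positions for each class.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(password: str) -> float:
    """Estimated entropy assuming each character was drawn uniformly from the
    union of the classes present. Meaningful for generated passwords only;
    a human-chosen word scores far lower than this estimate suggests."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def is_reused(password: str, existing: set) -> bool:
    """The 'unique password per account' rule: reject anything already stored."""
    return password in existing


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(pw):.1f} bits")
```

A 20-character password over 94 symbols is roughly 131 bits of entropy; the same estimate for an eight-letter lowercase word is under 38 bits, which is why the list insists on generated rather than memorable passwords.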
4. Removable media
Removable media (such as USBs, CDs and so on) are a useful tool for cybercriminals since they enable malware to bypass an organization’s network-based security defenses. Malware can be installed on the media and configured to execute automatically with Autorun or have an enticing filename to trick employees into clicking. Malicious removable media can steal data, install ransomware or even destroy the computer they’re inserted into.
Malicious removable media can be distributed by being dropped in parking lots and common areas or being handed out at conferences and other public events. Employees should be trained to properly manage untrusted removable media:
- Never plug untrusted removable media into a computer
- Bring all untrusted removable media to IT/security for scanning
- Disable autorun on all computers
5. Safe internet habits
Almost every worker, especially in tech, has access to the internet. For this reason, the secure usage of the internet is of paramount importance for companies.
Security training programs should incorporate safe internet habits that prevent attackers from penetrating your corporate network. Some important content to include in training:
- The ability to recognize suspicious and spoofed domains (like yahooo.com instead of yahoo.com)
- The differences between HTTP and HTTPS and how to identify an insecure connection
- The dangers of downloading untrusted or suspicious software off the internet
- The risks of entering credentials or login information into untrusted or risky websites (including spoofed and phishing pages)
- Watering hole attacks, drive-by downloads and other threats of browsing suspicious sites
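The spoofed-domain and HTTPS tips above lend themselves to an automated check, for example in a browser-extension or proxy rule that warns before a login page loads. The following is an added example, not code from the original article; the trusted-domain list, the homoglyph table and the sample URLs are constructed for illustration, and the two-label "registrable domain" shortcut stands in for a Public Suffix List lookup that real code would use.

```python
"""Warn about insecure or lookalike URLs before a user enters credentials.

Added example, not code from the original article. TRUSTED_DOMAINS is a
constructed allowlist; the homoglyph table is illustrative.
"""
from urllib.parse import urlparse

# Constructed allowlist of domains the organization actually uses.
TRUSTED_DOMAINS = {"yahoo.com", "corp.example", "payroll.corp.example"}

# Characters commonly substituted for visually similar ones (assumed table).
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion catches yahooo.com vs yahoo.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (shortcut; real code uses the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def normalize(domain: str) -> str:
    """Fold homoglyphs so c0rp.example compares equal to corp.example."""
    return domain.translate(HOMOGLYPHS).replace("rn", "m")


TRUSTED_BASES = sorted({registrable_domain(d) for d in TRUSTED_DOMAINS})


def check_url(url: str) -> list:
    """Return warnings for the URL; an empty list means nothing was flagged."""
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        findings.append("insecure connection: not HTTPS")
    if not host:
        findings.append("no hostname")
        return findings
    # Exact trusted host, or a subdomain of one: nothing more to flag.
    if host in TRUSTED_DOMAINS or any(host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return findings
    base = registrable_domain(host)
    for trusted in TRUSTED_BASES:
        if normalize(base) == normalize(trusted) or levenshtein(base, trusted) <= 1:
            findings.append(f"lookalike of trusted domain {trusted}: {host}")
        elif trusted in host:
            # e.g. login.yahoo.com.evil.example: the trusted name is only a prefix.
            findings.append(f"trusted name {trusted} embedded in untrusted host {host}")
    return findings


if __name__ == "__main__":
    for sample in ("https://yahoo.com/mail", "http://yahoo.com/", "https://yahooo.com/login",
                   "https://c0rp.example/", "https://login.yahoo.com.evil.example/"):
        print(sample, "->", check_url(sample) or "ok")
```

The allowlist approach matters more than the distance threshold: the check only fires for hosts close to names the organization actually uses, so it stays quiet on the unrelated sites employees visit all day.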
6. Social networking dangers
Enterprises use social networking as a powerful tool to build a brand (either locally or globally) and generate online sales. Unfortunately, cybercriminals also use social media for attacks that put an organization’s systems and reputation at risk.
To prevent the loss of critical data, the enterprise must have a viable social networking training program that limits the use of social networking and informs employees of the threats of social media:
- Phishing attacks can occur on social media as well as over email
- Cybercriminals impersonating trusted brands can steal data or push malware
- Information published on social media can be used to craft spearphishing emails
7. Physical security and environmental controls
Security awareness isn’t just about what resides in your company’s computers or handheld devices. Employees should be aware of potential security risks in physical aspects of the workplace, such as:
- Visitors or new hires watching as employees type in passwords (known as “shoulder surfing”)
- Letting in visitors claiming to be inspectors, exterminators or other uncommon guests who might be looking to get into the system (called “impersonation”)
- Allowing someone to follow you through a door into a restricted area (called “tailgating”)
- Leaving passwords on pieces of paper on one’s desk
- Leaving one’s computer on and not password-protected when leaving work for the night
- Leaving an office-issued phone or device out in plain sight
- Physical security controls (doors, locks and so on) malfunctioning
8. Clean desk policy
Sensitive information on a desk such as sticky notes, papers and printouts can easily be taken by thieving hands and seen by prying eyes. A clean desk policy should state that information visible on a desk should be limited to what is currently necessary. Before leaving the workspace for any reason, all sensitive and confidential information should be securely stored.
9. Data management and privacy
Most organizations collect, store and process a great deal of sensitive information. This includes customer data, employee records, business strategies and other data important to the proper operation of the business. If any of this data is publicly exposed or accessible to a competitor or cybercriminal, then the organization may face significant regulatory penalties, damage to consumer relationships and a loss of competitive advantage.
Employees within an organization need to be trained on how to properly manage the business’s sensitive data to protect data security and customer privacy. Important training content includes:
- The business’s data classification strategy and how to identify and protect data at each level
- Regulatory requirements that could impact an employee’s day-to-day operations
- Approved storage locations for sensitive data on the enterprise network
- Use a strong password and MFA for accounts with access to sensitive data
10. Bring-your-own-device (BYOD) policy
BYOD policies enable employees to use their personal devices in the workplace. While this can improve efficiency — by enabling employees to use the devices that they are most comfortable with — it also creates potential security risks.
BYOD policies and employee security awareness training should include the following tips:
- All devices used in the workplace should be secured with a strong password to protect against theft
- Enable full-disk encryption for BYOD devices
- Use a VPN on devices when working from untrusted Wi-Fi
- BYOD-approved devices should be running a company-approved antivirus
- Only download applications from major app stores or directly from the manufacturer’s website
Employees play a crucial role in running a successful business. An untrained and negligent workforce can put your enterprise in danger of multiple data breaches. Therefore, organizations must adopt a viable security training program that should encompass the essential guidelines needed to thwart imminent cyber-incidents.
Your organization should also set monthly training meetings, provide frequent reminders, train all new personnel on new policies as they arrive, make training material available and implement creative incentives to reward employees for being proactive in ensuring the security of the organization.