A fact that many businesses and organizations have difficulty accepting is that their employees are one of the biggest risks to their overall security posture. Human error is still considered the leading cause of data breaches and compromises.
With proper Security Awareness Training, however, and the fundamental knowledge needed to identify threats, your employees can act as another line of defense altogether, and even become one of your greatest assets. When designing, developing and implementing a Security Awareness Training program, make sure you take into account the cyber threats your organization is most likely to face, and address those directly with your employees.
The goal of this post is to discuss some of the more common Security Awareness Training program topics.
Phishing
I’m sure many of you reading this have received a call about your car’s extended warranty, or a call claiming to be from the IRS or the Social Security Administration. Phishing, whether by email, text message (smishing) or phone call (vishing), is still one of the most common methods cyber criminals use to gain access to an organization’s network and resources. These threat actors play on fear, emotion or empathy to exploit human nature: our inherent tendency to trust others, and an ingrained need to help those in need. They create a sense of urgency or fear, or offer an incentive such as free stuff, “a stay in the Hamptons” or “a free cruise”. Training should teach employees to check the sender’s real address and where a link actually points before acting, and to verify any unexpected request through a known, independent channel rather than the phone number or link supplied in the message itself.
Password Security
Passwords are still the primary authentication mechanism used by organizations, and poor password hygiene is one of the biggest threats to enterprise security. Most of your employees have a dozen or more accounts that require a username (typically their email address) and a password. The following tips are important to include in training content.
- Passwords should be randomly generated, not chosen by hand
- Always use a different, unique password for each account, so that one breached site does not expose the others
- Passwords should be long; a mix of letters, numbers and symbols helps, but added length strengthens a password far more than composition rules do
- Use a password manager to generate and store passwords, so managing all of these accounts is practical
- Wherever possible, enable Two-Factor or Multi-Factor Authentication so that a compromised password alone is not enough to log in
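The first and third tips above, worked through in code as an added example that is not part of the original post. It contrasts a generator built on Python’s `secrets` module (the operating system’s CSPRNG) with a seeded `random.Random` generator, which is reproducible by anyone who can guess the seed, and it puts a number on why length matters more than character variety. The policy thresholds (16 characters minimum, one character from each class) are assumptions chosen for the example, not a standard the post cites.

```python
import math
import random
import secrets
import string

# Character classes the training tips ask for; the full alphabet is their union.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters, excluding space


def meets_policy(password, min_length=16):
    """True if the password is long enough and draws from every character class.
    The 16-character minimum is an assumed policy value for this example."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length=20):
    """Generate a password with `secrets` (the OS CSPRNG).

    Rejection sampling keeps every position uniformly random while still
    guaranteeing each class appears; forcing fixed "one of each" slots and
    shuffling would skew the distribution slightly.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of this length.

    Only meaningful for generator output: a human-chosen string with the same
    length and character mix is far weaker than this number suggests. Rejection
    sampling in generate_password removes a negligible fraction of candidates,
    so this is a very slight overestimate for its output.
    """
    return length * math.log2(alphabet_size)


def insecure_generate(seed, length=20):
    """DO NOT USE. Mersenne Twister seeded with a guessable value (for example a
    timestamp) is fully reproducible: anyone who can guess the seed regenerates
    the identical "random" password. Included only to show the contrast."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw), round(entropy_bits(20), 1))  # 20 chars from 94 symbols: about 131 bits
    print(round(entropy_bits(8), 1))  # 8 chars with every class present is still only about 52 bits
    # The attacker's view of a time-seeded PRNG: same seed, same password.
    print(insecure_generate(1_700_000_000) == insecure_generate(1_700_000_000))
```

The takeaway for training content is the second print: an eight-character password that satisfies every composition rule is weaker than a twelve-character lowercase passphrase, which is why the tips emphasize length, a generator and a password manager over memorable patterns.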
Safe Internet Habits
Almost every employee in the workplace, especially in tech, has access to the internet. Security Awareness Training programs should incorporate safe internet habits in and outside of the workplace to further protect the network and your employees from threat actors.
- How to spot and recognize spoofed or look-alike domain names: a swapped or doubled letter, a digit in place of a letter, or a trusted brand name used as a subdomain of an attacker’s domain
- What the difference between HTTP and HTTPS is and why it matters: HTTPS encrypts traffic and authenticates the site’s domain name, but a padlock does not mean the site is honest, since phishing sites use HTTPS too
- The potential dangers of downloading software from untrusted or suspicious websites
- The risks of entering login credentials into suspicious or untrusted websites
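Recognizing the look-alike domains described in the first item above, as an added example that is not part of the original post. It classifies a URL against an allowlist of trusted domains and catches the four common tricks: a trusted name used as a subdomain, homoglyphs (digits or Cyrillic letters standing in for Latin ones, including behind punycode), typosquats within a small edit distance, and a brand name embedded in a longer registered name. The allowlist, the confusables table and the two-level suffix set are assumptions for illustration; a real deployment would use the Public Suffix List and the full Unicode confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allowlist of trusted brands (assumption for the example).
LEGIT_DOMAINS = {"paypal.com", "microsoft.com", "example-corp.com"}

# Characters commonly swapped for Latin letters: digits, and Cyrillic letters that
# look identical in most fonts. A small excerpt, not the full confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}
MULTI_CHAR = {"rn": "m", "vv": "w"}  # sequences that read as one letter

# Tiny stand-in for the Public Suffix List: enough for the example, not for production.
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def to_unicode_host(host):
    """Decode punycode labels (xn--...) so look-alike letters become visible;
    a host that is already Unicode is passed through unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def registrable_domain(host):
    """The part of the host the attacker actually registered (approximation)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(text):
    """Fold a name to the Latin string a human reader would perceive."""
    s = unicodedata.normalize("NFKC", text).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in MULTI_CHAR.items():
        s = s.replace(seq, rep)
    return s


def levenshtein(a, b):
    """Plain edit distance; a transposition counts as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """One of: legitimate, subdomain_spoof, homoglyph, typosquat, brand_embedded, unknown."""
    if "://" not in url:
        url = "//" + url
    host = to_unicode_host(urlsplit(url).hostname or "")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legitimate"
    # paypal.com.evil.example: the trusted name is only a subdomain of the attacker's domain
    if any(f".{legit}." in f".{host}." for legit in LEGIT_DOMAINS):
        return "subdomain_spoof"
    if skeleton(reg) in {skeleton(d) for d in LEGIT_DOMAINS}:
        return "homoglyph"
    reg_label = skeleton(reg.split(".")[0])
    brands = [d.split(".")[0] for d in LEGIT_DOMAINS]
    # Distance 0 here means the same brand under a different TLD; 1-2 is a typo away.
    if any(levenshtein(reg_label, brand) <= 2 for brand in brands):
        return "typosquat"
    if any(brand in reg_label for brand in brands):
        return "brand_embedded"
    return "unknown"


if __name__ == "__main__":
    samples = [  # constructed sample URLs for the demonstration
        "https://www.paypal.com/signin",
        "http://paypal.com.evil.example/login",
        "https://p\u0430ypal.com/login",  # Cyrillic a
        "https://paypa1.com",
        "https://paypall.com",
        "https://rnicrosoft.com",
        "https://micros0ft-support.com",
        "https://google.com",
    ]
    for s in samples:
        print(f"{classify(s):16} {s}")
```

The `to_unicode_host` step matters because browsers and mail clients often show the punycode form (`xn--...`) or the decoded Unicode form depending on their settings; the classifier compares the decoded form, which is what the employee perceives. The `unknown` result is deliberate: a domain that is merely not on the allowlist is not evidence of spoofing, and training should say so.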
Social Networking Risks
More and more organizations use social media for customer service, to connect and build relationships with their customers, and even to generate online sales. Unfortunately for them, cybercriminals have also started using social media, creating another attack surface that can put an organization’s reputation and systems at risk.
An organization’s Security Awareness Training program should include a section on social networking. It should set limits on the use of social networking on premises and train employees on the threats social media can present, such as oversharing details (job role, internal tools, travel plans, who reports to whom) that attackers use to build convincing spear-phishing pretexts, and takeover attempts against the company’s own social media accounts.
Removable Media
Removable media such as CDs and USB drives can be useful to organizations for sharing and transferring documents, but they are also useful to cybercriminals. Threat actors use them to carry malware past an organization’s perimeter defenses. Malware can be placed on the media and configured to execute automatically when the device is inserted, or the file can be given an enticing name so that an employee opens it. Malicious media can be used to install malware such as ransomware, steal data, or even destroy the system they are plugged into.
- Inform employees never to plug untrusted removable media into a company computer, including drives found in a parking lot or handed out at conferences
- Take any untrusted device to the IT or Security Team for scanning and approval
- The IT/Security Team should disable autorun/autoplay on all computers and, where the business allows it, restrict USB mass storage through device control policy
Clean Desk Policy
Organizations should take the time to explain Clean Desk Policies to their employees. This means not leaving sensitive information out on a desk where passersby or others can glance at it: printouts, papers, sticky notes, etc. can easily be read by prying eyes or taken by thieves. Before leaving a work space, all sensitive and confidential information should be securely stored.
Physical Security
Security Awareness does not only apply to computers and other electronic devices; employees should also be made aware of the physical security risks in the workplace.
- Employees should be made aware of what “shoulder surfing” is and how to counter it, such as using privacy screens and checking who is behind them before entering passwords or viewing sensitive data
- Employees should verify the identity and credentials of unfamiliar people (badges, visitor escorts) to prevent “impersonation” and tailgating through secured doors
- Employees should not leave passwords written on pieces of paper on their desks
- Employees should not leave company-issued devices out in the open or unattended in public places
- Employees should lock or log off company-issued computers whenever they leave their desks