So your organisation has decided to implement a security awareness training strategy. Congratulations! Educating the people within your organisation about online threats is one of the best things that you can do to protect your digital infrastructure.
Whether you’re developing your own internal training solution, or you’ve decided to go to market to purchase one that’s ready made, I’d like to share with you what I believe to be...
7 Essential Security Awareness Training Topics
1. Email Security
So let’s begin with email. You’re probably aware that email is the primary method that attackers will use in order to target your organisation. They’ll do this via targeted phishing emails, malicious URLs or even email attachments containing malware. Learning to spot these emails and distinguish them from legitimate communication is an essential skill for your employees to have.
Other email-related topics should include spear phishing and business email compromise attacks. It’s important that staff are aware that the source of an email can be spoofed, and that a communication isn’t necessarily from the person it claims to be.
Make sure that staff are familiar with the difference between the CC and BCC email fields. More importantly, every security awareness training program should promote the use of encrypted email for sensitive communications.
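The spoofing point above is easier to teach with a concrete header check. The following is an added example (not code from the original post) that runs the kind of triage a mail gateway or a helpdesk analyst would apply to a suspicious message: it compares the display name, the From address, the Reply-To and the Return-Path, and reads the receiving server's own SPF/DKIM verdict from the Authentication-Results header. The sample message, the trusted domain `example.com` and the look-alike domain are all constructed for the example.

```python
"""Header triage for a raw email, illustrating the spoofing risk described above.
Standard library only; the sample message and TRUSTED_DOMAIN are constructed."""
from email import message_from_string
from email.utils import parseaddr
import re

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed sample: display-name spoof, look-alike sender domain, a Reply-To
# that diverts replies elsewhere and a failing SPF result, as a BEC lure often shows.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none
From: "Jane CFO (example.com)" <jane.cfo@examp1e.com>
Reply-To: payments@fast-invoices.invalid
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Please process the attached invoice today.
"""

def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage_headers(raw: str, trusted_domain: str = TRUSTED_DOMAIN) -> list[str]:
    """Return human-readable findings for a raw RFC 5322 message; empty means no red flags."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name mentions the trusted domain but the real address lives elsewhere.
    if trusted_domain in display.lower() and from_dom != trusted_domain:
        findings.append(f"display name claims {trusted_domain} but address is @{from_dom}")

    # 2. Digit-for-letter look-alike domain (0 for o, 1 for l); other confusables are out of scope here.
    lookalike = from_dom.translate(str.maketrans("01", "ol"))
    if from_dom != trusted_domain and lookalike == trusted_domain:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Reply-To diverts replies to a domain other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 4. Envelope sender (Return-Path) differs from the From domain.
    _, rp_addr = parseaddr(msg.get("Return-Path", ""))
    if rp_addr and _domain(rp_addr) != from_dom:
        findings.append(f"Return-Path domain {_domain(rp_addr)} differs from From domain {from_dom}")

    # 5. The receiving MTA's recorded SPF/DKIM/DMARC verdict, when present.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} result is {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in triage_headers(SAMPLE_EMAIL):
        print("-", finding)
```

None of these mismatches is proof of fraud on its own (mailing lists and ticketing systems legitimately rewrite Return-Path and Reply-To), which is exactly the judgement awareness training has to build; the value of a script like this is that it surfaces the header fields users never see in their mail client.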
2. Web Security
Cybercrime is rampant on the web today. There’s identity theft, organized fraud, malicious hacking and even political hacktivism. It’s now estimated that around 1 in 10 web pages contains some kind of malicious code. The primary motivation for these cyber criminals is financial, and financial crimes make up a significant majority of the threat landscape.
It’s now an industry that’s estimated to be worth US$113 billion. That’s enough money to host the London 2012 Olympics almost ten times over, or more than the global black market in marijuana, cocaine and heroin combined.
We need to keep our staff up to date with the latest web-based attacks, and stress the importance of keeping software up to date. We must provide education and training on how to recognise malicious web pages, and how to spot websites which aren’t using HTTPS to process personal data securely.
We need more education around password security, and the importance of two-factor authentication when it comes to securing our accounts. We also need to raise awareness of common internet scams, and train users to be suspicious of unknown internet downloads.
It may even be a great idea to include some information regarding online payments, to ensure that financial data is handled and processed correctly.
3. Mobile Security
We’re living in the information age of cloud-based platforms, where we require data on demand, and increasingly use mobile devices to enable our businesses. Field based teams use tablets, laptops and mobile phones to access the resources they need to do their jobs, and to stay in touch with their teams.
These devices store more sensitive information than ever, and in many cases use VPN connections back to our company headquarters. The digital perimeter used to be within the physical confines of our premises, but today it extends across the globe.
Each mobile device represents a potential point of compromise, so it’s critical to our security that we take steps to secure these devices.
This includes training on mobile application security, including guidance on safe app installation practices. It should also cover public Wi-Fi hotspots, and the importance of using a VPN on new or unknown networks.
Additionally, it’s important to educate staff about PIN & passcode security, and the importance of encrypting the data on their devices. Make sure that you have a policy for lost & stolen devices, and communicate that out to your staff.
You may also want to include information that will help staff to detect and avoid newer SMS style phishing attacks (often referred to as smishing).
4. Data Protection
The majority of developed countries have data protection legislation which governs the protection of personal information. This legislation often covers the collection, processing, transfer and security of personal data. In many cases the legislation also sets out the penalties for cases where data has been mishandled.
You may also have to comply with regulations and standards that govern your particular industry; for example, medical practices in the United States have to maintain HIPAA compliance. These standards often include strict guidelines on handling personal information, and failure to comply can again result in heavy sanctions.
Providing adequate training to employees around data protection is critical. Employees all have a legal duty to protect and safeguard the information and data that they handle, particularly Sensitive PII.
Employees should be educated around topics such as data protection legislation, industry compliance obligations, personally identifiable information, secure data destruction, data classification and breach notification procedures.
5. Environmental Security
Environmental security (often called physical security) concerns the systems and controls that we use to restrict access to sensitive information or resources. Environmental security controls include CCTV cameras, ID cards and access control systems.
Without physical security controls, our digital defences could be rendered completely useless. For example, if attackers had physical access to our servers they could install a keylogger to gather password information.
Security awareness training is essential to preventing physical security attacks such as tailgating and shoulder surfing. We should be educating employees about best security practices such as workstation locking, visitor policies and the importance of a clear desk.
6. Malware
Malware is one of the most serious threats to any organisation, particularly with the introduction of new ransomware-style attacks. Malware has gone from being a nuisance to a legitimate threat to the confidentiality, integrity and availability of your data.
This is a particular problem when malware attacks are combined with other techniques such as phishing. Anti-spam filters are often unable to detect these emails and stop them getting through, and anti-virus solutions relying on signature-based matching are unable to detect the malware.
Employees should be educated about malware and the risks that it poses. It’s important that your security awareness program includes information on what malware is, how exactly it behaves, how to recognise it and what to do if you become infected.
Your security awareness training can include information about common attack vectors such as ZIP files and macro-enabled Office documents. It’s important to educate staff about the importance of backing up their files, particularly any email archives that they might have saved to their local disk.
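The two attachment vectors named above, ZIP archives and macro-enabled Office documents, can be triaged mechanically before a user ever opens them. The block below is an added example, not code from the original post: it inspects an attachment name for macro-enabled and executable extensions and for double-extension disguises, walks a ZIP archive (including nested archives) with a per-member size cap as a guard against decompression bombs, and, because Office Open XML files are themselves ZIP containers, flags the `vbaProject.bin` part that marks a document as carrying VBA code. The extension lists, the size limit and the sample archive are assumptions constructed for the example.

```python
"""Attachment triage for ZIP and macro-enabled Office document vectors.
Added example; the extension sets, MAX_MEMBER and the sample archive are constructed."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extend to match your own mail-gateway policy.
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
EXECUTABLE = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
              ".bat", ".cmd", ".ps1", ".lnk", ".dll", ".msi"}
BENIGN_LOOKING = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
MAX_MEMBER = 50 * 1024 * 1024  # skip larger members rather than inflate them (zip-bomb guard)

def classify_name(name: str) -> list[str]:
    """Findings derived purely from a file name; works for loose attachments too."""
    p = PurePosixPath(name.lower())
    flags = []
    if p.suffix in MACRO_ENABLED:
        flags.append(f"{name}: macro-enabled Office document")
    if p.suffix in EXECUTABLE:
        flags.append(f"{name}: executable or script")
    # "Invoice.pdf.exe": a harmless-looking extension hiding in front of the real one.
    if len(p.suffixes) > 1 and p.suffixes[-2] in BENIGN_LOOKING:
        flags.append(f"{name}: double extension disguising file type")
    return flags

def triage_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Walk a ZIP archive (nested archives up to max_depth) and return findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # An OOXML document is a ZIP; a vbaProject.bin part means it contains VBA macros.
        if any(i.filename.lower().endswith("vbaproject.bin") for i in infos):
            findings.append("contains vbaProject.bin (VBA macro code)")
        for info in infos:
            findings.extend(classify_name(info.filename))
            if info.file_size > MAX_MEMBER:
                findings.append(f"{info.filename}: skipped, {info.file_size} bytes exceeds inspection limit")
                continue
            member = zf.read(info)
            # Recurse into anything that is itself a ZIP: nested archives and Office documents alike.
            if depth < max_depth and zipfile.is_zipfile(io.BytesIO(member)):
                findings.extend(f"{info.filename} -> {f}"
                                for f in triage_zip(member, depth + 1, max_depth))
    return findings

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in members.items():
            zf.writestr(n, b)
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed sample: an outer ZIP carrying a double-extension executable, a
    macro-enabled document (a ZIP with a vbaProject.bin part) and a nested ZIP."""
    docm = make_zip({"[Content_Types].xml": b"<Types/>",
                     "word/document.xml": b"<w:document/>",
                     "word/vbaProject.bin": b"\x00placeholder\x00"})
    nested = make_zip({"run.js": b"// placeholder"})
    return make_zip({"Invoice_2024.pdf.exe": b"MZ", "report.docm": docm,
                     "archive.zip": nested, "readme.txt": b"hello"})

if __name__ == "__main__":
    for finding in triage_zip(build_sample()):
        print("-", finding)
```

Checking for `vbaProject.bin` catches the macro even when a `.docm` has been renamed to `.docx` or `.doc`, which is why the container is inspected rather than trusting the extension alone; the name-based checks remain useful for attachments that are not archives.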
7. Social Engineering
The single greatest threat to your security today is an attacker that’s skilled in manipulating human relationships. These attackers will attempt to gain the trust of somebody within your organisation in order to obtain information or access they otherwise wouldn’t have.
Scams such as business email compromise rely upon social engineering in order to be successful. In other pretexts, attackers may call unsuspecting employees and pose as the IT department. Social engineering is the #1 method that attackers will use to bypass your expensive firewall equipment.
To combat these threats our awareness training needs to educate employees about the nature of the risk and how it affects them. It’s important that they understand a little bit about the psychology of influence (for example scarcity, reciprocity and urgency) so that they can better combat these attacks.
What do YOU think is important when it comes to security awareness training?
I’d love to hear YOUR comments!