The Most Vulnerable Information System – People
Why you need Security Awareness Training? Because no matter how robust your IT security systems and anti-virus software are, your company can still be vulnerable to cyber-attacks. Why? The answer is simple: people. Even though you may think your team is too smart to be fooled by scams or other attack methods, the truth of the matter is that 93% of successful security breaches start with phishing and 28% of employees lack confidence when it comes to identifying a phishing email. So even if you think your security is airtight, one wrong click could bring your whole IT system down.
What Is Security Awareness Training?
Security awareness training is the process of teaching your team about IT and security best practices. The best training programs involve everyone in your organization even if their only interaction with the company’s IT system is sending and receiving emails. A solid security awareness training program decreases the risk of breaches and other cyber incidents, reduces costs, protects the organization, and increases the overall cybersecurity investment.
What Should be Included in Security Awareness Training?
The best security awareness training programs are comprehensive in nature. They don’t just address identifying malware or how to spot a dangerous link in an email. A complete program will address every aspect of your employees’ work-life while they are in the office or working remotely. Many programs also incorporate personal security training as well to keep employees safe while on personal devices. Here is a list of the topics a solid training program should include:
Educating your staff on what malware is, how to spot signs of infection, and when to notify the proper people on your IT staff can help your organization avoid a disaster. You may or may not want to include training on how to contain an infection as this could be a bit advanced for those on your team who don’t have a background in IT.
The main pathway for malware to get into your system is through phishing. Phishing methods include voice, text, and email and they can be well disguised. This part of the training should include how to spot a phishing attempt and avoid falling prey to it. You can even include phishing simulations in your protocol so your team can see how adept they are at spotting and avoiding these attempted attacks.
Training on Devices
Gone are the days when all your employees were in the office, working on desktop computers owned and maintained by you. Now most employees are allowed to bring their own devices to work or they are using mobile devices as they travel from work to home to remote sites. This is why all your employees need to be trained on mobile security including safe app installation, using public Wi-Fi, and using PIN/passwords to control phone access.
Being Safe Online
It’s likely that the majority of your employees are on social media both at your office and at home. It’s also likely they’re sharing information on their social media pages that can open them (and you) up for cyber-attacks. One part of your training program should focus on the appropriate and safe use of social media and how to keep themselves safe online.
Keeping Private Information Private
There are many ways for your employees to leak private information. In addition to knowing how to avoid phishing scams and other forms of malware, you team also needs to understand how easy it is for information to get into the wrong hands. You’ll cover information such as closing computers down when not in use (in some cases, even when leaving their desk to visit the restroom), keeping passwords safe, and not leaving printouts on the printer or visible on their desks.
We’ve talked about the importance of choosing and maintaining strong passwords. This is an important topic and one that must be included in your training. Train your staff on your security policy around passwords as well as guidelines on password keepers and when (or if) to change passwords. This section should also include the principles of multi-factor authentication. Educate your staff on why it’s important so they won’t push back when they have to implement this added layer of security.
Vulnerability in the code of a program is an invitation for malware. The way to protect against this is to keep an eye out for patches from the vendors. This part of training should include the expectation that installation of these patches is mandatory and should be done as soon as they are received. If they are not involved in the direct patching of software, they should at least be trained on knowing when a reboot is necessary to complete an update.
Depending on the industry you’re in, your security awareness training program may include more points than the above. However, this is a good place to start for most businesses. Have questions about creating a security awareness training program for your business? Please reach out! The pros at Elkhorn Services now ECS Technology Solutions would love to help!