In this article, information security expert Suzanne Gorman delves into the key content for effective security awareness training, including the elements of a successful program and what the leadership in organizations must be aware of about their security risks.
When designing a training program, it’s imperative to cover all potential threats your organization faces. But first, do you know where your vulnerabilities lie within your organization? Does your IT department work to lock down as many risk vectors as possible?
Employees are the weakest link in every organization. This is a sad but true reality. It really is amazing that nearly daily there is a headline news story that covers how organizations are falling prey to hackers, and employees still fall for the silliest scams. They rarely think about the words “if it is too good to be true it probably is.”
But before we throw in the towel, we should also know that employees can be trained to be our strongest asset. Arming your employees with critical content for effective security awareness training is the key to your success.
Let’s dive into the important topics that must be considered and factored into your security awareness program.
1. Social Engineering and Phishing Scams
Phishing scams are the most common social engineering method used by cyber criminals to target an organization. All employees receive emails, in fact, copious amounts of email daily. Many employees open them up and never give a second thought about if the email is dangerous or not. Hackers take advantage of the lackadaisical attitude that employees have, making them a perfect target vector for attacks.
When developing content for effective security awareness training, organizations should focus on a few key messages regarding email security. Here are a few of our favorites:
- Organizations’ IT departments MUST always filter spam
- Organizations’ IT departments MUST securely configure email clients
- Employees MUST be trained to never trust unsolicited emails
- Employees MUST be trained to never send personal or organizational financial information (without permission) – PERIOD!
- Employees MUST be trained on how to hover over links
- Employees MUST be trained to never click on suspicious links and email addresses
- Employees MUST be trained to never open email attachments unless you are expecting them from someone you trust
- Employees MUST be trained to never to never fall prey … so if it sounds too good to be true, it probably is
- Employees MUST be trained on how to identify social engineering attacks
- Employees MUST be trained to report any suspicious activities immediately
Malware is malicious software used by cybercriminals for stealing sensitive information, such as your user IDs and passwords and other personal information. It is one of the biggest threats to your computer and all of your personal devices. The use of malware has grown exponentially in the past few years, and now we read about how organizations have fallen victim to ransomware, where your files are encrypted and no longer accessible until your organization pays the ransom. Even payment does not always guarantee that access to your files will be granted.
Malware can be delivered in a number of ways, with phishing emails continuing to be the #1 vector for the cyber criminals to use.
Content for effective security awareness training should cover the malware aspect and include common ways of delivery, threat potential and impact on your data. Along with other detailed information, but you can make organizational changes and include these tips:
- Organizations’ IT departments MUST block the installation of software
- Organizations’ IT departments MUST always keep antivirus software up-to-date
- Organizations’ IT departments MUST always use firewalls
- Employees MUST be trained to never download any unknown files through email or websites
- Employees MUST be trained to never click on links
- Employees MUST be trained to report suspicious activity immediately.
3. Password Security
After decades in the information security field, we are still talking about passwords. And we still have a conundrum. Passwords remain the most common method of authentication. Many employees have dozens of passwords for the various systems they have access to, unless your organization has mastered single sign-on. So how do you wrestle this beast?
We recommend that you allow employees to utilize a password manager, and teach them how to create good passwords for each of their accounts whether in the office or at home.
We like the fact that some of our device companies, like Apple, Dell, etc., are looking for our passwords on the darkweb and sending out notifications if they have been found. Be sure to add that information into your awareness program, advising your users to pay attention to those alerts at home and change their passwords to something more difficult to break.
The following are some good password guidelines:
- Organizations’ IT departments MUST put into place password guidelines and rules to enforce them
- Employees MUST be trained to use a different password for every online account
- Employees MUST be trained to use a password manager that generates and stores unique, strong passwords for every account
- Employees MUST be trained to use multi-factor authentication wherever possible, to lessen the impact of a compromised password
- Employees MUST be trained to NEVER recycle passwords
- Employees MUST be trained to use passphrases that you will remember
Employees MUST be trained to NEVER share their password with anyone – even with their executive assistant!
4. Privacy and Data Management
Organizations, no matter how large or small, must deal with privacy matters because of recent laws. Some organizations have customer data they collect and store, and/or they process sensitive information that has a higher expectation of privacy. This could include customer information, business plans, employee data, mergers and acquisitions. If this type of data were exposed to the public, a cybercriminal or a competitor, your organization could face penalties and reputation damage that could impact your bottom line.
Employees must be trained on how to manage confidential business data and protect their customer privacy and data security.
Data privacy is important content for effective security awareness training and should include:
- Employees MUST be trained to understand the data classification strategy of the organization and how data should be handled
- Employees MUST be trained to understand regulatory requirements affecting routine operations of an employee
- Employees MUST be trained to understand approved and unapproved locations for storing sensitive data on an enterprise’s network
- Employees MUST be trained to use strong security practices for accounts that hold sensitive data
5. Developers and Secure Code
One sure way to stop a breach in it’s tracks is by addressing security problems that are within the code. We need to all step back and think about the fact that developers are trained to develop code, but they have never been trained on how to develop secure code. If you doubt this, take a look at your latest penetration test. And if it is too technical, please make sure you have someone you trust explain it.
Each and every time we see third-party penetration tests results, numerous vulnerabilities are identified. We also see glazed looks on the faces of the executive staff, not understanding one thing the pentesters were saying to them. This is not a criticism of the executives; they have their MBAs and were never trained in computer science, especially at this level.
Developers need to be trained in ways unlike the rest of your organization. Gamification and silly videos will not work for them. Make sure you train them the way they think. Global Learning Systems has partnered with Kontra Security to make learning fun and interesting for your development team. Together, we have taken real-life security incidents and turned them into scenarios where the developer gets put right into the code to identify where the issue is and how to resolve it.
GLS works with organizations to reach their development staff, providing the following training and support:
- Accelerating application security training and software security education through interactive learning
- Delivering training that dives directly into the code, allowing your developers to think like a hacker, analyze attack surfaces in your applications and recreate their steps
- Presenting software security issues visually by tracking a vulnerability from the UI to the source
- Enabling interaction with vulnerable components and business logic of real-world examples
- Facilitating understanding and application of security code fixes to remediate vulnerabilities
Key takeaways to ensure strong content for effective security awareness training
Employees are your most valuable asset, and each one plays a vital role in the success of your business. You need to ensure that your employees are trained properly and that they can truly act as your last line of defense when your security controls fail.
Information security must become part of every organization’s mantra and woven into your corporation’s framework. It goes well beyond annual training. Think about embracing more frequent and shorter training sessions. Use materials such as posters as visual reminders and newsletters or security sheets that employees can take home to share with their loved ones. And make usre of your reception area and breakroom monitors that are perfect for short training modules that have no words, just powerful visuals to fully round out your security awareness journey.