Employees are the #1 threat to organizations. One wrong click could leave your entire company open to a cyber-attack. The way to protect yourself and your organization’s data is to keep cybersecurity top of mind. Here are ways to implement IT security awareness training for employees.
What Topics Should I Cover in Security Awareness Training?
If you use technology, you are a target for cybercriminals.
It doesn’t matter if you have a Fortune 500 company or a little shop on Main St. In fact, small businesses are more attractive to hackers because they know your defenses are not built like the bigger companies.
Here are the topics that need to be included in security awareness training.
Security Awareness Training Topic #1: Email
Email is one of the primary ways we communicate, making it a perfect method for attackers.
Attachments & Links
Threats often have attachments that are infected. Links can also be dangerous, sending users to a phishing site or having users download and open an infected file. Your employees should never click on a link, attachment, or reply with the requested information if they feel like something is not quite right.
Instead, they should inform the IT team or managed services provider (MSP). If it’s a legitimate scam, informing the right people and passing along that knowledge may help prevent it from spreading company-wide.
The reason phishing and other social engineering attacks are so successful is that they’re disguised to look like they come from credible, trustworthy sources—forcing a sense of falsified trust. Most attacks against humans are based on some form of social engineering—the act of deceiving users or administrators into divulging information. Phishing—an attempt to acquire sensitive information from an individual through email, chat, or other means—is a common type of social engineering attack.
Questions to Consider
Employees should ask themselves these questions when evaluating the authenticity of an email:
- Are there any misspelled words?
- What information shows up when you hover over a link?
- Were you expecting to receive an attachment?
- Does the message sound too urgent?
- Is the email asking for risky business?
Tips on Sending Emails
You can also give these tips to your employees to help them send emails that don’t look suspicious.
- Don’t CC too many people.
- Add a note about your attachment.
- Don’t use your personal email.
- Use encryption for sensitive emails.
Security Awareness Training Topic #2: Social Media
Remember social engineering? Some attacks aim to fool users by simply asking for information or money. They may succeed when they already have knowledge about the user that was offered up unintentionally.
The more information that is readily available about a user, the easier it is for cybercriminals to acquire specific data they can use to try to hack accounts or appear credible. It’s important to remind employees to avoid posting any identifying information or personal details that might allow a hacker to guess security questions or passwords—or communicate as if they know the user.
Social media can also be an easy way for cybercriminals to share phishing links with unsuspecting users. Your employees should be cautious of any deals or promotions that include links and look too good to be true. In addition to infected links, scammers will try to acquire credit card information through fake websites.
When a social media account is hacked, posts appearing to be from the user go out to trusted friends. Instruct your employee to use caution if suspicious posts pop up from one of their friends’ accounts. They should call to confirm the post is legitimate—not reply or comment.
Security Awareness Training Topic #3: Passwords
There are a few basic rules for managing passwords that most end-users are aware of.
- Don’t share your password with others.
- Don’t use the same password everywhere.
- Don’t write your password down on paper.
- If someone asks for a password, assume it’s a threat.
- Put a passcode on your mobile device.
However, having your employees use passphrases and password managers can make your cybersecurity even stronger.
A passphrase is four or more random words grouped together and used as a password. A longer password relying on simpler words will make it easier for you to remember and harder to crack – even if it doesn’t have any special characters.
Providing a password management tool is often overlooked, but it can be an easy protection measure. Giving people a tool to store their passwords gives them security, and they can avoid password recycling.
Security Awareness Training Topic #4: Internet Access & Use
If your employees are working remotely, they need to protect their homes from bad actors. They can do this by changing the default password on their home WiFi router and any other device that connects to the internet.
As for usage, there are tips your employees can follow for safe surfing.
- Keep browsers updated. Always having the latest version is one of the best ways to help secure your browser and your system. Teach end-users how to check if their browser is updated and how to enable automatic updating.
- Minimize plugins. The more plugins (or add-ons) a browser has installed, the greater the attack surface and the more likely a threat can find a vulnerability. In fact, most browser-based attacks do not target the browser itself; instead, they target plugins.
- Check URLs. Teach users the basics of reading a domain name. New browsers make this much simpler by highlighting just the domain that people visit. If something looks suspicious, sometimes browsers will highlight the URL in red.
- Take download precautions. One of the easiest ways for malware and spyware to access your computer is through downloads. Download only from trusted sites and avoid free software.
Security Awareness Training Topic #5: Physical Security
Finally, here’s some advice on how employees can physically secure computers and other devices.
- Lock their computer if they leave it.
- Clear off their desk throughout the day.
- Properly discard paper documents.
- Check their surroundings.
How Security Awareness Training Can Protect Your Business
Now you know how to implement IT security awareness training for employees so they keep cybersecurity top of mind and protect your organization.
Teaching end-users best practices for email, social media, passwords, internet, and physical security is the best way to defend your business against hackers and attackers.
WorkSmart offers security awareness training to ensure you are protected from cyber-threats. Contact us today to learn more about our ongoing program.