4 Pillars of Security Awareness Training
According to a recent study, 85% of cyberattacks are caused by human error. Knowing that it’s people causing this significant weakness, it’s vital to educate and empower your employees to prepare for, recognize, and prevent cyberattacks through security awareness training.
Any robust cybersecurity awareness training program should cover the following:
- Phishing and social engineering
- Access, passwords, and connection
- Device security
- Physical security
Let’s take a deeper look at these important pillars of robust cybersecurity education.
Phishing and social engineering
Social engineering is a malicious attack on a user or administrator by deceiving them into divulging information to a bad actor. Phishing is a common social engineering tactic where attackers attempt to get sensitive information like passwords and credit card information by masquerading as a trustworthy source.
Common phishing attempts often require the victim to click on a link, open an attachment, send sensitive information, wire money, or take other actions that leave them and their information vulnerable.
As threat actors continue to create new methods and schemes, their tactics are even more challenging to detect, especially when it looks like it’s coming from a credible source like your CEO or coworker. However, these deceiving attacks often offer a few tell-tale signs, including:
- Content errors. Incorrect spelling, typos, and links containing random numbers and letters are red flags.
- A sense of urgency. An unusual sense of urgency with an immediate request for money or sensitive information indicates the email may be a phishing attack.
- Incorrect emails. An easy giveaway to phishing is when the email sender has a questionable email address. It’s essential to verify the email address before taking any action.
A robust security awareness training program will teach your employees to recognize these phishing red flags through simulated attacks.
Access, passwords, and connection
Cybersecurity training is an excellent time to discuss different aspects of the network, such as access privileges, passwords, and the network connection itself. Generally, users with privileged access perform administrative-level functions or access sensitive data. All employees should know if they’re general or privileged users, so they understand what information, applications, or processes are accessible to them.
Similarly, employees should be using best practices regarding the passwords they create, especially those used to access IT environments. In general, secure passwords should:
- Be unique to each app/site
- Have at least eight characters
- Contain letters and special characters
- Stay away from obvious information like names and birthdays
Additionally, passwords should be updated or changed about every six months.
While it may be less obvious, employees should also be wary of network connections outside their homes or workplaces. Employees need to be aware of vulnerabilities in public networks and how they could potentially be putting all data exchanged on that network at risk. Security awareness training can encourage end users only to use trusted network connections or a VPN to ensure a secure connection.
Device security
When a mobile or personal device enters the workplace, it connects to the corporate network and accesses all company data. Every device creates more endpoints and opportunities for attackers to capitalize on. Without a secure connection, any mobile device could compromise the corporate network. Therefore, securing these devices is imperative to prevent a business catastrophe.
The same threats to company desktops and laptops also apply to personal mobile devices. Tablets and smartphones may be even less secure because they don’t have pre-installed endpoint protection. To protect the company and its data, users should be mindful of the websites they browse, the apps they install, and the links they click.
Physical security
It’s easy to mistakenly leave a mobile device or computer unattended—it happens to all of us. However, if someone swipes an employee’s unattended phone or logs in to their computer, their data will immediately be at risk.
The best way to protect your employees is through awareness. Your employees can increase their physical security in and out of the office by:
- Locking up all devices. Get in the habit of doing this every time you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press control, shift, and eject (or the power key) simultaneously.
- Locking your documents. Store all your documents in a locked cabinet rather than leaving sensitive information hanging around your desk. Before leaving for the day, stow essential documents in a safe or locked cabinet.
- Discarding information properly. When throwing away or removing documents and files, ensure you’re shredding them and discarding them appropriately.
Create a Culture of Vigilance
With knowledge, people can shift from vulnerabilities to the front line of defense against cyberattacks. Comprehensive cybersecurity training is the path that drives this change. By promoting vigilance, responsibility, and discernment, organizations can mold their workforce into a united defense against cyber threats, ultimately eliminating human error as the weak point in cybersecurity.
Looking to build your human firewall? Get started with Yeo & Yeo Technology’s security awareness training solutions.