How Auditors Assess Cyber Risks
Blog

Cybersecurity Awareness Training Basics

Technology


Print Friendly, PDF & Email

According to a recent study, 85% of cyberattacks are caused by human error. Knowing that it’s people causing this significant weakness, it’s the responsibility of organizations to educate and empower their employees to prepare for, recognize, and prevent cyberattacks.

Any robust cybersecurity awareness training program should cover the following:

  • Phishing and social engineering
  • Access, passwords, and connection
  • Device security
  • Physical security 

Phishing and social engineering

Social engineering is a malicious attack on a user or administrator by deceiving them into divulging information to a bad actor. Phishing is a common social engineering tactic where attackers attempt to get sensitive information like passwords and credit card information by masquerading as a trustworthy source.

Common phishing attempts often require the victim to click on a link, open an attachment, send sensitive information, wire money, or take other actions that leave them and their information vulnerable. 

As threat actors continue to create new methods and schemes, their tactics are even more challenging to detect, especially when it looks like it’s coming from a credible source like your CEO or coworker. However, these deceiving attacks often offer a few tell-tale signs, including:

  • Content errors. Incorrect spelling, typos, and links containing random numbers and letters are red flags. 
  • A sense of urgency. An unusual sense of urgency with an immediate request for money or sensitive information indicates the email may be a phishing attack.
  • Incorrect emails. An easy giveaway to phishing is when the email sender has a questionable email address. It’s essential to verify the email address before taking any action. 

If your people inevitably click on a phishing email, taking immediate action is crucial. Some steps you can take right away are:

  • Informing IT and your technology partner as soon as possible. Telling the right person or department is critical in preventing a phishing scam from spreading company-wide.
  • Resetting passwords. To avoid additional data loss, change passwords on professional and personal accounts to minimize damage.

Access, passwords, and connection

Generally, users with privileged access perform administrative-level functions or access sensitive data. All employees should know if they’re general or privileged users so they understand what information, applications, or processes are accessible to them. 

Similarly, employees should be using best practices regarding the passwords they create, especially those used to access IT environments. In general, secure passwords should: 

  • Be unique to each app/site
  • Have at least eight characters
  • Contain letters and special characters
  • Stay away from obvious information like names and birthdays

Additionally, passwords should be updated or changed about every six months. 

While it may be less obvious, employees should also be wary of network connections outside their homes or workplaces. Even if data on their device is encrypted, it’s not required that a connected network transfers that data in an encrypted format, which opens the door to many different vulnerabilities.

Employees need to be aware of vulnerabilities in public networks and how they could potentially be putting all data exchanged on that network at risk. Encourage end users to use only trusted network connections or a VPN to ensure a secure connection. 

Device security

When a mobile or personal device enters the workplace, it connects to the corporate network and accesses all company data. Every device creates more endpoints and opportunities for attackers to capitalize on. Without a secure connection, any mobile device could compromise the corporate network. Therefore, securing these devices is imperative to prevent a business catastrophe.  

The same threats to company desktops and laptops also apply to personal mobile devices. Tablets and smartphones may be even less secure because they don’t have pre-installed endpoint protection. To protect the company and its data, users should be mindful of the websites they browse, the apps they install, and the links they click. 

Physical security

Unfortunately, digital cyber threats are not the only risks your employees should know about. Physical security also plays a key role in keeping sensitive information protected.

It’s easy to mistakenly leave a mobile device or computer unattended—it happens to all of us. However, if someone swipes an employee’s unattended phone or logs in to their computer, their data will immediately be at risk. 

The best way to protect your employees is through awareness. You can increase physical security in and out of the office by:

  • Locking up all devices. Get in the habit of doing this every time you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press control, shift, and eject (or the power key) simultaneously.
  • Locking your documents. Store all your documents in a locked cabinet rather than leaving sensitive information hanging around your desk.
  • Discarding information properly. When throwing away or removing documents and files, shred and discard them appropriately. 

Build your human firewall with Yeo & Yeo Technology

YYTECH is committed to supporting your organization’s journey to enhance cybersecurity awareness. Our tailored training programs equip your employees with the knowledge and skills to fortify your organization’s security posture. By partnering with YYTECH, you invest in a safer digital future where a well-informed workforce becomes a crucial line of defense. Contact us to learn more.

Want To Learn More?

Connect with one of our professionals today.