8 Topics To Include In Employee Security Training
Cybercriminals have taken their game to a whole new level. Forget about the hacker that used to send your company the occasional virus. The cybercriminal of today has an arsenal of malware in their hands and advanced social skills. Don’t be so surprised—they need those to pull off their social engineering scams. Talk about a combination of hard and soft skills, right?
Raising cybersecurity awareness can effectively protect your business from data breaches and financial loss. Security training for employees should focus on identifying common threats and taking precautionary measures.
Don’t know where to start? Here are 8 security awareness topics for employees to cover in your first security training:
1. Email Security
Email is not just one of your company’s major communication channels. It’s also a cybercriminal’s favorite method of attack. Malicious links and attachments can infect your IT system and cause data leaks. The damage won’t necessarily stop within your company.
For example, your sales team talks to customers through email. If your system is hacked, then your customers might get spam from you. This can harm your reputation and your brand image. Therefore, proper email usage is one of the most important topics to address in your corporate security training.
Teach employees the basics, starting with how they should always have their spam filter on. They must also verify the domain URL links too by hovering over it. And, if the sender of the email is unknown, opening the attached files is a no-go.
2. Social Engineering
Employee security training should place extra focus on social engineering scams. Phishing emails have notoriously deprived companies of significant financial assets and data.
Show employees how to spot suspicious emails. Impersonalized greetings, misspellings, high sense of urgency, and requests for sensitive information (such as credit card info) are all indicative of a phishing email.
Business Email Compromise (BEC) is the masterpiece of phishing scams. In this case, the attacker has the actual email address of a high-level executive or another collaborator. They impersonate them and find a plausible pretext to ask for an urgent money transfer. Make it clear that employees are by no means to approve any transaction or reveal sensitive information without verifying the identity of the email sender.
Cybercriminals initially approach their victims over email. But, it’s not uncommon to later place a phone call to add pressure and urgency. You can still keep ahead of them by enhancing your training with clever branching scenarios. These will prepare employees for any trick that comes their way so that no scammer catches them off guard.
3. Physical Security
Data breaches and malware spread don’t always start online. Leaving the computer screen unlocked during a coffee break can pose a security threat, too. Therefore, physical security awareness deserves a spot in security training for employees.
A clean desk policy is vital to prevent data leakage, which may even get you into legal trouble. Employees must make sure they don’t leave work without turning their computers off. Just like they shouldn’t write passwords or email addresses on notes and leave them on their desks for everyone to see.
Take healthcare employees, for example. They are entrusted with patient information that is protected by law. Even accidental disclosure or leakage of this data can have severe repercussions.
Physical access is also an issue. Employees should be aware of individuals that may try to sneak in behind them. Others may find a legitimate excuse to enter the building. That’s why larger companies must employ professional security personnel and front office staff. In any case, it’s always best to be careful around visitors and not reveal any sensitive company information.
4. Malware Awareness
You can’t deploy cybersecurity training for employees without educating them on the mother of all (cyber) evil: malware.
All employees must be familiar with common types of malware and warning signs of infection. For example, a computer that runs slower than usual, crashes, or displays error messages, has probably been infected. But, it’s not just computers that get attacked.
In the manufacturing industry, malware infection can affect operational systems, disrupting the production process and causing significant financial losses. Manufacturing is also the victim of industrial espionage attacks, which makes IT security training a top priority.
Unauthorized software is a common source of viruses that corrupt company data. So make sure employees download authorized software, for business purposes only.
Authorized software is not completely safe from malware, either. But as soon as software vendors spot a security vulnerability, they release security updates, also known as patches. The catch here is that at the same time hackers start looking for unpatched systems to attack. To exclude your company from their pool of victims, employees should turn automatic updates on.
5. Social Media
Social media is not exactly a place to keep secrets and sensitive data. Everybody knows that. What your employees may not know is that social media is a common lurking spot for cybercriminals.
Inevitably, job postings and public company profiles feed cybercriminals with some basic company information. There’s not much you can do about it. What you can do is ask employees to be cautious about what they share on social media, especially on their personal profiles. Oversharing increases their chances of being the target or facilitates the impersonation. In any case, it works in the scammer’s favor. They should also know how to set their privacy settings and how to spot suspicious profiles.
Employees need to understand that anyone can fall prey to cybercrime. Create videos featuring real-world examples of social engineering scams pulled through social media. Point out the shared information that made the criminal’s job easier, as well as the warning signs and the consequences.
6. BYOD And Mobile Security
Bring Your Own Device (BYOD) has become a common practice among companies, mostly as a means to reduce operational costs. Allowing employees to work using their devices has significant risks, though. To minimize security breaches due to irresponsible behavior, information security training for employees should expand on mobile security as well.
First of all, make sure all employees know that public wi-fi networks are not to be blindly trusted. If they must send sensitive information while on public wi-fi, they should at least use a VPN service. The most secure type of wireless connection is through mobile providers.
Explain to your employees why they should never leave their mobile devices unattended or unlocked. It seems obvious that the rule applies to public places. But the same is true of their homes, too. It’s highly unlikely that your employee’s kid will maliciously steal your company data. But downloading a game from an untrusted site sounds like a realistic scenario.
You can never rule out the possibility of theft or loss, of course. Strong passwords and data encryption can successfully protect sensitive data. To make sure that no work is lost either, encourage employees to have a backup system in place, like an external hard disk and a cloud service.
7. Passwords And Authentication
If teaching employees safe password practices sounds redundant, wait until you hear this. In a recent study conducted by Yubiko, 51% of respondents admitted to being “guilty” of reusing passwords across personal and business accounts. Even more alarmingly, another 69% share their passwords with colleagues.
During security awareness training employees should familiarize themselves with safe password practices. A complex, unique password for each account is a good start. Use a password manager to avoid the scribble-it-down-on-a-note situation. As an extra precaution, employees should renew their passwords every few months. For accounts with very sensitive or confidential data, consider two-factor authentication.
Sharing a password may seem harmless when everyone is still in the company. But what happens when someone leaves the company and departs with other employees’ login information?
Speaking of authentication, how is your LMS doing on that front? If you are to run a security training course, it makes sense to set a good example and use an LMS with strong security features like TalentLMS.
8. Safe Internet Browsing
Security awareness training would be incomplete without some guidance on safe internet browsing. Most browser safety tools are readily accessible, but some employees may be unaware of them.
Start by demonstrating security settings available on the browser, like the options to deny access to the computer’s camera or to block pop-ups. An easy trick to verify the safety of a website is to check the address. If it is http (instead of https), that means the data it sends is not encrypted and can be easily compromised.
Conclusion
Online security awareness training for employees is not the type of training you only have to deploy once. Cybercriminals come up with new tricks every so often, and so must you.
Create your course on an LMS so that you can easily add new material. Use reminder notifications to prompt employees to revisit the course whenever there’s an important update. And because the training is demanding, consider adding an extra incentive, like a certification.