In a world where technology is rapidly evolving and cybercriminals are constantly looking for new ways to steal data from unsuspecting victims, cybersecurity awareness has never been more important. You never know when your employees will come across phishing or malware attacks, so it's a good idea to regularly conduct security training sessions. This keeps employees aware of what they should look out for.
But what topics should your cybersecurity awareness training session include? Here are a few ideas:
#1. Existing data security policies and protections
Review the highlights of all data security policies with your staff. Explain why these rules are in place and give examples of what could happen if they are not followed. Understanding why a phone should not be “jailbroken”, how important it is to keep operating systems up to date, why public Wi-Fi should be avoided, and a whole myriad of other end-user protections should be the foundation for building security awareness among your employees.
Also, without a proper bring-your-own-device (BYOD) policy, you’ll expose your organization to potential data loss and breaches. For instance, one of your employees might be using a laptop that’s not connected to your IT infrastructure. While it might help get work done more efficiently, the device isn’t covered by your backup and disaster recovery procedures (BDRP). Should any disaster happen, data on this device might be lost.
Your employees might not be aware of the risks of using their own devices, so talk to them about the potential consequences, such as data theft caused by phishing, malware, and distributed denial-of-service (DDoS) attacks. Make them aware that cybercriminals are always waiting for their next victim, and that the stolen information could be used for financial and identity fraud.
Also, come up with rules on using personal devices for work. Set a time and place where employees are allowed to access company data using their own devices. For instance, they can only modify confidential information while on the office premises, and when they leave for the day, their access must be revoked for security.
#2. Removable media policy
Removable media such as thumb drives and external hard drives make file sharing in the office easy. I once attended a security seminar where the speaker said “unmanaged USB drives are the hypodermic needle for computer networks.” You don't know where they have been, who has been using them, or what virus they may have on them.
As soon as a removable drive is plugged into a company PC, your files can be compromised. Some malware can even spread to other computers on your network. Unauthorized removable media may also cause hardware failure, copyright infringement, and data theft.
Educate your staff about the repercussions of plugging in removable media. In addition, disable removable storage on your office computers so that even if an employee plugs in a thumb drive or an external hard disk, your files stay protected.
#3. Safe internet habits
A lot of businesses today rely on the internet to improve productivity and output. That’s why your security awareness training program should incorporate safe internet habits that prevent hackers from infiltrating your IT network. Here are just some examples:
- Don’t install software programs or download files from unknown sources. A significant number of websites are malware-infected, and visiting them could compromise your data’s safety.
- Refrain from opening suspicious-looking email attachments or links. These may be phishing baits to steal login credentials, which can lead to financial and identity theft.
- Use passphrases instead of passwords. Passphrases such as “tearmelongthemedicineborder” or “chickenburgersandwichesandfries2314” are much easier to remember for the user and harder to guess for hackers.
- Enable multifactor authentication (MFA). Aside from passwords, MFA also uses additional user verification methods such as a one-time code sent to a mobile number, a smartphone prompt, or a fingerprint scan. This way, even if hackers get hold of a user’s password, they won’t be able to access the account and steal data without completing the other security steps.
- Run simulated phishing campaigns against your own staff. This identifies the people who are more susceptible to falling for a real phishing attempt, so training can be focused where it is needed most.
- Encrypt laptops. An unencrypted laptop can have its data stolen once it gets lost or taken by a cybercriminal.
#4. Social networking
Most employees are on social networking sites such as Facebook, Twitter, Instagram, or LinkedIn. Businesses utilize these services as well to build a brand and generate online sales. Social networking, however, also opens the floodgates for phishing attacks. For instance, Facebook shared its users’ data without their permission to third-party app developer Cambridge Analytica. It was later found that Twitter did the same thing.
One common phishing method on social media is spam comments. These are usually part of an intricate botnet and contain links that lead to phishing sites, which try to trick users into handing over their information, such as usernames and passwords for online accounts.
To prevent confidential data from leaking, your organization must have an effective social networking training program that limits the use of Facebook, Twitter, and other websites. Your training should also guide employees on what to do during phishing attacks.
Warn your employees about sketchy and spoof websites. For example, cybercriminals can create a www.faceboook.com website and make it look like the authentic Facebook website at www.facebook.com so unsuspecting users will be enticed to enter their information.
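As an added illustration of the lookalike-domain trick described above (this is not code from the original post), here is a small Python check that flags hostnames sitting within a short edit distance of a trusted domain. The trusted list and the sample hosts are constructed for the example, and the registrable-domain extraction is a deliberate simplification.

```python
# Lookalike (typosquat) domain check: flags hosts that are a small edit
# distance away from a trusted domain but are not that domain itself.
# Added example; trusted list and sample hosts are constructed, not real data.

TRUSTED_DOMAINS = ["facebook.com", "twitter.com", "instagram.com", "linkedin.com"]

SAMPLE_HOSTS = [  # constructed sample, not observed traffic
    "www.facebook.com", "www.faceboook.com", "twiter.com",
    "m.facebook.com", "example.com",
]

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Simplification: the last two labels are treated as the registrable
    domain, so 'www.faceboook.com' -> 'faceboook.com'. Production code
    should consult the public-suffix list (e.g. for example.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this host imitates, or None if it is either
    the trusted domain itself (or a real subdomain of it) or unrelated.
    Note: brand names hidden in a subdomain of an unrelated registrable
    domain are a different trick and are not caught by this check."""
    domain = registrable_domain(host)
    if domain in trusted:
        return None
    best = None
    for t in trusted:
        d = levenshtein(domain, t)
        if 0 < d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best[0] if best else None

def scan(hosts, trusted=TRUSTED_DOMAINS):
    """Map each suspicious host to the trusted domain it imitates."""
    return {h: t for h in hosts if (t := lookalike_of(h, trusted))}
```

Running `scan(SAMPLE_HOSTS)` flags only the two misspelled hosts, while the genuine domain and its subdomain pass clean.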
#5. Physical security controls
Employees should also be aware of potential physical security issues.
That’s why you should train employees to be wary of everyday lapses such as letting unanticipated or unknown visitors inside the office, allowing visitors to connect to the office Wi-Fi, leaving handwritten login credentials on one’s desk, or leaving a computer unlocked for the night. Any of these could lead to data theft.
A technique known as tailgating occurs when an employee uses their keycard and opens the door but is unaware that someone else has snuck in behind them before the door closes. Piggybacking, on the other hand, is when an intruder enters with the help of an employee who has a keycard. Teach staff to be aware of their surroundings and the people around them so they can ensure data safety.
Your employees can become advocates for your cybersecurity, much like F1 Solutions. Our comprehensive IT management services ensure that you’re protected 24/7/365 so you can focus on what matters most: growing your business. Give us a call today to learn more.