hfng - Fotolia
When organizations decide to shore up their employee security awareness efforts, the security awareness training topics they address may be broader than they originally expected. They should cover universal concepts, as well as unique situations exclusive to the organization itself.
The training methods and material they use may be tailored differently depending on the audience. For example, the accounting department may require specialized security awareness training on the accounting software they use. Alternatively, the sales department may need more extensive training that covers security awareness when traveling for work.
Let's look at the main topics security awareness training should include.
Social engineering is the number one threat to the enterprise and relies heavily on human interaction to gain access to networks, physical locations and systems. Social engineering includes a wide range of attacks that trick employees into bypassing security best practices and procedures to share information on a corporate network. Many hackers have honed their social engineering skills into a fine art. If employees aren't properly informed and trained about common tactics, they can be easy targets.
Social engineering scams can take on many forms. The most common is a spear phishing attack, which is launched with an email that looks legitimate. A phishing email is designed to trick recipients into clicking on a malicious link or to deceive them into sharing sensitive information. Other tactics include posing as trusted individuals over the phone, social networks or instant messaging services. With each attack, the goal is to lower the target's guard through impersonation or confusion, or by offering the allure of getting something for nothing.
Understanding the importance of physical security can help prevent unauthorized access to secure buildings -- or secure areas within a building. This can include topics such as proper badge access use, door-holding etiquette, securing or hiding sensitive documents, and methods to alert security staff of an incident.
Daily computing protections
Employees will encounter plenty of situations throughout the workday where security awareness comes into play. These include circumstances such as strong password creation; identifying and protecting sensitive data; proper data sharing techniques; email, phone, IM and video conference best practices; and what to do when a potential incident occurs.
Companies should present real-world examples of malware, phishing scams and demonstrations of other common threats users can encounter.
Remote computing protections
The risk of a security incident escalates when employees work outside the security protections on the corporate LAN. Additional security awareness training topics IT should cover include working in public or unsecured locations, leveraging VPNs and encryption for increased protection, securing home networks, remote access procedures, using mobile devices to handle sensitive information, and safely traveling abroad.
The bottom line is that organizations have plenty of security awareness training topics and material to cover. Unfortunately, the amount of time required to sufficiently teach end users about all of this is far greater than many companies allocate. The typical 30- to 60-minute session is not nearly enough. If you truly value the importance of data security, be sure to allocate sufficient time to properly train and inform users.
Dig Deeper on Risk management
Related Q&A from Andrew Froehlich
Prevention is the only line of defense against an extortionware attack. Learn how extortionware works and why it can be more damaging than ransomware. Continue Reading
SMS is being supplanted by RCS to let carriers compete against WhatsApp and Messenger and open new avenues to business messaging. Learn the ... Continue Reading
Networking describes how devices interconnect to share resources with each other. Telecom, which includes networking, broadly refers to the exchange ... Continue Reading