Welcome
 | 
My Account
Welcome
 | 
My Account
Welcome
 | 
My Account

CyberHealth

Security Awareness Training - Key Elements for Success

May 2, 2022
Click image to view gallery

Critical Elements of any Cyber Awareness Program

Cybersecurity awareness training has been identified as one of the most key actions that companies can take in order to prevent cyber attacks. Employees using computers to do their jobs every day are the first line of defense against cyberattacks. Since the pandemic began, the number of floor manufacturing staff with access to corporate e-mail, applications, and networks has risen sharply with many of these employees having never had access to these systems previously. It is essential that every company establish a security awareness training program to regularly keep its employees apprised of common threats and new attack vectors, and most importantly, how to spot them in order to keep your systems safe.

Any effective cybersecurity awareness training program must incorporate these six elements in order to be successful:

  1. Scam Awareness – Provide education to employees on common types of internet and e-mail scams, including what they are targeting, how to spot them, what to do if they receive them, and who to tell if they fall victim to an attack. At a minimum, curriculum should include the following topics:
  2. Phishing – E-mail pretending to be a service or a frequently used vendor that directs you to a fraudulent page to steal credentials or information
  3. Vishing – A fraudulent phone call pretending to be a service or vendor you frequently use attempting to get passwords, account numbers, or information from you verbally
  4. Smishing – A fraudulent text message pretending to be a service or vendor you frequently use containing a link to either malware or a fraudulent page to steal information
  5. Spear Phishing & Social Engineering – Targeted phishing e-mail made to look more familiar by using your name or organization’s name to trick you into clicking on the link or opening the attachment
  6. Executive Spoofing – Targeted e-mail impersonating an executive at your company encouraging you to take urgent action and break normal procedure, typically for monetary gain such as gift cards or payment diversion
  7. Vendor / Payroll Fraud – Fraudulent e-mail containing updated bank account or payment details attempting to divert funds from their legitimate target to the fraudster’s account.
  8. Passwords - Provide guidance to employees on the use of good password hygiene on all corporate systems and user accounts, as well as what their organization’s minimum password requirements are as a matter of policy.  Some examples of generally accepted password practices include:
  9. Passwords must be long and have a minimum length of 12 - 15 characters
  10. Passwords must be complex and include both lower and upper case letters as well as numbers and symbols
  11. Passwords should expire a minimum of once per year or more frequently
  12. Passwords should not be re-used for the previous 5 - 10 times
  13. Passwords should not include words that are company related and easily guessed
  14. Passwords should never be written down or stored in an unsecure location like a text file or spreadsheet.  Encourage the use of a password vault or safe that securely stores credentials.
  15. Multi-Factor Authentication - Educate employees on the use of multi-factor authentication, what it is and why it is a good idea to implement it on as many of your user accounts as possible.
  16. Protecting confidential data – Educate employees on what confidential data and Personally Identifiable Information (PII) are. Identify for them what your “crown jewels” are in terms of data and what they can do to help protect them. Train employees on how to properly work with, store, and securely transfer confidential information so that it is not susceptible to breach of theft.
  17. Malware & Ransomware – Educate employees on what malware and in particular what Ransomware is, how it works, how to spot it, and most importantly, how to avoid it.
  18. Mobile – Cyber attacks look quite different when you’re looking at a full-on computer screen vs. when you’re looking at a mobile phone or tablet. With an increasingly large mobile and remote workforce, mobile devices are now more than ever part of the workplace. Teach your employees the differences in how to spot scams, potentially harmful links, or software/apps on a mobile device vs. a desktop computer.

Consider additional topics that may be important to your organization, such as compliance for HIPAA, PCI, and GDPR or other data privacy laws, dark web monitoring/identity protection, insider threat management, and general technology risk management.