Cybersecurity training 101: What your users need to know

Meredith Kreisa|September 26, 2023

People make mistakes. Whether that’s clicking a suspicious link or plugging in a random USB drive they found, errors in judgment can have major consequences. And all too often, work-related mistakes lead to cybersecurity incidents, with 74% of breaches involving a human element. Cybersecurity awareness training is critical for helping users learn more about the importance of cybersecurity and how they can protect your organization. We’ll break down some of the most pressing topics to cover in cybersecurity training 101. 

You don’t need to be an established cybersecurity expert to set up an in-house training program. Then again, continuing your own cybersecurity education never hurts. Take that cybersecurity training course. Get that cybersecurity certification. Just remember that a professional development budget might pay for a cybersecurity course for you, so check with your boss.

Social engineering 

Social engineering leverages psychology to trick users into performing a desired action. Essentially, it’s hacking humans in order to ultimately hack computers. While there are several types of social engineering (pretexting, baiting, tailgating, etc.), phishing is by far the most widespread. 

In fact, phishing is the most common attack vector in general, serving as the main entry point in around 16% of reported breaches. It’s also the second most expensive, averaging $4.76 million per data breach. Other forms of social engineering are somewhat less frequent and costly, though they also tend to take slightly longer to identify and contain. 

To protect your business from phishing attacks and other social engineering methods, users need to be familiar with potential threats. Teach them what to look for and what to do if they spot something suspicious. And maybe throw in the occasional phishing test to keep them on their toes and determine who needs more training. 
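One concrete thing to teach in the phishing portion of training is how to compare the text of a link with where it actually goes. The script below is an added example, not code from the original post or from PDQ, that checks an anchor's display text against its real destination and flags a few well-known indicators (text that names one domain while the link goes to another, a username embedded before the host, a punycode hostname, a raw IP address, plain HTTP). The sample links are constructed for the demo, and the `inspect_link` and `host_of` names are this example's own.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit


def _split(url: str):
    # urlsplit only finds a host when a scheme is present, so add one for bare hrefs.
    return urlsplit(url if "://" in url else "http://" + url)


def host_of(text: str) -> str:
    """Lowercased hostname of a URL-like string, or '' if there is none."""
    return (_split(text).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(display_text: str, href: str) -> list[str]:
    """Return the reasons a link deserves a second look; an empty list means nothing was flagged."""
    reasons: list[str] = []
    parts = _split(href)
    target = (parts.hostname or "").lower()
    if not target:
        return ["link has no usable host"]

    # 1. Display text that itself looks like a URL, but the link points at a different site.
    #    A subdomain of the shown host (login.example.com for example.com) is not flagged.
    looks_like_url = "." in display_text and " " not in display_text.strip()
    shown = host_of(display_text) if looks_like_url else ""
    if shown and shown != target and not target.endswith("." + shown):
        reasons.append(f"text shows {shown} but link goes to {target}")

    # 2. Anything before '@' is userinfo, not the host: https://bank.example@evil.example/
    if parts.username is not None:
        reasons.append("URL contains credentials/userinfo before the host")

    # 3. Punycode labels can encode lookalike (homoglyph) domain names.
    if any(label.startswith("xn--") for label in target.split(".")):
        reasons.append("internationalized (punycode) hostname")

    # 4. Legitimate business links rarely use a bare IP address as the host.
    if is_ip_literal(target):
        reasons.append("host is a raw IP address")

    # 5. Only flag explicit plain-HTTP links, not bare hrefs we defaulted above.
    if href.lower().startswith("http://"):
        reasons.append("not HTTPS")
    return reasons


# Constructed sample anchors (display text, href) as they might appear in an e-mail.
SAMPLES = [
    ("Reset password", "https://www.bank.example/reset"),
    ("www.bank.example", "https://www.bank.example.evil.example/login"),
    ("Reset password", "https://bank.example@evil.example/"),
    ("Pay now", "http://192.0.2.10/pay"),
    ("Login", "https://xn--80ak6aa92e.example/"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        flags = inspect_link(text, href)
        print(f"{text!r:22} -> {href}")
        print("   " + ("; ".join(flags) if flags else "nothing flagged"))
```

In a training session the interesting part is the second sample: the text and the destination both start with `www.bank.example`, yet the link lands on `evil.example`, which is exactly the detail users are taught to hover for.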

Physical security 

Threat actors can devastate your environment remotely from across the world, but gaining physical access makes their jobs that much easier. Even within the presumed safety of the office, users can never be too careful. Many of us picture cybercriminals as hooded figures lurking in darkened rooms. But a quarter-zip-pullover-wearing colleague in the next room could be an insider threat.

Here are a few good physical security habits to instill in your users: 

  • Lock your devices when you’re not actively using them. 

  • Don’t write down passwords. 

  • Be aware of your surroundings and anyone who might see your screen. 

  • Avoid leaving laptops and other mobile devices unattended. 

Removable media 

Removable media is super convenient, but it’s also incredibly easy to lose. Teach your users when it is and isn’t appropriate to use USB sticks, SD cards, and CDs for work-related purposes (which is probably never). 

Also, remind users not to let their curiosity get the better of them if they find removable media. While it may be tempting to take a peek, that USB drive is probably more likely to contain malware than Bitcoin. In fact, USB-based attacks increased significantly in early 2023. So that’s fun. 

BYOD 

Regardless of whether you have an official bring your own device (BYOD) policy, some users are probably occasionally checking in at work from a personal device. But BYOD presents unique challenges, chief among them security.

While users probably wouldn’t like it if you tried to govern their personal devices, it’s at least worth teaching them how their habits affect both them and the business. After all, it’s in everyone’s best interest to keep your users’ personal devices secure. Just one security incident could jeopardize your business — and completely decimate their TikTok algorithm. Looks like it’s all slime tutorials from here on out, pal.

Social media use

Some users get their kicks sharing their lives on social media. Try not to judge them. But do try to educate them. Threat actors could leverage any information they share for a social engineering attack against them or an unsuspecting coworker. Encourage users to implement strong privacy settings and avoid posting about work. Also, mandate that they post more pet pics. That’s not for security reasons — just everyone’s emotional well-being.

Ransomware and malware

Obviously, ransomware and malware overlap pretty much every other area of security awareness training. But they still deserve their own category because they’re that special.

Malware cyberattacks rose by 2% in 2022, and IoT malware nearly doubled. While ransomware dropped a lovely 21% in volume, ransomware and malware are still a gruesome twosome no one wants to mess with.

Since users often let malware into your environment, they should also be your first line of defense in preventing it. It’s only fair. But to do that, they need to know the basics, like common attack vectors, types of malware, prevention methods, and the potential consequences of a successful attack. 

Passwords and authentication 

Chances are you already have a password policy in place. Good work. Now, the trick is to make sure users understand that policy and why they need to follow it. The reasons behind password complexity and length requirements may seem obvious to you, but never assume that every user has common sense.

If you use a password manager, it’s also worth emphasizing how it makes life easier for your users while enhancing the security of your environment. And since everyone wins, it shouldn’t be too hard to get users on board.
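When explaining why your policy has the length and complexity rules it does, it helps to show the arithmetic. The script below is an added example, not code from the original post or from PDQ: it estimates the brute-force strength of a password from its length and the character classes it uses, and checks it against a simple policy. The banned list and the guess rate are constructed placeholders for the demo, and the estimate assumes a randomly chosen password; a dictionary word with a few substitutions is far weaker than the number suggests, which is why the banned-list check is there.

```python
import math
import string

CLASSES = (
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("digits", set(string.digits), 10),
    ("symbols", set(string.punctuation + " "), 33),
)

# Constructed placeholder for a real breached/common-password list.
BANNED = {"password", "p@ssw0rd!", "welcome1", "letmein"}

# Constructed assumption used only to turn bits into a time scale.
GUESSES_PER_SECOND = 1e10


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search, given the classes the password uses."""
    return sum(size for _, chars, size in CLASSES if any(c in chars for c in pw))


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits, assuming every character was chosen at random."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def years_to_exhaust(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole search space at the given guess rate."""
    return 2 ** entropy_bits(pw) / rate / (365 * 24 * 3600)


def check_policy(pw: str, min_length: int = 14, min_bits: float = 70.0) -> list:
    """Return a list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if pw.lower() in BANNED:
        failures.append("appears on the banned/breached list")
    if len(set(pw)) < 4:
        failures.append("uses fewer than 4 distinct characters")
    if entropy_bits(pw) < min_bits:
        failures.append(f"estimated strength below {min_bits:.0f} bits")
    return failures


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "xkqmvtrwjbpznelc", "pale orchid shutter mango"]:
        bits = entropy_bits(pw)
        print(f"{pw!r:28} {len(pw):2} chars, {charset_size(pw):2}-char alphabet, "
              f"{bits:5.1f} bits, ~{years_to_exhaust(pw):.2e} years at 1e10 guesses/s")
        print("   " + ("; ".join(check_policy(pw)) or "passes policy"))
```

The point the numbers make for a training audience: nine characters drawn from all four classes come to roughly 59 bits, while sixteen random lowercase letters come to about 75 bits, so a longer, easier-to-type passphrase beats a short "complex" one even before you account for the fact that `P@ssw0rd!` is on every breached-password list.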

Incident response

Your information technology team handles the burden of incident response, but the average user should still know the basics. Understanding what to report and how to report it can lead to swifter action if an incident occurs. And getting on top of that more quickly can save you time, money, and infinite headaches.

Secure remote access

Secure remote access enables users to connect from outside locations while limiting cybersecurity threats to your environment. Gone are the days when you can expect every employee to work exclusively from your office. They work from home. They travel for business. They set up shop in a café to take liberal advantage of the free refill policy.

If you equip users with the cybersecurity skills, knowledge, and resources to connect securely, your security posture benefits. But we’re not going to lie: There’s a lot to cover on this topic: 

  • Use VPN. 

  • Avoid public Wi-Fi and public charging stations. 

  • Be aware of your surroundings. 

  • Lock devices when not in use. 

  • Keep devices with you. 

Information security

Information is everything. Between sensitive data, proprietary information, employee and customer details, and financial records, you have a lot to protect. Security training should emphasize the importance of data security, confidentiality, and integrity. Every employee should understand appropriate methods for storing, using, sharing, and disposing of sensitive information — and the legal and regulatory consequences of failure. 

Browser security 

Since a web browser is a user’s main gateway to the internet, they should understand potential security threats and how to avoid risky behavior. Here are some guidelines users should be familiar with:

  • Block third-party cookies when possible. 

  • Avoid downloads from untrusted sites. 

  • Install only reputable extensions and add-ons.

  • Look for HTTPS. 

  • Don’t click suspicious links or pop-ups. 
Beware: Even if something seems obvious to you, it probably comes as a shock to at least one of your users. While you can’t anticipate and prevent every mistake they’ll make, you can at least reduce risk by teaching them the cybersecurity basics.

And while you’re in risk-busting mode, you might as well check out PDQ Connect and PDQ Deploy & Inventory to organize your assets and automate software deployment. Improved visibility and up-to-date machines enhance your security posture and make even the surliest boss happy. At least one corner of your boss’s lips may even rise slightly when you show them your free trial of PDQ Connect or PDQ Deploy & Inventory.

Meredith Kreisa

Meredith gets her kicks diving into the depths of IT lore and checking her internet speed incessantly. When she's not spending quality time behind a computer screen, she's probably curled up under a blanket, silently contemplating the efficacy of napping.
