The basics of cybersecurity training for end users
There’s a big misconception about cybersecurity. Clients think that once they’ve hired a technology solution provider (TSP) to manage their security, they’re completely protected and no longer at risk. However, the biggest risk to an organization’s information security is the inaction of employees.
What this means is that human error is a major point of weakness. Reports have shown that as much as 90% of cyberattacks are caused by human behavior. For that reason, every business needs some form of cybersecurity training so that team members understand their responsibilities, learn how to protect sensitive information, and recognize the signs of malicious threats.
As a TSP hired to protect your clients, you’ll likely be tasked with providing that security education and training, along with guidance on which policies to create. Keep reading to learn which essential elements to cover during security awareness training.
Any robust security awareness training program should cover:
- Phishing and social engineering
- Access, passwords, and connection
- Device security
- Physical security
Let’s explore the best ways to educate your clients and end users on these topics.
Phishing and social engineering
Social engineering is an attack that happens when a user or administrator is deceived into divulging information. Phishing, which is an attempt to get sensitive information like passwords and credit cards from someone through email or chat, is a common social engineering attack.
Why are phishing and other social engineering attacks so successful? Because they appear to come from a credible source, deceiving the end user into thinking it’s a piece of communication they can trust. Tell-tale signs of a phishing attempt include typos, links containing a string of random numbers and letters, an odd sense of urgency, or just generally something feeling off about the information being requested.
Avoiding phishing and social engineering attacks
What should clients do if they suspect they’ve been targeted by a phishing attack?
- Never click! If end users feel like something isn’t quite right, they should never click on a link or attachment or give out sensitive information.
- Tell IT or your TSP. Informing the right person or department in a timely manner is critical in preventing a phishing scam from spreading company-wide. Always encourage your clients to ask you to investigate or provide next steps.
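When a report lands with IT or the TSP, the first job is to decide how quickly to act on it. The script below is an added example (not tooling from the original article) that scores a reported email on the signs described above: urgency language and links containing a random-looking string of letters and numbers, plus a check for a bare IP address as the link host. The urgency phrase list, the entropy and interleaving thresholds, and the two sample emails are all constructed for the example.

```python
"""Triage helper for phishing reports: scores a reported email on the
tell-tale signs listed above (urgency language, random-looking link
tokens) plus an IP-address host check. Added example, not the article's
own tooling; all phrases, thresholds and sample emails are constructed."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Urgency phrases an awareness programme might watch for (constructed list).
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "account suspended", "verify now", "final notice")

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
TOKEN_RE = re.compile(r"[A-Za-z0-9]{12,}")   # long alphanumeric runs in a link
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def shannon_entropy(s: str) -> float:
    """Bits per character; a random token scores high, a word scores low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(token: str) -> bool:
    """A 'string of random numbers and letters': digits and letters
    interleave often (>= 4 class changes) and entropy is high (>= 3.5 bits)."""
    classes = ["d" if ch.isdigit() else "a" for ch in token]
    changes = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return changes >= 4 and shannon_entropy(token) >= 3.5


def link_flags(url: str) -> list[str]:
    """Flags for one URL: bare IP host, random-looking token in host/path."""
    flags = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if IPV4_RE.fullmatch(host):
        flags.append("ip-address host")
    for token in TOKEN_RE.findall(host + parsed.path + parsed.query):
        if looks_random(token):
            flags.append(f"random-looking token: {token}")
            break
    return flags


def triage(subject: str, body: str) -> dict:
    """Return the flags raised and a simple count as the score."""
    text = f"{subject}\n{body}".lower()
    flags = [f"urgency: '{p}'" for p in URGENCY_PHRASES if p in text]
    for url in URL_RE.findall(body):
        flags.extend(link_flags(url))
    return {"flags": flags, "score": len(flags)}


# Constructed sample reports (not real emails).
SAMPLE_PHISH = ("Urgent: verify your account immediately",
                "Your mailbox will be suspended. Click "
                "http://198.51.100.23/login/x7f9q2mz8kl4p1 within 24 hours.")
SAMPLE_BENIGN = ("Q3 planning notes",
                 "Slides are at https://intranet.example.com/docs/planning2024 "
                 "when you have a moment.")

if __name__ == "__main__":
    for subject, body in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(subject, "->", triage(subject, body))
```

The score is only a prioritisation aid for whoever investigates the report; a legitimate calendar reminder can contain "immediately", and a tracking link on a real newsletter can look random, so the flags tell the responder where to look rather than replacing their judgement.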
Access, passwords, and connection
Cybersecurity training is a good time to go over different aspects of the network, such as access privileges, passwords, and the network connection itself.
Your clients should know who general users are versus privileged users who have more elevated rights. In general, privileged access is granted to users who need to perform administrative-level functions or access sensitive data. All your client’s employees should know what type of user they are so that they understand what information, applications, or functions are accessible to them.
Similarly, employees should be using best practices when it comes to passwords they’re creating, especially for passwords used to access IT environments. In general, passwords should be unique to each app/site, at least eight characters, contain letters and special characters, and stay away from obvious information like names and birthdays. It’s also a good idea to change and/or update passwords about every six months. A password manager—like 1Password—can help with all of this.
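To make those password rules concrete for a client, it helps to show them applied mechanically. The checker below is an added example (not code from the original article or from 1Password) that tests a candidate password against exactly the rules listed above: at least eight characters, letters plus special characters, no obvious personal details such as a name or birthday, uniqueness across sites (compared by hash, the way a password manager would), and a reminder once a password is about six months old. The names, birthday and sample passwords are constructed.

```python
"""Password-policy checker for the rules above: at least eight characters,
letters plus special characters, no obvious personal details (name,
birthday), unique per site, and a rotation reminder at about six months.
Added example, not the article's own code; names and dates are constructed."""
import hashlib
import re
from datetime import date, timedelta

SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")
ROTATION_PERIOD = timedelta(days=182)   # "about every six months"


def birthday_forms(bday: date) -> list[str]:
    """Common ways people type a birthday into a password (constructed list)."""
    return [bday.strftime(f) for f in
            ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y", "%Y")]


def password_fingerprint(pw: str) -> str:
    """Hash used only to detect reuse across sites without keeping the
    password itself; a password manager does this comparison for the user."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(pw, personal_terms=(), birthday=None, used_fingerprints=frozenset()):
    """Return the list of policy violations (an empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(ch.isalpha() for ch in pw):
        problems.append("no letters")
    if not SPECIAL_RE.search(pw):
        problems.append("no special characters")
    lowered = pw.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal detail '{term}'")
    if birthday is not None:
        for form in birthday_forms(birthday):
            if form in pw:
                problems.append(f"contains birthday ({form})")
                break
    if password_fingerprint(pw) in used_fingerprints:
        problems.append("reused from another site")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True once a password is older than the six-month guideline."""
    return today - last_changed >= ROTATION_PERIOD


if __name__ == "__main__":
    used = {password_fingerprint("Summer2024!")}   # constructed prior password
    for candidate in ("alice1990", "Summer2024!", "kx7#Mq2v!pL9"):
        print(candidate, "->", check_password(
            candidate, personal_terms=("Alice", "Smith"),
            birthday=date(1990, 3, 15), used_fingerprints=used) or "ok")
    print("rotation due:", rotation_due(date(2024, 1, 10), date(2024, 8, 1)))
```

Running it shows the kind of feedback end users should get: `alice1990` fails three ways at once (no special character, contains the user's name, contains the birth year), a password already used elsewhere is rejected even though it meets every other rule, and only the unrelated random string passes.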
This may be less obvious to employees, but they should be wary of network connections used outside of their home or workplace. Even if the data on their device is encrypted, there is no guarantee that a network they connect to carries that data in encrypted form, which opens the door to many different vulnerabilities. Public networks may also be tapped, which puts all data exchanged on that network at risk. Encourage end users to only use trusted network connections or to secure the connection with appropriate VPN settings.
Device security
We’re living in a time where it’s popular to Bring Your Own Device (BYOD), meaning more and more mobile or personal devices are entering the workplace, connecting to the corporate network, and accessing company data. This creates more entry points for threats, so all mobile devices must also be securely connected to the corporate network and always in the employee’s possession.
The same threats posed to company desktops and laptops also apply to personal mobile devices. Tablets and smartphones may be even less secure because they don’t have pre-installed endpoint protection. Users should always be mindful of websites they’re browsing, apps they’re installing, and links they’re clicking on.
Physical security
Cyberthreats aren’t the only risks employees need to be mindful of. Physical security also plays a role in keeping sensitive information protected. How often and easily do you mistakenly leave a mobile device or computer unattended? It happens to all of us. But, if someone were to swipe an employee’s unattended phone or log in to their computer, all of their data would immediately be at risk.
Here’s how your clients can increase their physical security in and out of the office:
- Lock all devices. Get in the habit of doing this every time you leave your desk. For Windows users, press and hold the Windows key, then press the “L” key. For Mac users, press Control + Shift + Eject (or the Power key) at the same time.
- Lock your docs. Store all of your documents in a locked cabinet, rather than leaving sensitive information hanging around your desk. Before leaving for the day, stow important documents into a safe or locked cabinet.
- Properly discard info. When you’re throwing away or getting rid of documents and files, make sure you’re shredding them and discarding them appropriately.