The following security awareness training topics should be covered in your cyber security awareness training program. Each security awareness topic should discuss an overview of the topic, why it is important, and the risk to your organization. All of your employees should have a basic understanding of these topics, but also be trained to use critical thinking and apply this knowledge in your organization. Delivering these cyber security awareness topics should be prioritized to identify the biggest risks to your organization. Use these security awareness training topics as a guide to help build a strategy for your program.
The majority of cyber attacks against an organization will come through phishing attacks.
Phishing is when an email is sent to an employee requesting them to click a link to update or enter their password. The employees password is then sent to the hacker and used to compromise their online accounts. Employees need to understand how to identify a phishing attack and defend against not clicking suspicious links.
Passwords are an integral part of our online accounts and aren’t going away anytime soon.
Employees should understand how to create strong passwords and learn why passwords are so important in protecting their online accounts. They should also understand the risk of password reuse between personal and corporate accounts.
Information security is the act of protecting digital information assets.
Employees should understand that accessing information is a privilege and need to know access should be practiced at all times. Sharing sensitive data outside of the organization should be taken very seriously and employees should know your organization’s policy for protecting information.
Ransomware is malicious software that encrypts data on a computer until a sum of money is paid to the hacker.
Employees should be aware that ransomware is one of the most popular threats targeting businesses across the world. If the ransom is not paid, your computer and all of its data is unrecoverable. The best way to defend against ransomware is to prevent it from happening in the first place.
Removable media such as USB drives, external hard drives, and other portable storage devices can be a major risk for your organization.
Employees should be aware of these risks and how quickly plugging one of these devices into a computer system can impact their organization. Employees should also be aware of protecting sensitive information when using removable media.
Social engineering uses social interactions to manipulate someone into undesired actions.
Employees need to understand when and how to identify a social engineering attack. They need to be aware to slow down when being requested sensitive information and trained to not disclose, fall out of line or be manipulated to break company procedures.
Physical security is protecting secure areas that require privileged access.
Employees should understand the risks of propping doors and protecting secure areas. Terms such as piggybacking and tailgating should be easily identifiable for employees as well as knowing where to report such activities.
Browsing websites on the Internet is a privilege and secure browsing techniques should be practiced.
Employees should be aware of how to identify a suspicious website and why these websites can be a major risk for your organization. They should also understand the importance of keeping browsers up to date and secured.
If your organization experiences a cyber security incident, your organization should have a plan on how to respond to the incident.
Employees must be aware of their role in responding to an incident. Your organization should practice responding to mock incidents at least annually and discuss steps on which roles, procedures, and plans are needed to respond to cyber incidents.
We are all connected to our mobile devices more than ever before and that makes mobile devices a huge vulnerability in our organizations.
Employees should be aware of what risks mobile devices introduce and how that affects their organization. Physically securing mobile devices is important to protect against unauthorized use or stolen devices. These devices can unlock sensitive information and must be protected by your employees with strong passcodes.
Business Email Compromise
BEC attacks are when an email is hacked, then used to transfer money outside of an organization.
Employees should be aware of how to identify a BEC attack and what characteristics make a request suspicious. They should be trained to follow processes and procedures for authorizing transactions within your organization.
Sensitive information can fall into the wrong hands if left unattended or in plain view.
Employees should be aware of best practices to prevent sensitive information from being viewed by unauthorized sources. This would include locking computers when unattended, keeping sensitive files in a locked cabinet when not in use, and being aware of your surroundings when working on sensitive data.
Wifi is everywhere we go, but employees should realize that not all wifi networks are safe.
Employees should be aware of safe wifi practices and understand the concept of using a VPN. Wifi will continue to be a major threat towards mobile employees and they should be trained on how to defend against wifi threats when working remote.
Multi-factor secures online accounts by verifying 2 different forms of identification for a user to access a service or application.
Employees should be aware of the concept of multi-factor authentication and why it is useful for them at work and in their personal lives. They should be trained to use multi-factor authentication when available and understand how it protects their online accounts.