User Error: Training Your Organization Around Basic Security Threats

With October recognized as cybersecurity awareness month, we have been giving some thoughts to the areas of cybersecurity where events and training can make a big difference. One area that jumped to mind was general cybersecurity awareness training for all members of your organization.

In talking about "insider threat" most people think of the recent Snowden/NSA case where a credentialed and background cleared employee knowingly leaked data  he rightfully had access to. But insider threat is more than that. It is also accidental data leaks, breeches, and security violations. You may have great virus protection, firewall technology, even continuous monitoring devices, but one errant click by an employee can bring your IT system to its knees.

In large organizations, there is a wide range of computer-savvy within the employee population. Creating fun and innovative training programs, whether in-person or virtual will go a long way in educating the entire workforce and preventing accidental security issues. Topics addressed should include:

• Education around phishing schemes - talk about what legitimate companies will or will not ask for over email. Point out things to look for in official messages from a company (logos, address lines, etc.). Also include some details on what official emails look like from your organization (some hackers have been known to falsify official emails to trick people into thinking it's a legit message).
• Talk about home computer use - say a high-level computer savvy official is using his work computer at home. He has taken all of the right measures to securely log in to systems. Downstairs his mother-in-law is on the family computer and clicks on a link from a bogus email. Hackers now have access to all computers on that wi-fi connection, including his. Educating employees on these real risks and arming them with educational material to take home is a key step.
• Describe security protocol - what should employees do if they accidentally get access to data or systems they know they are not supposed to have. What is the chain of command for reporting? What do you do if you leave your laptop on the metro or forget your smart phone in a cab?

Creating training and events that speak to the range of computer experience and access can be tricky. You do not want to bore the computer-savvy users and don't want to go over the heads of technology novices. Breaking up employees into different groups based on technology acumen and access is one way to ensure people are getting the right information. If that is not possible or feels exclusionary, framing the presentation as a story about security with a lot of real-world examples will keep the interest and make an impact on all employees (you may want to check out these videos for some inspiration).

What kind of training have you organized or attended that made an impact on how you look at daily security threats? Let us know in the comments.

Image courtesy of: https://zonefox.com/free-live-webinar-5-key-lessons-insider-threat/