No matter what role an employee plays in an organization, they should understand essential security awareness topics and how to protect the company (and themselves) from potential cyber-attacks and security breaches. Here are a few of the most critical topics to cover in 2021.
Browser Security
Employees should know how to recognize potentially dangerous websites and understand the risks of running an outdated or compromised browser. They should also know how to keep their browser and its extensions updated to the latest version, and how to avoid connecting to untrusted Wi-Fi networks.
Business Email Compromise
Business email compromise (BEC) attacks happen when an attacker takes over, or convincingly impersonates, a trusted email account such as an executive's or a vendor's and uses it to redirect payments or extract sensitive data from a company or individual. Employees should understand how to identify phishing scams and recognize when an email request is suspicious: unusual urgency, a change of bank details, a Reply-To address that differs from the sender, or a lookalike domain. They should also know how to report a possible BEC attack and the company's approved process for authorizing monetary transactions (for example, confirming any change of payment instructions by phone through a number already on file).
Device Security
Employees should not only know how to create and maintain strong device passwords, but also the basic practices for keeping devices secure, starting with locking the screen whenever they step away: unlocked, unattended devices put companies at high risk. Removable media (USB drives, external disks) are another source of risk. Tell employees which media are approved for use on company devices and how to protect them.
Extortion and Ransomware
Stealing private data and threatening to expose it, or encrypting data so the company loses access to it, are two methods attackers use to extort money from companies, and they are often combined. Ransomware is profitable and, because of that, increasingly common. Many companies pay the ransom and never report it, so the statistics we have on ransomware understate the problem; we just do not know by how much.
Incident Response
No matter how careful an organization is about security, a compromise is likely to occur at some point. Make employees aware of the steps to report an incident and help contain it. Time is of the essence once a breach is detected, and a company-wide understanding of incident response policies will help limit the damage.
Information Security Policy
Access to company information is a privilege and one that should be taken seriously. Information security protects digital assets from compromise and benefits every employee as well as the business. Employees should read, understand and acknowledge the official Information Security policy and pledge to help keep data protected.
Mobile Device Security
With the proliferation of mobile devices and remote work, employees have constant access to sensitive company information. Unfortunately, a stolen device with a weak passcode or unencrypted storage gives an attacker direct access to that information. Teach employees how to set strong passcodes, keep device encryption enabled, protect devices from theft, and report a lost device immediately so its access can be revoked.
Multi-factor Authentication
Multi-factor authentication (MFA) requires users to present two or more independent proofs of identity, such as a password (something they know) plus a code from an authenticator app or a hardware key (something they have), before they are granted access to applications or services. Ensure that employees understand how to set up and use MFA and why it protects their accounts even when a password has been phished or leaked.
Password Security
While many security topics touch on passwords, it is worth holding a separate session to equip employees with the right strategies for creating strong, unique passwords (long passphrases and a password manager rather than memorized variations). They should also understand when passwords must be changed (current guidance such as NIST SP 800-63B favors changing them on evidence of compromise rather than on a fixed schedule) and the basic rules for password privacy, such as never sharing or reusing them. Password guidance is still evolving, so this topic should be revisited regularly.
Phishing
Phishing scams are becoming increasingly sophisticated and harder to identify. In a typical case, an email that looks legitimate is sent to an employee, who unwittingly clicks a link, enters a password, or opens an attachment that lets the scammer harvest credentials, launch ransomware, or install other malware. Make sure employees know what clues to look for (mismatched sender addresses, lookalike domains, unexpected urgency, links whose real destination differs from the displayed text) and how to report a suspected message. Phishing is also moving beyond email; phishing through Slack and similar chat tools is becoming more common.
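The clues listed for BEC and phishing above can be turned into an automated first pass over incoming mail. The following is an added Python example, not code from the original article: it parses constructed sample messages and flags a Reply-To that does not match the sender domain, a known colleague's display name on an external address, a sender domain that is a lookalike of the corporate domain (homoglyphs, small edits, or the corporate name embedded in another domain), and payment-related language in the subject. The corporate domain, the internal directory, the homoglyph table, the keyword list and the sample messages are all assumptions made up for this example.

```python
"""Heuristic BEC / phishing indicators over raw email headers.

Added example, not part of the original article. CORPORATE_DOMAIN, DIRECTORY,
HOMOGLYPHS, FINANCIAL_WORDS and the sample messages are constructed for
illustration; a real deployment would source them from the mail system and
the HR directory.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                     # assumed
DIRECTORY = {                                        # constructed internal directory
    "dana smith": "dana.smith@example.com",
    "lee chen": "lee.chen@example.com",
}
# Illustrative, deliberately incomplete lookalike map: Cyrillic letters and
# digits that render like Latin letters -> the Latin letter they imitate.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "0": "o", "1": "l", "3": "e", "5": "s",
})
FINANCIAL_WORDS = ("wire", "payment", "invoice", "gift card", "bank details", "urgent")


def normalize_domain(domain: str) -> str:
    """Fold Unicode compatibility forms and common homoglyphs to plain Latin."""
    return unicodedata.normalize("NFKC", domain).lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    """The corporate domain itself or a genuine subdomain of it."""
    return domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN)


def analyze_message(raw: str) -> list:
    """Return a list of human-readable indicators found in the headers."""
    msg = message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. Replies are steered to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")

    # 2. Display name of a known colleague, but the address is not theirs.
    expected = DIRECTORY.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' impersonates {expected}, actual sender {from_addr}")

    # 3. Sender domain is a lookalike of ours (after homoglyph folding, within
    #    two edits, or with our domain embedded in a longer foreign domain).
    if from_domain and not is_internal(from_domain):
        norm = normalize_domain(from_domain)
        if norm == CORPORATE_DOMAIN or levenshtein(norm, CORPORATE_DOMAIN) <= 2 \
                or CORPORATE_DOMAIN in norm:
            flags.append(f"sender domain {from_domain} looks like {CORPORATE_DOMAIN}")

    # 4. Payment or urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in FINANCIAL_WORDS if w in subject]
    if hits:
        flags.append("financial-request language in subject: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail).
LEGIT = ("From: Dana Smith <dana.smith@example.com>\nTo: lee.chen@example.com\n"
         "Subject: Q3 budget review\n\nSee attached.\n")
IMPERSONATION = ("From: Dana Smith <dana.smith.ceo@mail-secure.test>\n"
                 "Reply-To: payments@wire-desk.test\nTo: lee.chen@example.com\n"
                 "Subject: URGENT wire transfer before close of business\n\n"
                 "I'm in meetings all day, please handle this quietly.\n")
LOOKALIKE = ("From: Accounts Payable <ap@examp1e.com>\nTo: lee.chen@example.com\n"
             "Subject: Updated bank details for invoice 4471\n\nPlease update our record.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("impersonation", IMPERSONATION), ("lookalike", LOOKALIKE)):
        print(label, "->", analyze_message(raw) or ["no indicators"])
```

None of these checks is proof of fraud on its own (a genuine vendor may use a different Reply-To), which is exactly why the page's advice holds: indicators like these should route the message to a reporting channel and trigger out-of-band confirmation of any payment change, not replace it.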
Physical Security
In addition to device and password security, and assuming you still have an office, employees should know how to protect the physical office from entry by unauthorized individuals. If the office requires a badge to enter, make sure employees understand the policy on holding doors open and propping open entryways (tailgating), and how to report suspicious activity if someone is in the office without appropriate clearance. If employees work remotely, they should understand how to secure their devices physically when working from home or from shared locations (coffee shops, libraries, hotels, etc.).
Security Awareness for Remote Work
Having remote employees affects every one of the topics above, so each of them should give special consideration to remote work. Physical security awareness posters in the office have no effect on employees who are not in the office, and in-person security awareness training sessions disappear with remote work. Ensure your entire workforce, whether in the office, at home, or spread across the globe, receives relevant security awareness training.