Employees’ risky IT behavior can open the floodgates of cybersecurity threats and attacks. As cybersecurity threats continue to evolve, protecting Personally Identifiable Information (PII) and safeguarding sensitive data is more important than ever. Human error is the single biggest cause of data breaches. According to Cybint, a global cyber education company, “95% of cybersecurity breaches are due to human error.”
The recent WannaCry ransomware attack demonstrated that the human factor had played a key role in making global organizations vulnerable. According to Kaspersky, employees with local administrator rights disabled security tools on their PCs. The ransomware then penetrated the entire organization’s network from that system in what’s called a lateral attack.
Intentional or accidental sharing of data can lead to data breaches that can further cause financial losses, reputational damage, and compliance issues. For example, GDPR imposes huge penalties on the perpetrators. Noncompliant organizations will have to bear the brunt of 4% of their annual revenue or the higher amount of €20,0000,000.
To thwart cybersecurity threats and attacks and avoid compliance issues, cybersecurity awareness training has fast become a requirement for employees, and many regulatory standards such as GDPR, SOX, PCI, HIPAA, SHIELD and CCPA codify this in their regulations.
Here are the top 7 cybersecurity awareness training tips, taking NIST Employees Awareness into consideration.
- Protect Your Sensitive Information and Data
You must be aware of unsolicited emails, phone calls, instant messages, or text messages. Scammers use these malicious channels to compromise your PII, like your credit card number or social security number. Moreover, fraudsters create email addresses and websites that look legitimate. They use phishing attacks to trick you into entering private data. In fact, they offer incentives such as free stuff, gifts, business opportunities, and so forth.
To avoid an online scam, you should not share your or your company’s data with anyone other than legitimate sources; if you’re not sure it’s legitimate, call and verify – when I doubt, give a shout out! Use spam filters and never enter your personal information in response to pop-up web pages.
- Be Aware of the Dangers of Removable Media
Removable media must only be inserted or plugged into your computer if you trust the source. For instance, if you find a USB flash drive near your office, it would probably not an accident. Instead, hackers may plant it there. The USB may contain a preinstalled malware. No sooner do you connect it to your computer than attackers can gain initial network access, deliver malware, steal credentials or company secrets, perform data exfiltration, or destroy data.
Preventive measures include disabling autorun on all computers, disallowing use of removable media, encrypting information on removable media, applying strong password policies, using an antivirus program, and reporting missing removable media immediately.
- Use Strong Password and Authentication
You are recommended to use passwords that are strong, long, and difficult for hackers to guess. The strong password thwarts password attacks such as a rainbow table, dictionary attack, and brute-force attack. When creating a password, never use your personal information such as name, country name, birthday, or vehicle number. The following image shows the top 10 weakest passwords.Create a password that is at least 12 characters long. Use a mix of at keast 3 character types such as uppercase and lowercase letters, numbers, and symbols. Never use the same password for more than one account.
Use multifactor authentication for the accessing sensitive or personal accounts. In fact, multifactor authentication would add an additional layer of security to all of your accounts.
- Adhere to Clean Desk Policy
In the previous section, we have mentioned that employees often leave their passwords on the desk. The Clean Desk Policy states that passwords and other critical information on the desk should be limited to what is currently necessary. When you leave the office, you must securely store all confidential and private information.
- Ensure Physical Security
Employees often leave their passwords on sticky notes on their desks. The prying eyes may thieve your password and this method is known as “Shoulder Surfing.” Letting someone follow you through a door into a restricted area can also be dangerous and this technique is referred to as “Tailgating.”
Physical security is ensured through hardware locks (e.g., biometric lock, finger or retina scanner, smart cards or PIN locks), mantraps, proper lighting, proximity readers, fencing, video surveillance, barricades, guards, alarms, and motion detectors.
- Comply With Bring-Your-Own-Device (BYOD) Policy
Data leakage, malware, and hacking are the biggest BYOD security risks. Personal devices aren’t a part of your company’s IT infrastructure. Therefore, these devices aren’t protected by your company’s security systems and firewalls.
BYOD policy helps you how to use your personal device in the workspace. Typically, this policy involves the following tips:
- Encrypt on BYOD devices.
- Use a VPN when working from public WiFi
- Employ your company-approved antivirus on your BYOD device.
- Download applications either from the manufacturer’s website or from major app stores.
- Keep Your Security Software Up-to-date and Backup Your Files
Outdated antivirus programs, IDS, IPS, firewalls, endpoint protection, SIEM, and SOAR can lead to data breaches. If you don’t back up your critical files, you would lose them forever in the event of a cyber-attack. Therefore, you must keep your antivirus, firewalls, operating system, SOC platform, or other security tools up-to-date to avoid future cyber disasters. Moreover, you also need to create a backup of your sensitive data either on the cloud or on the external hard drive. A data backup plan is like putting your data in a vault. You can easily and quickly access such data in an emergency situation.
The Bottom Line (Conclusion)
Cybersecurity awareness training is indispensable for employees to steer clear of phishing attempts and other social engineering attacks such as baiting, pretexting, vishing and smishing, quid pro quo, tailgating, and piggybacking. It is also a terrific tool to learn to help spot malware behaviors, following company IT policies and best practices, reporting cybersecurity threats, and adhering to regulatory standards such HIPAA, PCI DSS, GDPR, and so on.
Along with the security awareness training topics that have been discussed in this article, a great complimenting article to read is the SANS Institute 2021 Security Awareness Report™: Managing Human Cyber Risk.