Security Awareness Training is an activity that aims at making users understand their role in preventing attacks.
The Security Awareness Training activity focuses on the weakest link in cybersecurity: people. Mistakes made by users are in fact the biggest cause of security incidents, so making sure they understand their role in preventing attacks is critical.
This activity includes staff training regarding:
- What correct cyber hygiene looks like
- What risks are associated with their actions
- How to identify attacks that may, for example, arrive via email or the web
Phishing is a type of social engineering in which an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information or into deploying malicious software, such as ransomware, on the victim's infrastructure. Although phishing is typically associated with email, email is not the only channel through which a phishing attack can happen: it can also be carried out through SMS (smishing), voice calls (vishing) and social media. These messages may be specifically tailored to target different members of your organization, including high-ranking executives (like the CEO), whose compromise could give the attacker access to more sensitive data than compromising a low-level employee would. This means that every member of the organization should be aware of these types of attacks.
Passwords are the most widely used authentication method, and this is the reason why most attacks focus on compromising them. Users tend to choose passwords that are not strong or secure enough so that they are easy to remember. This puts at risk not only their personal data, but also the data of the entire organization. The entire staff needs to be trained to follow a password policy that mitigates the risk of password compromise. This can include a minimum password complexity, but also instructions on how to use the password itself, such as avoiding the reuse of the same password across different accounts.
Today, data is the most valuable asset of an organization. Unfortunately, employees often do not pay enough attention to how they handle this data, and this can cause an information disclosure or, even worse, the complete compromise of the organization. Examples include employees who handle confidential data through personal accounts or devices that can be compromised, or employees who simply do not protect that confidential data adequately. Training on the best practices to follow to avoid these problems is therefore needed.
Physical security is often overlooked, but it is actually just as important as digital security. A computer screen left unlocked or a Wi-Fi password written on a sticky note on the desk are only two of countless examples of bad office hygiene that can lead to the complete compromise of an organization. Even if your organization does not let strangers in, an insider could potentially take advantage of this unsecured information. This means that training on how to ensure a high level of physical security is absolutely required.
And many more
These are only some of the topics covered during the training. There are many more subjects to pay attention to, such as insider threats, removable media, mobile devices, remote working and social media usage.