With human mistakes playing a key part in a considerable percentage of cybersecurity breaches, many of them coming from common employees, (which does not mean the responsibility relies on them at all) managing employee cyber risk is essential for business to help mitigate and reduce an attack surface and to demonstrate a certain degree of regulatory compliance.
One core component of a strong human management program is security awareness training that educates end-users on how to identify and combat modern threats, as well as best practices for staying up to date.
But deciding to launch this type of training comes with some common questions, one of them is deciding on the security awareness training topics you should be including.
In this article, I will briefly describe five topics that should be included in the core security awareness training schema for 2022, as well as how you can start educating your staff on these topics in a nutshell.
1. Phishing
Phishing is basically the entry point for cybercriminals. One major factor is due to how sophisticated these types of attacks have become. Attackers are now using smarter techniques to trick users into compromising sensitive data or downloading malicious attachments, for example, a business email compromise is a common form of phishing that uses prior research on a specific individual, in order to create an attack that can be incredibly difficult to distinguish from a real email.
People need regular training on how the spot phishing attacks that use modern techniques, as well as how to report a phishing attack as soon as they believe they have been targeted.
2. Passwords and authentication
A very simple element that can help security, in general, is password security. Often commonly used passwords will be guessed by malicious actors in the hope of gaining access to your accounts. Using simple passwords, or having recognisable password patterns can make it simple for cyber-criminals to access a large range of accounts.
Implementing randomised passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Several Password Manager solutions can be useful here.
3. Mobile device security
The changing environment of IT technologies has improved the ability for flexible working environments, and along with it a wide range of security attacks. With many people now having the option to work using mobile devices, this increased connectivity has come with several treats.
The safe use of personal devices is necessary training for any person who works on their own devices.
4. Social media use
We all share large parts of our lives on social media: from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to use this information into a more complex attack chain starting with this gathering.
Educating users on protecting the privacy settings of their social media accounts, and preventing the spread of public information of a company will reduce the risk of the potential leverage that hackers can gain.
5. Social engineering
Social engineering is a common technique malicious actors use to gain the trust of people, offering valuable lures or using impersonation to gain access to valuable personal information. People need to be educated on security awareness topics that cover the most common social engineering techniques and the psychology of influence (for instance: scarcity, urgency, and reciprocity), in order to combat these threats.