Every corporate environment is unique, so a “one size fits all” approach to employee cybersecurity training is typically a flawed strategy. For example, a company that encourages employees to utilize personal devices for work should focus on BYOD best practices education, while a medical facility might want to concentrate primarily on HIPAA compliance training.
Some information security precepts, however, are important for workers in any organization to learn:
- Best practices for password creation: Creating strong passwords that use eight or more characters and a mix of letters and numbers can be inconvenient for employees, but it is essential for information security. Talk to users about choosing passwords that are unrelated to easily guessed information such as birthdays or the names of family members. For employees who insist on writing passwords down because they worry about forgetting them and losing time recovering access, consider offering them a secure place in the office to store that information.
- Phishing identification: Phishing attacks—or emails requesting personal information under false pretenses—are among the oldest tricks in the book. Unfortunately, they remain among the most common and successful as well. Phishing attacks cost organizations $4.5 billion globally in 2014, according to research from security consulting firm CynergisTek. The firm also found that 74 percent of the employees victimized by phishing attacks clicked on a link that typically either prompted the individual to reveal information or installed malicious software. As such, the first priority for phishing education should be emphasizing that links from unfamiliar senders should only be opened after very careful examination. For instance, employees should be trained to hover over a link so that the actual destination URL is displayed, and to check that it matches the address shown in the text of the message.
- Knowledge of software policy: If you play a prominent role in your company’s security strategy, the last thing you want to hear is that an employee downloaded a fun new game or program—too often that is a recipe for disaster in the form of malware. Make sure employees understand the company’s policies on software downloads—even if that means making them take and pass tests on those guidelines.
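The hover-and-compare check from the phishing item above can also be automated at the mail gateway or in a training exercise. The following checker is an added example and is not code from the original article; the e-mail fragment and the domains in it are constructed, and the function names are this example's own.

```python
"""Flag HTML anchors whose visible text shows one address but whose href goes elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, None outside <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Lower-case host of a URL or bare domain ("bank.example.com/x"), or None."""
    candidate = text if "://" in text else "//" + text
    return urlparse(candidate).hostname


def find_mismatched_links(html):
    """Return (shown_text, href) for anchors whose displayed address names a
    different host than the real link target; plain words like 'click here' are skipped."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, shown in parser.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue                      # mailto:, tel: etc. have no web host to compare
        if not shown or any(c.isspace() for c in shown) or "." not in shown:
            continue                      # visible text is not an address
        if _host(shown) != _host(href):
            mismatches.append((shown, href))
    return mismatches


# Constructed phishing-style fragment: the first link's text and target disagree.
SAMPLE = (
    '<p>Your account is locked. Visit <a href="http://bank.example.com.login-verify.test/reset">'
    'https://bank.example.com/reset</a> now.</p>'
    '<p>Questions? <a href="https://bank.example.com/help">click here</a> or see '
    '<a href="https://bank.example.com/status">bank.example.com/status</a>.</p>'
)
```

Running `find_mismatched_links(SAMPLE)` reports only the first anchor, where the text says bank.example.com but the link really goes to a look-alike host.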
Employee education is a crucial piece of an information security plan, but as a CIO or CISO, you understand you need other layers of protection as well. Learn about how a security automation and orchestration platform can bolster your defenses.