IT professionals employ a variety of techniques and tools to protect their company’s important and sensitive data, yet one of the most important security methods is often overlooked: Security Awareness Training. Antivirus, firewalls, and backups all play key behind-the-scenes roles in the IT security spectrum, but ultimately, educated and prepared employees help defend your security perimeter and keep your IT team from spending countless, painstaking hours battling viruses, closing security gaps, and restoring files. Below are 6 tips, in the form of proverbs, for conducting Security Awareness Training for your organization:
Embrace the Dark side. One way to make sure employees pay attention to security is to scare the crap out of them. Explain the risks of not following security practices, which include possible termination and even criminal fines and penalties. During Security Awareness Training, share corporate horror stories with your organization to convey the effects of poor security practices. People are likely to relate to big names as well, so share stories with your team about recent major security breaches, such as Dropbox, Eddie Bauer, Sage, Home Depot, PlayStation and more. Here is a good site that shows how scary security breaches can be. Also, when educating your team, use examples that can affect them personally. Employees are more likely to improve their security habits if they feel that their personal banking and credit card information may be at risk.
Knowing is Half (more like ¾) the Battle. Knowledge is never a bad thing. IT teams can run short educational campaigns, such as emails or lunch-and-learns, to inform employees about company security concepts like ransomware vs. malware and how to identify social engineering attempts. Social engineering tricks people into divulging confidential information. Similar to fraud or a con (confidence trick), the term applies to the use of deception to gain information, commit fraud, or access computer systems. Employees generally cause security breaches through ignorance, so by taking that off the table and running a “Security 101” course, you will significantly reduce employee-induced security issues. Here is a great article about preparing your team for hacking attempts.
When in doubt, throw it out. A core concept of any security awareness training is to educate your employees not to open suspicious links or download strange files. Whether you send regular security awareness emails or conduct training sessions, you should always repeat and enforce this core idea…DON’T OPEN WEIRD STUFF. Employees should never open an unexpected attachment or link. This includes attachments or links from an unknown source, or even from a known source when something seems off. Ask yourself, “Am I expecting this person to send me a file or link?” Another commonly overlooked Security Awareness Training item is educating employees not to use unfamiliar USB keys or storage drives. Data thieves have been known to leave USB drives loaded with information-stealing malware in public places. Also, USB drives are small and very easy to lose. Think: how many times have you left a USB drive in a shared computer at a hotel business center, library, or university computer lab? When it comes to USB drives and file sharing, the best way IT teams can support their users and prevent data leaks is to provide a secure file sharing application, such as Microsoft OneDrive or Citrix ShareFile. Also, check out this article we published last year on identifying phishing scams.
Tell, Don’t Hide. If you are one of the unfortunate souls who inadvertently infects your company’s network with viruses or malware, make sure you speak up as soon as possible. Employees who introduce harm to the network are often embarrassed. However, introducing a virus or contributing to a company data leak is usually a mistake, not a malicious act, so there is no reason to hide it. If you believe that you may have fallen victim to a phishing scam or downloaded a virus, act quickly. Let your IT team know right away, and gather as much information as you can to assist them, such as the website you were on, who sent the malicious link, etc. Here are a few signs that your system may have been compromised:
- Unexplained system slowness. Don’t always blame the network. If your machine has slowed to a crawl after opening a link, visiting a new site, or downloading a file, let someone know immediately.
- Strange Popups. A strange system popup that wants you to click accept, ignore, or some other affirmation/deny combination should be reported. If you are unsure, ask. It could save your IT team hours and hours of work.
- Disk Space Disappears. Is there a sudden lack of storage space on your PC, or a huge increase in disk usage in a short amount of time?
- New or unexplained files or icons. Is there a new file or icon on your desktop? It could be a harmless new app that your IT team has rolled out, or could be the result of a malicious attack. There is only one way to find out…ask someone!
- Ending up on a strange site when browsing. Did your browser take you somewhere you didn’t want to go?
- Unexplained Network/Browser Activity. New favorites in your browser, or unusual network activity are big signs of a potential breach.
Keep the machine clean. Your company probably has clear-cut rules on what you can and cannot install and access on your company computer, but are those rules effectively communicated? Don’t assume employees know not to access torrent sites or download game emulators on their work machines. Make sure they know the rules. Post the rules clearly on your company intranet, or send frequent Security Awareness Training emails that relay the important security points as clearly as possible. Also, don’t rely only on network policies that require admin access to download and install applications. A motivated employee will find a way around them, usually for a harmless reason such as wanting a different video player or installing new fonts.
Avoid the Avoidables. While employees are likely to ignore or skim a long email from their IT team, they are more likely to read a quick list of security-related things to avoid. Here is a quick, easy-to-read list of common things to avoid from a security standpoint:
- Public Wi-Fi. Generally not secure and can even be a fake network designed to steal your files.
- Reused or simple passwords. Sadly, most people still use the same password for multiple sites, or passwords that are super easy to figure out (I bet your password is your pet’s name and your favorite number…go ahead…change it. It’s the right thing to do.) This is a problem because if your Dropbox password has been compromised, then it is likely that your email and banking passwords have been compromised as well.
- Bluetooth. Bluetooth is often not as secure as Wi-Fi and can be easy to hack.
- Leaving your machine unlocked when away…duh.
- Leaving documents on the printer for a long time. This one is missed a lot. Check out this article we wrote on the benefits of managed, secure printing.
- USB keys. Avoid them like the plague. Well, they aren’t that bad, but still, don’t use them.
- Strange links or attachments. See above.
- Traveling and leaving your laptop unattended. Corporate espionage often targets business travelers abroad, whether by installing malware on their laptops or by simply stealing them. When abroad, keep your machine on you at all times, or make sure it is securely locked away.
- Unsecure browsing for sensitive tasks (online banking, etc.). Make sure the site URL starts with https when banking or filling out personal information online.
To sum it up, IT teams do tons of behind-the-scenes work to keep you and your company safe, yet strong security habits can really take things to the next level. As the American proverb goes, “Distrust and caution are the parents of security.”
Want to learn more about IT Security Awareness Training? Check out our IT Security eBook for more security knowledge and best practices.