Cybersecurity awareness programs typically fail to provide end users with meaningful experiences that help them truly learn better practices. Employees often find the technical controls barriers to their daily work routines, thus creating resistance and frustrating security practitioners. But when security teams explain to employees how their work reinforces cyber-awareness training, they help build meaningful educational experiences rooted in best practices.
Here are a few examples.
Understand User Behavior
While employees may know best practices, they may not have insight into how their activities can affect the organization's security posture.
Generally, awareness training will teach end users about avoiding risky behaviors through:
- Password protection: Strong password best practices, sharing risks, storing options
- Multifactor authorization (MFA): Definitions, importance, usage best practices
- Identification of sensitive information: Names, birth dates, addresses, Social Security numbers, emails
- Safe data sharing: Sharing with a link, setting access in shared drives, downloading information
Whether accidentally or maliciously, employees sometimes deviate from best practices. Further, organizations often have trouble limiting access according to the principle of least privilege. Users moving from one department to another often take their historic access with them.
Security teams can support best practices by explaining how they set user behavior baselines and gain visibility into anomalous behavior by:
- Forcing character requirements
- Disallowing reuse of recent passwords
- Monitoring for failed logins
- Reviewing user access to systems and applications that store, process, or transmit sensitive data
- Setting alerts for out-of-band attributes like anomalous IP addresses, geographic locations, or times of day
Focus on Ransomware
With the increase in ransomware attacks, organizations need to focus on them as part of a strong security awareness program.
A company's security awareness program most likely focuses on teaching employees how to spot phishing attacks. Often, these trainings include:
- Suspicious email detection: Fake email addresses, spelling errors, embedded hyperlinks
- Phishing simulations: Fake phishing emails that send reports when users click the link
- Safety precautions: Never click a link, never download a file, beware of fake share file (like Google Drive or SharePoint) links
Explaining how the security team aggregates and correlates risks supports these training initiatives. Monitoring and setting alerts for the following can help reinforce ransomware training:
- Outdated antivirus/anti-malware on devices
- Email and Web application server monitoring
- Packet loss or network congestion indicating command and control server communications
Securing endpoints goes beyond monitoring for and mitigating the risk of ransomware or malware. Often, endpoint security risks include activities like updating software or using personal devices.
Cybersecurity awareness training focuses on the types of risks that employees bring with them, including:
- Physical device security: Password-protecting devices, potential device theft or loss
- Security patches: Installing on personal devices
- Maintaining factory settings: Not using "jailbroken" phones on corporate systems
- Removable media: Risky USBs or charging cords that can plug into devices
To help support end users, security professionals can explain and show how they monitor networks for devices connecting to them. Enhancing endpoint security through examples might include showing how the security team monitors:
- Software versioning
- Secure configurations like security technical implementation guides (STIGs) or CIS baselines
- Recent security patch installations
- Alerts from intrusion detection systems (IDS)
Safe Internet Habits
With more people working remotely, cybersecurity awareness training around safe Internet habits has become even more important. To protect remote workforces, companies need to drive home the importance of risks arising from "work from anywhere" models.
Generally, cybersecurity awareness training focuses end users on:
- Public Wi-Fi use: Limiting insecure wireless connections to prevent man-in-the-middle attacks
- Virtual public networks (VPNs): Encrypting data-in-transit
- Website security: Reviewing URL for HTTPS
- Social media scams: Being wary of links or downloads in direct messages or posts
To support end-user awareness training, cybersecurity professionals and IT teams can explain how they set controls and monitor the following:
- Denying access from unknown IP addresses
- Denying organization-owned devices from accessing social media websites
- Setting administrative controls for organization-owned devices that disallow installation of unapproved applications
- Use URL and Web filtering rules in firewalls to enforce HTTPS connections
- Monitoring geolocation of login using SD-WAN to enforce encryption of data-in-transit
Teamwork Makes the Security Education Dream Work
An effective cybersecurity awareness program builds a strong culture of security that bridges the gap between technical and non-technical employees. Training programs provide the information, but education offers a more thorough understanding that builds better habits.
By acting as a team within the organization, line-of-business and technical teams can create more robust security practices, build stronger relationships, and reduce resistance to protective controls.