In 2020, it is becoming more important than ever to educate and train end users on cyber security best practice in the workplace. Below we have listed the 12 topics to look out for. With increasingly sophisticated digital threats, educating your digital workforce on cyber security best practice is the most effective way of saving time and preventing security breaches.
What security awareness topics should I cover?
Most companies devote large amounts of time and money to implementing software that protects their information, with security accounting for around 10% of the average IT budget. However, 'human hardware' is by far the most vulnerable element of any business, and companies should operate on a prevention-over-cure basis.
Human error is the cause of up to 95% of cyber security breaches, and with simple awareness training courses this number can be dramatically reduced. Recent estimates suggest that only half of all employees receive training at all, and then only once per year.
From SMEs to large enterprises, the employee is the last line of defence in a company's security, the 'human firewall'. So what are the most important security awareness training topics for your staff?
What are the most important security awareness training topics?
We've listed the most relevant cyber security awareness training topics for employees in 2020:
- Phishing attacks
- Removable media
- Passwords and authentication
- Physical security
- Mobile device security
- Working remotely
- Public Wi-Fi
- Cloud security
- Social media use
- Internet and email use
- Social engineering
- Security at home
1. Phishing Attacks
Phishing attacks are still the most common cause of cyber security breaches. Current figures clearly reflect the need for awareness of phishing attacks: research suggests 91% of successful cyber attacks are the result of a phishing scam.
Although companies are increasingly aware of phishing, it is still a growing threat in 2020, in part due to a lack of awareness at the employee level. By making security training part of the company's philosophy, through recurrent security awareness training, this number can be dramatically reduced over time.
"Spearphishing" is a more sophisticated and targeted form of attack, which impersonates specific company staff to lend legitimacy to an email sent to a specific set of end users. An email impersonating the CEO, for example, is likely to be clicked on by most employees, and could carry a malware attachment. The effectiveness of such attacks has led to newer, equally sophisticated variants, such as voice phishing and SMS phishing.
By training your end users to recognise potentially harmful emails and to report suspicious ones, this threat can be dramatically reduced. Consistent cyber security training courses steadily improve employee awareness of such attacks, and simulated phishing attacks can demonstrate the potential risk they pose to your company.
2. Removable Media
Another security awareness topic that affects companies daily is removable media. Removable media are portable storage devices that let users copy data onto the device, unplug it and carry that data to another machine, and vice versa. USB devices containing malware can be left where end users will find them; when plugged into a workstation, they can infect it.
"Researchers dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus. 98% of these drives were picked up! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside"*
As well as understanding the risks, your employees need to know how to use these devices safely and responsibly in your business. There are numerous reasons a company might decide to use removable media in its environment. However, as with all technologies, there will always be potential risks. As well as the devices themselves, it is important that your employees protect the data on these devices. Whether it's personal or corporate, all data has some form of value.
A few common examples of removable media you and your employees might use in the workplace are:
- USB sticks
- SD cards
This security awareness topic should be included in your training and cover examples of removable media, why it's used in businesses, and how your employees can mitigate risks such as lost or stolen removable devices, malware infections and copyright infringement.
3. Passwords and Authentication
A very simple but often overlooked element that can help your company's security is password security. Commonly used passwords are routinely guessed by malicious actors hoping to gain access to your accounts. Using simple passwords, or recognisable password patterns shared between employees, can make it easy for cyber-criminals to access a large range of accounts. Once this information is stolen it can be made public or sold for profit on the deep web.
Implementing randomised passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Other steps, such as two-factor authentication, provide extra layers of security which protect the integrity of the account.
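The following is an added example, not code from the original article, illustrating the point above in numbers: a password built from a recognisable pattern (dictionary word, number, symbol) looks strong to a naive strength meter but has a tiny guess-space once the pattern is known, whereas a randomised password or passphrase has a guess-space that matches its length. The word list, dictionary size (10,000 words) and number of suffix choices are constructed assumptions for illustration, not measured figures.

```python
"""Added example: why pattern-based passwords are weaker than they look, and how
randomised passwords and passphrases avoid the problem. All counts and the mini
word list below are constructed assumptions for illustration."""
import math
import secrets
import string

# Full printable alphabet used for random passwords: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list; a real generator would use a large diceware-style
# list (for example 7776 words), which is the size assumed in the comparison below.
WORDS = ["apple", "river", "candle", "orbit", "maple", "tiger", "quartz", "velvet",
         "harbor", "saddle", "meadow", "copper", "lantern", "pebble", "falcon", "cedar"]


def charset_bits(password: str) -> float:
    """Naive strength estimate, as many password meters report it: assume every
    character was drawn uniformly from the union of character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def pattern_bits(dictionary_size: int, suffix_choices: int, symbol_choices: int) -> float:
    """Guess-space of the human pattern 'Word + number + symbol' (e.g. Summer2020!).
    Someone who knows the pattern needs at most
    dictionary_size * suffix_choices * symbol_choices guesses."""
    return math.log2(dictionary_size * suffix_choices * symbol_choices)


def random_bits(length: int, choices: int) -> float:
    """Guess-space of a uniformly random string of `length` symbols, each drawn
    from `choices` possibilities. For random strings this is the true figure."""
    return length * math.log2(choices)


def random_password(length: int = 16) -> str:
    """Randomised password using the OS CSPRNG (secrets), not random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words: int = 6, words=WORDS) -> str:
    """Randomised passphrase: easier to remember than random characters, and its
    strength comes from the word count and list size, not from the words chosen."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def compare(patterned: str = "Summer2020!") -> dict:
    """Side-by-side figures for a patterned password versus randomised ones."""
    return {
        "patterned_naive_bits": round(charset_bits(patterned), 1),
        # Assumed: 10,000 common words, 100 plausible numeric suffixes, 32 symbols.
        "patterned_real_bits": round(pattern_bits(10_000, 100, 32), 1),
        "random_16_chars_bits": round(random_bits(16, len(ALPHABET)), 1),
        # Assumed: 6 words from a 7776-word list.
        "random_6_word_passphrase_bits": round(random_bits(6, 7776), 1),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:32s} {bits:6.1f} bits")
    print("example random password  :", random_password())
    print("example random passphrase:", random_passphrase())
```

The naive meter credits "Summer2020!" with about 72 bits, but against an attacker who tries dictionary-word-plus-year-plus-symbol combinations it is worth roughly 25 bits, which is why patterned passwords across many employees are cheap to guess. A 16-character random password or a six-word random passphrase sits near 80 to 105 bits, and that figure does not depend on the attacker's ignorance of any pattern.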
4. Physical Security
If you're one of those people who leaves their passwords on sticky notes on their desk, you may want to throw them away. Though many attacks are likely to happen through digital mediums, keeping sensitive physical documents secured is vital to the integrity of your company's security system.
Simple awareness of the risks of leaving documents, unattended computers and passwords around the office or home can reduce the security risk. By implementing a 'clean-desk' policy, the threat of unattended documents being stolen or copied can be significantly reduced.
5. Mobile Device Security
The changing landscape of IT technologies has made flexible working environments easier to support, and has brought more sophisticated security attacks along with it. With many people now having the option to work on the go using mobile devices, this increased connectivity comes with the risk of security breaches. For smaller companies this can be an effective way of saving budget; however, user-device accountability is an increasingly relevant aspect of training in 2020, especially for travelling or remote workers. The advent of malicious mobile apps has increased the risk of mobile phones carrying malware that could lead to a security breach.
Best practice online courses for mobile device workers can help educate employees to avoid risks without high-cost security protocols. Sensitive information on mobile devices should always be protected by a password, encryption or biometric authentication, so that it is not exposed if the device is lost or stolen. Safe use of personal devices is necessary training for any employees who work on their own devices.
Best practice is to require workers to sign a mobile security policy.
6. Working Remotely
In 2020, the trend towards flexible remote working is still growing dramatically; some recent figures suggest that "61% of global companies currently allow their staff to have some sort of remote working policy," according to MerchantSavvy.
Remote working can be positive for companies and empowering for employees, promoting increased productivity and greater work-life balance. This trend does, however, increase the risk of security breaches when employees are not educated on the risks of remote working. Personal devices that are used for work purposes should remain locked when unattended and have anti-virus software installed. If a company wants to offer this incentive, it should focus on educating remote employees in safe working practices.
7. Public Wi-Fi
Some employees who need to work remotely, travelling on trains and working on the move, may need extra training in how to use public Wi-Fi services safely. Fake public Wi-Fi networks, often posing as a coffee shop's free Wi-Fi, can leave end users vulnerable to entering information into insecure systems that are not what they appear to be.
Educating your users on the safe use of public Wi-Fi and the common signs of a potential scam will increase the company's awareness and minimise risk. WIRED magazine provides a helpful guide on avoiding the risks of public Wi-Fi.
8. Cloud Security
Cloud computing has revolutionised the way businesses store and access data. These digital applications are transforming businesses; however, with large amounts of private data being stored remotely comes the risk of large-scale hacks. Many big companies are working on data protection, and by choosing the right cloud service provider, cloud storage can be a much safer and more cost-effective way of storing your company's data.
As with the other topics mentioned, the end user is a much greater threat than attacks on the large-scale cloud companies themselves. Gartner predicts that by next year, 99% of all cloud security incidents will be the fault of the end user. Cyber security awareness training can therefore help guide employees through the secure use of cloud-based applications.
9. Social Media Use
We all share large parts of our lives on social media: from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to pose as a trusted source (see: social engineering).
Educating employees on protecting the privacy settings of their social media accounts, and on limiting what they share publicly about your company, will reduce the leverage that hackers can gain from access to your personal network.
10. Internet and Email Use
Some employees may already have been exposed to data breaches by using simple or reused passwords across multiple accounts. One study found that 59% of end users use the same password for every account. This means that if one account is compromised, a hacker can try the same password on work and social media accounts to gain access to all of the user's information on those accounts.
Some websites offer free software that is infected with malware; downloading applications only from trusted sources is the best way to keep malicious software off your computer. Educating employees on safe internet habits should be a key part of any IT induction. Although some may see this training as obvious, it is a key part of any security programme.
Many large websites have suffered major data breaches in recent years; if your information was entered into these sites, it could have been made public, exposing your private information. To check whether any website you have used has been exposed in a data breach, you can assess your risk score with a breach-lookup tool.
11. Social engineering
Social engineering is a common technique malicious actors use to gain the trust of employees, offering valuable lures or using impersonation to gain access to valuable personal information. To combat these threats, employees need to be educated on security awareness topics that cover the most common social engineering techniques and the psychology of influence (for instance scarcity, urgency and reciprocity).
For example, by posing as a viable client or offering incentives, malicious actors can persuade employees to unwittingly hand over private information. Increasing employee awareness of the threat of these impersonations is critical in reducing the risk of social engineering.
12. Security at Home
Unfortunately, the threat of malicious actors does not stop when you leave the workplace. Many companies allow their employees to use their personal devices, which is a great cost-saving method and allows flexible working; however, there are risks associated with this. Malware unwittingly downloaded onto personal devices can put the integrity of the company's network at risk if, for example, log-in details are compromised.
Additionally, the growing network of digital resources available to workers and companies has increased connectivity and productivity. However, these applications also pose a risk to the user: a study by Propeller found that phishing campaigns targeting Dropbox had a 13.6% click-through rate. Increasing employee knowledge, sharing files in encrypted form and verifying downloads before opening them will reduce the risk.
Other IT security awareness training topics
Alongside educating employees on security awareness training topics, compliance courses are increasingly necessary for employees as new regulations are imposed. GDPR compliance in the EU has led to new regulations regarding email, which may require re-training for many employees. Breaching these rules can lead to heavy fines, most notably in the cases of BA and Marriott Hotels.
Employees should also be aware of changing finance regulation, data protection, tax and more. By enrolling in automated online platforms for policy management, you can keep your employees up to date with the latest changes in policy and make sure they stay in the know.
Getting end user security awareness training right
All companies have different requirements, so ensuring a flexible cyber security awareness course that fits with your organisation's goals is vital to getting the right training for your staff.
By promoting a culture of conversation and awareness in your business on a regular basis through end user security awareness training, you can keep your employees up to date with the requirements to keep their personal and business information secure.