With human error playing a key part in 95% of cybersecurity breaches, managing employee cyber risk is essential for your business to steer clear of a user-related data breach and to demonstrate regulatory compliance.
One core component of a strong human risk management (HRM) program is ongoing security awareness training that educates end-users on how to identify and combat modern threats, as well as best practices for staying security-savvy.
But deciding to launch this type of training comes with some common questions, not least of which is deciding on the security awareness training topics you should be including.
In this article, you'll learn which topics should be included in your core security awareness training library for 2023, as well as how you can start educating your staff on these topics in a flash.
What are the most important security awareness training topics in 2023?
Here is usecure's list of the most relevant cyber security awareness training topics for employees in 2023:
The top 12 cyber security awareness training topics:
1. Phishing Attacks
In a report conducted by Slashnext in 2022,
The first quarter of 2022 saw a dramatic increase in phishing attacks. Cybersecurity vendor, CheckPoint, revealed in their 2022 Q1 Brand Phishing Report that phishing attacks impersonating the professional social networking site made up over half (52%) of all attempts globally in the first quarter of 2022. This represents a 44% increase compared to the previous quarter, Q4 2021 when LinkedIn was the fifth most impersonated brand.
But why is phishing still such a threat to businesses in 2023?
One major factor is how sophisticated these types of attacks have become. Attackers are now using smarter techniques to trick employees into compromising sensitive data or downloading malicious attachments.
For example, business email compromise (BEC) is a common form of phishing that uses prior research on a specific individual — such as a company's senior executive — in order to create an attack that can be incredibly difficult to distinguish from a real email.
Partner these more intelligent attacks with the common misconception that phishing is 'easy to spot', then there is no wonder why many businesses are forecast to suffer a phishing-related breach in 2023.
Employees need regular training on how the spot phishing attacks that use modern techniques, as well as how to report a phishing attack as soon as they believe they have been targeted.
2. Removable Media
Another security awareness topic that is used daily by companies is removable media. Removable media is the portable storage medium that allows users to copy data to the device and then remove it from the device to another and vice versa. USB devices containing malware can be left for end-users to find when they plug this into their device.
"Researchers dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus. 98% of these drives were picked up! In addition, 45% of these drives were not only picked up, but individuals clicked on the files they found inside"*
As well as understanding the risks your employees need to know how to use these devices safely and responsibly in your business. There are numerous reasons a company would decide to use removable media in their environment. However, with all technologies, there will always be potential risks. As well as the devices themselves, it is important your employees are protecting the data on these devices. Whether it's personal or corporate, all data has some form of value.
A few common examples of removable media you and your employees might use in the workplace are:
- USB sticks
- SD cards
This security awareness topic should be included in your training and cover examples of removable media, why it's used in businesses, as well as how your employees can prevent the risks such as lost or stolen removable devices, malware infections and copyright infringement.
3. Passwords and Authentication
A very simple but often overlooked element that can help your company's security is password security. Often commonly used passwords will be guessed by malicious actors in the hope of gaining access to your accounts. Using simple passwords, or having recognisable password patterns for employees can make it simple for cyber-criminals to access a large range of accounts. Once this information is stolen it can be made public or sold for profit on the deep web.
Implementing randomised passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Other steps, such as two-factor authentication, provide extra layers of security that protect the integrity of the account.
4. Physical Security
If you're one of those people who leave their passwords on sticky notes on their desk, you may want to throw them away. Though many attacks are likely to happen through digital mediums, keeping sensitive physical documents secured is vital to the integrity of your company's security system.
Simple awareness of the risks of leaving documents, unattended computers and passwords around the office space or home can reduce the security risk. By implementing a 'clean-desk' policy, the threat of unattended documents being stolen or copied can be significantly reduced.
5. Mobile Device Security
The changing landscape of IT technologies has improved the ability for flexible working environments, and along with it more sophisticated security attacks. With many people now having the option to work on the go using mobile devices, this increased connectivity has come with the risk of security breaches. For smaller companies this can be an effective way of saving budget, however, user-device accountability is an increasingly relevant aspect of training in 2023, especially for travelling or remote workers. The advent of malicious mobile apps has increased the risk of mobile phones containing malware which could potentially lead to a security breach.
Best practice online courses for mobile device workers can help educate employees to avoid risks, without high-cost security protocols. Mobile devices should always have sensitive information password-protected, encrypted or with biometric authentication in the event of the device being lost or stolen. The safe use of personal devices is necessary training for any employees who work on their own devices.
Best community practice is making sure workers should have to sign a mobile security policy.
6. Working Remotely
In 2021, the obvious need for remote working, combined with the increasing uptake, led to many companies taking drastic steps towards full time working from home policies. Remote working can be positive for companies and empowering for employees promoting increased productivity and greater work-life balance. This trend does however pose an increased threat to security breaches when not safely educated on the risks of remote working. Personal devices that are used for work purposes should remain locked when unattended and have anti-virus software installed. If a company wants to offer this incentive, it should focus on educating remote employees on safe working practices.
Going into 2023, it is likely that this trend will continue. Though we hope to see offices reopening and a return to normal working life, companies have increasingly hired remote workers, and those who have adapted to WFH lifestyle may prefer to work this way. The need to train employees to understand and manage their own cybersecurity is apparent. As we've seen there is an increasing threat landscape targeting these individuals. Ensuring they keep security top of mind is a key theme of 2023.
7. Public Wi-Fi
Some employees who need to work remotely, travelling on trains and working on the move may need extra training in understanding how to safely use public Wi-Fi services. Fake public Wi-Fi networks, often posing in coffee shops as free Wi-Fi, can leave end-users vulnerable to entering information into non-secure public servers.
Educating your users on the safe use of public Wi-Fi and the common signs to spot a potential scam will increase the companies awareness and minimise risk. WIRED magazine provides a helpful guide on avoiding the risks of public Wi-Fi.
8. Cloud Security
Cloud computing has revolutionised businesses, the way data is stored and accessed. These digital applications are transforming businesses, however, with large amounts of private data being stored remotely comes the risk of large-scale hacks. Many big companies are working on data protection, but by choosing the right cloud service provider cloud storage can be a much safer and cost-effective way of storing your company's data.
As with the other topics mentioned, insider hacking is much more of a threat than to large scale cloud companies. Gartner predicts that by next year, 99% of all cloud security incidents will be the fault of the end-user. Therefore, cyber security awareness training can help guide employees through the secure use of cloud-based applications.
9. Social Media Use
We all share large parts of our lives on social media: from holidays to events and work. But oversharing can lead to sensitive information being available, making it easy for a malicious actor to pose as a trusted source (see: social engineering).
Educating employees on protecting the privacy settings of their social media accounts, and preventing the spread of public information of your company will reduce the risk of the potential leverage that hackers can gain from this access to your personal network.
10. Internet and Email Use
Some employees may have already been exposed to data breaches, by using simple or repeat emails for multiple accounts. One study found that 59% of end-users use the same password for every account. This means that if one account is compromised, a hacker can use this password on work and social media accounts to gain access to all of the user's information on these accounts.
Often websites offer free software infected with malware, downloaded applications from trusted sources only is the best way to protect your computer from installing any malicious software. Educating employees on safe internet habits should be a key part of any IT induction, though some may see this training as obvious, it is a key part of the safety of any security programme.
Many large websites have had large data breaches in recent years, if your information has been entered into these sites, it could have been made public and exposed your private information.
11. Social engineering
Social engineering is a common technique malicious actors use to gain the trust of employees, offering valuable lures or using impersonation to gain access to valuable personal information. Employees need to be educated on security awareness topics that cover the most common social engineering techniques and the psychology of influence (for instance: scarcity, urgency and reciprocity), in order to combat these threats.
For example, by posing as a viable client or offering incentives, private information can unwittingly be handed over to these malicious actors. Increasing employee awareness of the threat of these impersonations is critical in reducing the risk of social engineering.
12. Security at Home
Unfortunately, the threat of malicious actors does not stop when you leave the workplace. Many companies allow their employees to use their personal devices, which is a great cost-saving method and allows flexible working, however, there are risks associated with this. Unwittingly malware downloaded applications on personal devices can risk the integrity of the company's network if, for example, log-in details are compromised.
Additionally, The growing network of digital resources available to workers and companies has increased connectivity and productivity. However, these applications also pose a risk to the user, a study by Propeller found that phishing campaigns targeted to dropbox had a 13.6% click-through rate. Increasing employee knowledge, sharing encrypted files and authenticating downloads will reduce the risk.
Other IT security awareness training topics
Alongside educating employees on security awareness training topics, as new regulations are imposed, compliance courses are increasingly necessary for employees. GDPR compliance in the EU has led to new regulations regarding email, which may require re-training for many employees. Breaching these rules can lead to heavy fines, most notably BA and Marriott hotels.
Employees should also be aware of changing finance regulations, data protection, tax and more. By enrolling in automated online platforms for policy management, you can keep your employees up to date with the latest changes in policy and make sure they stay in the know.
Getting end-user security awareness training right
All companies have different requirements, so ensuring a flexible cyber security awareness course that fits with your organisation's goals is vital to getting the right training for your staff.
By promoting a culture of conversation and awareness in your business on a regular basis through end-user security awareness training, you can keep your employees up to date with the requirements to keep their personal and business information secure.
Launch your security awareness training program
Deliver bite-sized video and interactive training, tailored to each users' unique risks and achieved through intelligent automation.