The following security awareness training topics should be covered in your cyber security awareness training program. Each security awareness topic should discuss an overview of the concept, why it is important, and the risk to your organization.
All of your employees should have a basic understanding of these security topics, but they should also be able to apply critical thinking and use that knowledge within your organization. Prioritize the delivery of these cyber security awareness topics by first identifying the biggest risks to your organization.
Use these security awareness training topics as a guide to help build a strategy for your own security awareness program.
Here are the must-have topics for your security awareness training.
Phishing is when an email is sent to an employee requesting them to click a link to update or enter their password.
The employee’s password is then sent to the hacker and used to compromise their online accounts. Employees need to understand how to identify a phishing attack and how to defend against it by not clicking suspicious links.
Passwords are an integral part of our online accounts and aren’t going away anytime soon.
Employees should understand how to create strong passwords and learn why passwords are so important in protecting their online accounts. They should also understand the risk of password reuse between personal and corporate accounts.
Ransomware is malicious software that encrypts data on a computer until a sum of money is paid to the hacker.
Employees should be aware that ransomware is one of the most popular threats targeting businesses across the world. If the ransom is not paid, your computer and all of its data are unrecoverable. The best way to defend against ransomware is to prevent it from happening in the first place.
Information security is the act of protecting digital information assets.
Employees should understand that accessing information is a privilege and “need to know access” should be practiced at all times. Sharing sensitive data should be taken very seriously and employees should know your organization’s policy for protecting information.
Removable media such as USB drives, external hard drives, and other portable storage devices can be a major risk for your organization.
Employees should be aware of how quickly plugging one of these devices into a computer system can impact security, and how to protect sensitive information when using removable media.
Social engineering uses social interactions to manipulate someone into undesired actions.
Employees need to understand when and how to identify a social engineering attack. They need to slow down when someone requests sensitive information, and they should be trained not to disclose it, step out of line, or be manipulated into breaking company procedures.
Physical security is protecting secure areas that require privileged access.
Employees should understand the risks of propping doors open and the importance of protecting secure areas. Terms such as piggybacking and tailgating should be easily recognizable to employees, and they should know where to report such activities.
Browsing websites on the Internet is a privilege and secure browsing techniques should be practiced.
Employees should be aware of how to identify a suspicious website and how such sites can be a major risk for your organization. They should also understand the importance of keeping browsers up to date and securely configured.
If your organization experiences a cyber security incident, a plan should be ready on how to respond.
Employees must be aware of their role in the response effort. Your organization should practice responding to mock incidents at least annually and discuss which plans and procedures are needed to respond to cyber incidents.
We are all connected to our mobile devices and that makes mobile devices a huge vulnerability in our organizations.
Employees should be aware of what risks mobile devices introduce and how physically securing mobile devices is important to protect against unauthorized use if a device is stolen. These devices can unlock sensitive information and must be protected by your employees with strong passcodes.
Business Email Compromise
BEC attacks occur when an email account is compromised and then used to transfer money out of an organization.
Employees should be aware of how to identify an email attack and what characteristics make a request suspicious. They should be trained to follow processes and procedures for authorizing transactions.
Sensitive information can fall into the wrong hands if left unattended or in plain view.
Employees should be aware of best practices to prevent sensitive information from being viewed by unauthorized sources. This would include locking computers when unattended, keeping sensitive files in a locked cabinet when not in use, and being aware of your surroundings when working on sensitive data.
Wi-Fi is everywhere we go, but employees should realize that not all networks are safe.
Employees should be aware of safe Wi-Fi practices and understand the concept of using a VPN. Wi-Fi will continue to be a major threat to mobile employees, and they should be trained on how to defend against these threats when working remotely.
Multi-factor authentication secures online accounts by requiring two different forms of identification before a user can access a service or application.
Employees should be aware of the concept of multi-factor authentication and why it is useful for them at work and in their personal lives. They should be trained to use multi-factor authentication when available and understand how it protects their online accounts.
Privacy is the expectation that your sensitive information is protected and not being shared with others without your consent.
Everyone needs to understand the challenges and ethics behind data privacy best practices, especially various regulations relating to their organization and their roles in protecting sensitive data.
It’s crucial to make sure that you have locked or logged out of your devices when leaving them unattended.
Employees need to know how to use physical protections for locking devices, why having a strong password is important, and the unintended consequences of leaving devices unattended. Unlocked devices are a playground for anyone looking to steal data, install malware, or cause any number of other serious problems.
Gift Card Scam
Gift cards are an easy way for hackers to steal money by pretending to be someone you trust.
Employees should know how gift card scams work and why a hacker might target someone at your business. If a suspicious gift card request is received, employees should know how to verify the authenticity of the request and follow a process for reporting potential gift card scams.
There is a huge security risk if you reuse passwords across multiple accounts.
It’s important for employees to recognize how a password can be exposed through a data breach, and how to level up password protection by turning on two-factor or multi-factor authentication (2FA / MFA).
Any information on social media can be used by hackers to target potential victims.
When training your employees on the risks of social media, ask them to consider what sensitive information may be inadvertently exposed through various channels, and understand the difference between misinformation vs. disinformation.
It just takes a single person for malware to find its way into all of your organization’s systems.
Employees need to know how to spot and stop various types of malware, such as ransomware and spyware, plus the best defenses to protect against a potential malware attack.
Every employee needs to know how they play a part in keeping sensitive information secure.
The importance of protecting confidential information cannot be overstated. Employees must understand the basic principles of data classification as well as “need to know” access behaviors.