Employees' risky IT behavior opens the door to a wide range of cybersecurity threats and attacks. As those threats continue to evolve, protecting Personally Identifiable Information (PII) and safeguarding sensitive data matters more than ever. Human error is routinely cited as the single biggest cause of data breaches. According to Cybint, a global cyber education company, “95% of cybersecurity breaches are due to human error.”

To thwart cybersecurity threats and attacks and avoid compliance issues, cybersecurity awareness training has fast become a requirement for employees, and many regulatory and industry frameworks such as SOX, PCI DSS, HIPAA, and CCPA either require it outright or treat it as part of reasonable security.

Here are the top 7 cybersecurity awareness training tips for employees, according to the National Institute of Standards & Technology (NIST).

1 - Protect Your Sensitive Information and Data - Be wary of unsolicited emails, phone calls, instant messages, and text messages. Scammers use these channels to harvest your PII, such as a credit card number or social security number. Fraudsters also register email addresses and websites that look legitimate and use phishing attacks to trick you into entering private data there, often dangling incentives such as free stuff, gifts, or business opportunities.
To avoid an online scam, do not share your own or your company's data with anyone other than a verified, legitimate source; if you are not sure a request is legitimate, call the sender on a number you already know and verify. When in doubt, give a shout out! Use spam filters, and never enter personal information in response to a pop-up web page.
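The lookalike tricks described above (a link whose visible text points at a trusted domain while its real target does not, a brand name hidden inside an attacker's domain, or a punycode/IDN host that renders like a familiar one) can be checked mechanically. The following is an added example, not code from the original article: it parses the links in an HTML email body and reports the ones an employee should not click. The trusted-domain list and the sample email are constructed for the demonstration, and the "registrable domain" logic is a deliberate simplification (it does not use a public-suffix list).

```python
"""Flag email links whose visible text disagrees with where they actually point.

Added example (not from the original article). TRUSTED_DOMAINS and SAMPLE_EMAIL
are constructed inputs for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of domains this hypothetical company trusts.
TRUSTED_DOMAINS = {"example.com", "bank.example"}


def registrable(host):
    """Crude 'registrable domain' = last two labels (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, reason) for links that show phishing tell-tales."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # Non-ASCII or punycode labels are where homograph lookalikes hide.
        if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
            findings.append((href, "punycode/IDN host (possible homograph)"))
        # Visible text looks like a URL or domain but the link goes somewhere else.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and registrable(m.group(1)) != registrable(host):
            findings.append((href, f"text says {m.group(1)} but link goes to {host}"))
        # A trusted name used as a prefix/subdomain of a domain we do not own.
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and registrable(host) != trusted:
                findings.append((href, f"lookalike of {trusted}: {host}"))
    return findings


# Constructed sample: two phishing links and one genuine intranet link.
SAMPLE_EMAIL = """
<p>Your password expires today.
<a href="http://example.com.login-reset.net/x">https://example.com/reset</a></p>
<p>Or visit <a href="https://xn--exmple-cua.com/">our portal</a></p>
<p>Company intranet: <a href="https://intranet.example.com/">https://intranet.example.com/</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The first link trips two rules (its text names example.com while the target's registrable domain is login-reset.net, and the trusted name is merely a prefix of the attacker's host), the second trips the punycode rule, and the genuine intranet link passes. A mail gateway would run the same checks at scale; for a user, the lesson is to hover over a link and compare the real target with what the text claims.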

2 - Be Aware of the Dangers of Removable Media - Only plug removable media into your computer if you trust its source. If you find a USB flash drive lying near your office, it is probably not there by accident: attackers plant such drives deliberately, preloaded with malware. As soon as you connect it, they can gain initial network access, deliver further malware, steal credentials or company secrets, exfiltrate data, or destroy it. Preventive measures include disabling autorun on all computers, disallowing the use of removable media, encrypting information stored on removable media, applying strong password policies, using an antivirus program, and reporting missing removable media immediately. Note that disabling autorun only helps against drives that carry malicious files; a device that presents itself as a keyboard and types commands is not stopped by it, so device control that allow-lists approved USB devices matters as well.

3 - Use Strong Passwords and Authentication - Use passwords that are long, strong, and hard to guess. A strong password makes dictionary, brute-force, and rainbow-table attacks impractical. When creating a password, never use personal information such as your name, country, birthday, or vehicle number. Make it at least 12 characters long and use at least 3 of the 4 character types: uppercase letters, lowercase letters, numbers, and symbols. Never use the same password for more than one account. Use multifactor authentication when accessing sensitive or personal accounts; in fact, it adds a valuable extra layer of security to every account that offers it. One caveat: NIST's current guidance in SP 800-63B favors length and screening candidate passwords against lists of known-breached passwords over mandatory composition rules, so treat the character-type rule as a floor rather than a guarantee of strength.
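As an added example (not code from the original article), here is a password-policy check that enforces the rules listed above: minimum length, at least three character classes, no personal-information tokens, and no reuse. It goes one step beyond the text by also screening against a breach list, as NIST SP 800-63B recommends. The personal-information tokens and the tiny "breached" set are constructed stand-ins; a real deployment would compare against a full breach corpus such as an HIBP-style hash list (an assumption, not shown here), and would store previous-password hashes rather than the passwords themselves.

```python
"""Check a candidate password against the article's rules plus a breach-list screen.

Added example (not from the original article). BREACHED_SHA1 is a constructed
stand-in for a real breach corpus.
"""
import hashlib

MIN_LENGTH = 12
MIN_CLASSES = 3

# Constructed: SHA-1 digests of a few well-known weak passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "Password123!", "Welcome2024!")
}


def sha1_hex(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def char_classes(pw):
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    return (
        any(c.islower() for c in pw)
        + any(c.isupper() for c in pw)
        + any(c.isdigit() for c in pw)
        + any(not c.isalnum() for c in pw)
    )


def personal_info_hits(pw, personal):
    """Return the personal tokens (name, birth year, plate, ...) embedded in pw, case-insensitively."""
    low = pw.lower()
    return [t for t in personal if len(t) >= 3 and t.lower() in low]


def check_password(pw, personal=(), previous_sha1=frozenset()):
    """Return the list of failed rules; an empty list means the password is acceptable.

    previous_sha1: SHA-1 digests of passwords already used on other accounts
    (stored as hashes so the old passwords themselves are never kept).
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    hits = personal_info_hits(pw, personal)
    if hits:
        problems.append("contains personal info: " + ", ".join(hits))
    digest = sha1_hex(pw)
    if digest in previous_sha1:
        problems.append("reused from another account")
    if digest in BREACHED_SHA1:
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    # Constructed examples: a weak one built from personal data, a policy-compliant
    # one that is nevertheless in the breach list, and an acceptable one.
    me = ("Alice", "Smith", "1990", "ABC123")
    for candidate in ("alice1990xyz", "Welcome2024!", "correct-Horse9battery"):
        print(candidate, "->", check_password(candidate, personal=me) or "OK")
```

The second candidate is instructive: it satisfies every composition rule in the article and would still be among the first guesses in a dictionary attack, which is exactly why the breach-list screen is worth adding.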

4 - Adhere to a Clean Desk Policy - A clean desk policy says that the documents and media on your desk should be limited to what the current task needs. When you leave the office, securely store all confidential and private information.

5 - Ensure Physical Security - Prying eyes may watch and steal your password as you type it; this is known as “shoulder surfing.” Letting someone follow you through a door into a restricted area is also dangerous; that technique is called “tailgating.” Physical security is provided by hardware locks (biometric locks such as fingerprint or retina scanners, smart cards, PIN locks), mantraps, proper lighting, proximity readers, fencing, video surveillance, barricades, guards, alarms, and motion detectors.

6 - Comply With the Bring-Your-Own-Device (BYOD) Policy - Data leakage, malware, and hacking are the biggest BYOD security risks. Personal devices are not part of your company's IT infrastructure, so they are not protected by the company's security systems and firewalls. The BYOD policy tells you how to use your personal device at work. Typically it includes the following:

  • Enable full-disk encryption on BYOD devices.
  • Use a VPN when working from public WiFi.
  • Run the company-approved antivirus on your BYOD device.
  • Download applications only from the manufacturer's website or from the major app stores.

7 - Keep Your Security Software Up-to-date and Back Up Your Files - Outdated antivirus programs, IDS, IPS, firewalls, endpoint protection, and other security tools leave gaps that lead to data breaches, and if you do not back up your critical files you may lose them forever in a cyber-attack. Keep your antivirus, firewalls, operating system, SOC platform, and other security tools up to date to avoid future cyber disasters, and back up your sensitive data in the cloud or on an external drive. A data backup plan is like putting your data in a vault: you can access it quickly in an emergency. Keep at least one copy offline or otherwise immutable, since ransomware that can reach a connected backup will encrypt it too, and test restoring from your backups periodically so you know they actually work.

The Bottom Line

Cybersecurity awareness training is indispensable for employees to steer clear of phishing attempts and other social engineering attacks such as baiting, pretexting, vishing and smishing, quid pro quo, tailgating, and piggybacking. It is also a terrific tool for learning to spot malware behaviors, follow company IT policies and best practices, report cybersecurity threats, and adhere to regulatory standards such as HIPAA, PCI DSS, GDPR, and so on.