Security Training 101: Employee Education Checklist
Security awareness training can go a long way in arming your organization against intruders. For those who want to make sure they hit the right points, we’ve put together this quick-hit employee education checklist. Feel free to tailor the bullets to what your organization needs, and for a more in-depth rundown, consider reading “Security Training 101: Employee Education Essentials.”
- Never reuse passwords.
- Use a password manager.
- Enable MFA wherever possible.
- For password changes, always navigate to the actual website. Unless it’s a password reset email you initiated, it’s a red flag if an email asks you to change your password from within the email.
Secure Work Devices
- Keep your device up to date with the latest system updates and patches.
- Antivirus is required on all work devices.
- The following policies are required on all work systems, and you shouldn’t try to subvert them:
  [List required policies here. Full disk encryption, system screen lock, and disabled guest accounts are great places to start.]
- You are responsible for your devices, so always be thinking about how to keep them safe. Always know where your devices are and who could have access to them.
- Contact [insert name/contact info] immediately if you notice your device is missing.
- Lock your laptop whenever you walk away from it.
- MFA must be enabled on all laptops where possible.
- Never use a USB drive that wasn’t purchased by you or the company, and never use one given to you by someone outside the company. If you happen to find a USB drive on the street or in a coffee shop, throw it away.
- Store all work devices in a safe place 24/7, either under watch or securely locked away.
- Be careful where you store sensitive data, and be mindful of what permissions are set on each folder and file. When possible, grant access on an individual basis.
- Make sure all data is backed up in the appropriate place.
- Encrypt data when it makes sense, or place it in files and folders with very strict permissions.
- Don’t consider email a secure medium of communication. Refrain from sending attachments or sensitive information you wouldn’t want publicized.
- When you are in a public area, be cautious about logging into anything, and make sure nobody is peering over your shoulder as you do.
- Email is at the center of the organization’s authentication space, so it’s imperative you don’t lose control over it. If you think you have lost control over your email, contact [insert name/email address] right away.
- Do not click on links in emails. When possible, manually navigate to the site to complete any action the email is requesting.
- Don’t assume an email is from who it claims to be.
- Don’t open attachments from emails you’re not expecting, and stick to sharing files via [insert name of designated file sharing software, e.g., Google Drive, Office 365, etc.].
- Don’t add plugins without a true business need.
- Stay away from websites that use HTTP rather than HTTPS, but don’t rely solely on the lock icon to decide whether you are safe. Take five seconds to double-check the rest of the URL.
- Remote wipe should be enabled on your phone. If your email is on your phone, a lot of damage can be done if it is lost or stolen and broken into.
- Keep your phone up to date with the latest security patches.
Secure the Office
- [cameras, guards, etc.]
- No tailgating (strangers sneaking in as the door closes).
- Erase content on whiteboards when you’re done.
- When you notice an unfamiliar person in the office, feel free to question them and find out what they need. If necessary, have them wait in a designated visitor area.
Secure Intellectual Property
- Don’t download or save intellectual property on personal drives.
- Don’t discuss intellectual property with anyone outside of the company.
- When you absolutely need to use public WiFi, use a virtual private network (VPN).
- Connect mobile devices only to [insert name of network].
- Only connect work systems to [insert name of network].
Secure Interactions with the Public
- Be wary of interactions that you did not initiate, and never give out information in these situations. If the request is legitimate, they should already have everything they need.
- You will be targeted because of your connection with the company. If you ever have an interaction where you feel pressured to give an answer right away, the answer is no.
- Don’t share private information with the public.
- Watch out for malicious links in social networking communication.
- Be careful about what information you post on social networks. In particular, post pictures of a company event or a vacation only after it’s over.
What to Do If There’s a Problem
- Security training is held every [insert recurring time frame here, e.g., quarterly, semi-annually, etc.], and it is mandatory.
- It’s crucial that you involve the security team when there is a problem. You won’t get in trouble if you make a mistake or a bad decision; however, you will be in trouble if you don’t tell anybody about it.
By covering these talking points, your employees will be prepared to do their part in protecting your organization. Coupled with the right security tools, you’ll have a solid start on building a strong security foundation. This checklist is meant as a starting point, so adjust the bullet points to fit your company and its needs.
Keep in mind that security training shouldn’t just be about the dos and don’ts. Make sure to contextualize these points and show your employees how to apply them as they go about their jobs every day. For real-life stories that demonstrate the importance of the items on this checklist, see Security Training 101: Employee Education Essentials.
Why Security Matters to Us
At JumpCloud, we live and breathe security every day. As an identity and access management platform, our customers must be able to trust us to uphold the highest standards of security. We also help organizations check many of these boxes, from our system policies (enforceable on Mac/Windows/Linux) to our password management capabilities (including MFA, password rotation, and complexity). You can learn more about JumpCloud’s Directory-as-a-Service platform here.