There is no such thing as an organization that is too small to be a target for hackers. In fact, Verizon’s 2018 Data Breach Investigation Report found that 58% of data breach victims were small businesses. So, it’s crucial for companies of all sizes to take security seriously. While implementing security technology is a great place to start, it’s also imperative to educate employees by conducting regular security awareness training. Small organizations don’t always have the luxury of having a security team to lead this, but with the right materials, anybody in an organization with an interest can conduct security training sessions. If you simply can’t dedicate resources towards having an in-house security guru, consider reaching out to a managed service provider (MSP) that offers managed security services. As IT experts, they can be a really effective partner in helping you achieve your security and operational goals. So what should a security training session cover? Well, we’ve put together this security training guide that will cover employee education essentials, some ideas on how to conduct the training, and a video on the matter.
Why Security Awareness Training?
“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”
— Daryl White, DOI CIO
In a U.S. State of Cybercrime survey, 42% of the respondents stated that security awareness training helped to deter attacks. The same report also found that, when a cybersecurity incident occurred, organizations without a security training program experienced 300% greater financial loss than those that did have one. If that’s not convincing, consider that regular security awareness training is required to meet compliance regulations such as HIPAA, PCI-DSS, GLBA, ISO, and others. Whether or not you are required to do it, security training can go a long way in protecting your organization from the fines and disasters that result from a security breach.
Now that you are armed with a couple of reasons you can share as to why it’s important, let’s go over the principles of security training.
Security Training Essentials
Below, we will walk you through talking points that you can cover in your security awareness training. In addition to these points, we’ve also included a few real world scenarios that describe how threat actors use some of these attack vectors to their advantage. By doing so, we hope to illustrate the need to cover many of these talking points, and to provide you with real world examples that you can share with your employees. This can be an effective way to teach them what to look out for and to help them understand why they need to take security seriously.
Identities are the number one attack vector, so it’s imperative that your employees understand how to protect them. Remind them that their passwords need to be as long and complex as possible, as well as impossible to guess. Passwords should never be reused or shared, and MFA should be enabled wherever possible. Lastly, inform your employees that they should never change a password via an email (an exception to this is a password reset email that they without a doubt requested themselves). If they know their password and they need to change it, they should always navigate to the actual site and change it there.
Inform employees of any security measures required for email. We’d recommend requiring MFA and emphasizing to your employees that email is at the center of the organization’s authentication space. As such, it would be catastrophic if they lost control over their email account. If they ever do, let them know they should immediately contact whoever is responsible for security or IT.
Additionally, stress the importance of taking a few seconds to critically think through why they are receiving an email. For example, they could make a habit of running through some of these questions:
- Does this email make sense?
- Did I click a link asking for this email?
- Did I ask someone (a team member or customer) to send me this?
- Did I engage with a website to send me marketing emails?
When possible, a good rule of thumb to follow is that if anybody receives an email from a site that is requesting some sort of action, they should manually type the site address into their browser and navigate to the site that way. Generally, they should learn to distrust that an email is from whom it claims to be. Lastly, they should know not to open attachments from emails they’re not expecting to receive.
Hook, Line, and Phished
True Story: One afternoon, an accountant in an organization received an email from an individual claiming to have paid a late invoice. All the accountant needed to do to claim the payment was to click a link and provide their email credentials, which they did. Yep, they had gotten phished. And, once the attacker got their hands on those email credentials, they logged into the accountant’s email and studied the organization’s wire transfer approval process by searching through emails. The attacker then used previously sent invoices and forms to fabricate an approval email chain, which the attacker sent to the wire transfers department. Suffice it to say, the attacker walked away with a lucrative sum of money. Read the full story here, page 16.
Moral of the Story:
- Email is a goldmine of information and at the center of authentication in any organization. Once those credentials are stolen, the sky’s the limit for attackers.
- Require/use MFA wherever possible. If MFA had been required on email in the story above, this incident could have been prevented.
- If you read the full story, you’ll find out that the organization relied heavily on tools to block fishy URLs on the corporate network. However, the accountant was on their home network when they received the phishing email, and consequently out of reach of the URL blocking tools. If they aren’t the main line of defense, your employees will be the last stand against an attacker. That’s why employee education is just as important as security technology.
Next, make sure to talk to your employees about how they can secure their work system. Inform them that they should only do company work on company machines. In other words, they should limit the amount of personal activity on their work device, and they should never access work on their personal device. The more you say it, the sooner they’ll get it down.
They should know that full disk encryption (FDE) and anti-virus software are required, and they should do their best to avoid losing their laptop. In the event that they do lose their laptop, make sure they know how to contact the security team and that they should do so right away. If there isn’t a security team, let them know who to contact and how to contact them, whether that’s an IT admin, your MSP, or another individual in your organization.
Where possible, MFA should be enabled on their work system. Additionally, you might want to let them know about the system policies that are in place on their devices if you have set some, and that they should not try to subvert these security measures.
Remind them to always lock their computer when they leave it unattended, even if it’s just to get a coffee refill in the kitchen. They should never insert flash drives of unknown origins. If your organization provides employees with laptops, let them know they should bring their laptop home each night because it’s best to minimize who has physical access to their device.
Remind employees of the physical security that is in place in your office, like cameras. If your office requires a key or a fob for entry, let them know that there should be no tailgating. We don’t mean in the parking lot before the big game, but rather a stranger sneaking in as the door closes.
Also, inform them that they should erase content on whiteboards when they’re done. When they print sensitive information, let them know they should retrieve it immediately and be sure to shred it once they no longer need it.
It’s a good idea to set the tone for what to do about visitors, too. For example, when they notice a visitor, should they feel free to question them? Where can they direct visitors to wait? Having firm answers to these questions can help employees be proactive in case of an intruder.
Leave No Stone Unturned
True Story: One particular organization had strong systems in place to offboard ex-employees from digital IT resources; however, they weren’t always so prompt in deprovisioning building access credentials. Then one day, a disgruntled ex-employee used this security weakness to their advantage to exact revenge. Using their “still-yet-to-be-disabled building access card” they entered the building, and were then able to gain entry into a room with an unlocked work system. They plugged a USB flash drive into the machine and had plans to steal and expose sensitive data. Luckily, forensic analysis alerted the company to the malicious activity, and they were able to put a stop to it before the ex-employee was successful. Read the full story here.
Moral of the Story:
- Not only is it important to immediately terminate a fired employee’s network access, but their office access as well.
- This story also demonstrates why it’s important to enforce certain system policies like those that enforce screen lock and disable USB drives. They can help prevent malicious activity on work devices.
Intellectual Property and Data
Security awareness training is also a good time to clarify your rules around intellectual property. Your employees should know what is considered company property, and what the rules are for storing it. Also, establish general rules regarding what they can or can’t talk about with non-company personnel.
Along the same lines, you should consider going over how to secure data. Ideally you should have rules in place about where employees should and should not store sensitive company data.
If your organization utilizes cloud productivity platforms like G Suite™ or Office 365™, warn your employees to be mindful of who they grant permission to access these files and folders, and that it’s best to share files and folders on an individual basis when possible. Also, advise employees to password protect data files where it makes sense, or to place those files in folders with strict access controls.
When data is sent via email, they should assume it is compromised the moment it is sent, and they should always know what, to whom, and why something is being sent.
Warn employees to be mindful about logging into an account in a public area, like Starbucks or while riding the bus. They especially need to be wary of someone peering over their shoulder, because this is an easy way for someone to steal credentials.
Speaking of public areas, let them know that they should avoid public WiFi whenever possible and use it only if they absolutely need to. While public WiFi can be extremely convenient, it can also be one of the easiest ways to compromise a set of credentials and a device. Lay out for your employees that they’re essentially ceding control of their network traffic to whoever has access to the router. Some great questions to run through before connecting to public WiFi are:
- Do I trust the coffee shop I’m at to also be experts in network security?
- Do I trust that nobody has tampered with the router?
- Do I trust that the router has been updated recently?
- Would I have an intimate conversation with, say, my tax lawyer in a crowded coffee shop? If no, then it’s probably not the best idea to conduct online banking over the WiFi either.
It ultimately comes down to one’s risk model and what you’re comfortable exposing, but public WiFi is fundamentally an insecure method of communication. When in dire need of the internet, some alternatives to public WiFi include using mobile data on their phone or creating a mobile hotspot. For the times that’s not an option and they need to take that risk, a VPN (virtual private network) can help mitigate some of that risk, but not all of it.
Lastly, security training is a great time to also notify them of any company rules you have about company WiFi (e.g., if there are certain networks they should or shouldn’t connect their phone to).
A Night with The DarkHotel
True Story: In 2014, the world learned of an advanced hacking group called The DarkHotel. They have since moved on to other types of attacks, but they were initially known for taking over WiFi networks in popular hotels across southeast Asia. They typically targeted traveling businessmen staying at those hotels; their main method of attack was to deliver fake software updates for applications over the public WiFi to the person’s device. If the target fell for it, the hacking group was able to steal work data from the device and use it to compromise the company the employee worked for. Read more here.
Moral of the Story:
- Whether it’s for personal use or work, it’s best to simply avoid using public WiFi altogether. You just don’t know who’s listening or what creative attack methods could find you.
- This story also shows the prudence of limiting who has access to what. Stolen data from a work laptop could be merely an annoyance, not a catastrophe, if the right access controls are in place.
Browsers and Phones
Implore your users to leverage a secure browser like Chrome, to only use plugins that have a true business need, and to stick to websites that use HTTPS. However, it’s a good idea to let them know that many phishing websites now use HTTPS, so they shouldn’t solely rely on that lock icon to determine whether or not a website is safe. It never hurts to double check, for example, that they are in fact on google.com and not go0gle.com. Lastly, they should listen when their browser warns them about entering a website; this is often a sign that something is off.
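The go0gle.com example above is a lookalike domain: the lock icon says nothing about whether the name itself is genuine. The check below is an added example, not part of the original article, showing how a defender can flag such names against an allowlist by folding visually confusable characters and measuring edit distance; the trusted-domain list and sample URLs are constructed for the demonstration.

```python
"""Flag hostnames that merely look like a trusted domain (added example)."""
from urllib.parse import urlsplit

# Constructed sample allowlist; an organization would maintain its own.
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "jumpcloud.com"}

# Digits and letters that are commonly swapped for their visual twins.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "\u0131": "i",  # dotless i
    "\u0430": "a",  # Cyrillic a
    "\u043e": "o",  # Cyrillic o
})


def registrable_domain(url: str) -> str:
    """Return the host's last two labels, e.g. 'go0gle.com' from a login URL.

    Naive on purpose: it ignores multi-part public suffixes such as .co.uk.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(domain: str) -> str:
    """Collapse look-alike characters and digraphs to plain ASCII letters."""
    domain = domain.replace("rn", "m").replace("vv", "w")
    return domain.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>', or 'unknown' for a URL."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded = fold_confusables(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        # One substituted glyph or one typo away from a trusted name is suspicious.
        if edit_distance(folded, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://accounts.google.com/signin", "https://go0gle.com/login",
                   "https://micros0ft.com", "https://example.org"):
        print(f"{sample:40} -> {classify(sample)}")
```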
Let your employees know that they should protect their phone with a password or PIN, and they should have it set to be wiped after a certain number of incorrect attempts. After all, more than likely their personal email is on their phone, if not their work email as well, and they can end up losing everything if their phone is not secure.
They should enable remote wipe in case they lose their phone, and they should also make sure to update their phone with the latest patches whenever they become available.
Secure Interactions with the Public and Social Networking
Educate employees about secure practices when interacting with the public online. For example, they should always know who they’re talking to. If someone initiates contact with them, they should never give out information in this situation. The initiator should already have all of the information they need, so it should be an immediate red flag if the initiator requests more. They will be targeted with these kinds of social engineering attacks, so a good rule of thumb to share with them is this: if someone needs an immediate answer, the answer is no. Lastly, to reiterate, make sure your employees know your policies related to sharing private information.
When it comes to social networking, remind personnel to use good judgement and to watch out for malicious links. Alert them that they can expect to be targeted because of their connection with the company.
The Odds are in Everybody’s Favor
True Story: Some time ago, the IT Help Desk at an organization received a frantic call from a “senior executive” claiming they needed help remembering their username for their email. The IT Help Desk walked through the security challenge questions; the caller paused and answered hesitantly, but got the answer correct, and was provided with the username. A couple of days later, the IT Help Desk received another call from the same “senior executive”. The caller needed help installing a VPN client, and they provided the IT Help Desk with their name, title, and username. Since the caller provided the username, the IT Help Desk skipped the security questions and went straight to helping the caller install the VPN client. At the end, the caller said they “forgot” their password. Unfortunately, the IT Help Desk was eager to help, so they reset the password for the caller, granting them full access to the senior executive’s email account. Read the full story here.
Moral of the Story:
- This is a great reminder that anybody can fall victim to a social engineering attack, so it’s important to have security awareness training for all of your employees, whether they are technical or not. Everyone is a target because of their connection with your workplace, and it’s important to regularly reinforce to all employees that it’s essential that they personally uphold best practices for security every day.
- This is another scenario where MFA could have made a big difference in preventing the attacker from gaining access to the senior executive’s email account.
What to Do When There Is a Problem
Finally, a great way to end a security training session is by setting the expectation of what will happen should they make a mistake or encounter a problem and how to contact the security team when that occurs. It’s important to ensure that your employees won’t feel scared to admit they made a mistake.
Ideas for How to Conduct Security Training
Now that you have an idea of what to cover in a security training session, how should you go about delivering a session? Below are a couple of ideas to get you started. However, it’s crucial that security awareness training isn’t merely a list of do’s and don’ts. It’s important to take it a step further by providing context. For example, take one of the stories mentioned here and walk your employees through how security principles could have prevented the incident. Another way to provide context is to discuss the potential risks and consequences that could occur by making the decision to use public WiFi or to not lock a smartphone for instance. Whatever route you choose, it is key to provide context and help your employees understand how to apply their security education.
One of the most effective options to deliver security training is to conduct an in-person meeting. If your company is small enough, you can likely have the training session with everyone at once. If your organization is on the larger side, consider conducting individual training sessions with each department. Even if your company is small, tailoring security training to individual departments is really effective. So, whether you’re leveraging in-house resources or you’re utilizing an MSP, consider going that route. You’ll be able to make sure each department is equipped to handle the kinds of attacks they are likely to encounter in their day-to-day work life. If you would like a list of talking points to refer to as you give this training session, consider using this Employee Education Checklist.
Security Awareness Training Software
If you can afford it, another option is to utilize security awareness training software. This type of software helps organizations create an effective security awareness training program, and it often includes features like online training modules, phishing simulations, knowledge assessments, and more.
Recorded Video with a Mandatory Quiz
One last option is to record a video of a security training presentation. It doesn’t have to be super fancy; something simple like a PowerPoint presentation with a voice-over can do the trick. To ensure your employees watch it and comprehend it, consider embedding the video into an online survey tool like Google Forms or Survey Monkey and including a mandatory quiz.
For inspiration on how to create the video, consider watching this webinar we recorded on security training.
Going Beyond Security Awareness Training
Security awareness training can be instrumental in strengthening your security posture, but that doesn’t mean you should rely on training alone to fortify your IT environment. A strategic start begins with implementing the right identity and access management solution. If your startup is cloud-forward and utilizes a heterogeneous mix of IT resources, JumpCloud® Directory-as-a-Service® could be the solution you need to secure user access to virtually all of your IT resources. Not only does JumpCloud centralize user and system management, but it empowers you with security features like Password Complexity Management, MFA, policies, and more. If you would like to learn more about JumpCloud or one of our security features, consider dropping us a note or signing up for an introductory webinar.