10 Security Awareness Training Topics For Your Business
While there are multiple technical solutions to secure your systems, accounts, and locations, these solutions can sometimes be circumvented when your people are unaware of the security risks their actions may cause.
The majority of data breaches involve some level of human interaction, yet only around 11% of companies are reported to provide security awareness training to their employees.
Making your teams aware of some potential threats and providing some regular training on the following security awareness training topics can help improve your company’s overall security, align with different security compliance standards such as ISO 27001, and reduce the risk of incidents.
For some cyber security awareness training slides that can be used for your business, the following presentation can be used to provide some further information.
1. Why Would Anyone Target Me?
A common opinion that contributes to security risks is the attitude that “this doesn’t apply to me”, “no one will try to target me”, or “I don’t have anything to target”.
While it can be the case that an individual person or company may not be targeted directly by cyber-attacks, this doesn’t mean they won’t be the victim of an attack.
Part of your security training program should emphasize that the majority of cybersecurity issues are not directly targeted at any single business, but instead rely on attacking companies at scale, with the goal that a percentage of these attacks will be successful.
Targeted vs Un-Targeted Attacks
Security incidents can occur from targeted and un-targeted attacks. With a targeted attack, a person or company is singled out due to their position, access, finances, or other reasons.
A determined individual or often a group of hackers will then spend extensive time planning out an attack strategy.
An un-targeted attack aims at as many companies and people as possible, with the aim that a small percentage of these attacks will likely be successful. The aim of this type of attack can be to compromise credentials, access information, deliver ransomware, or establish access to systems.
Why Some Cyber Attacks Can Occur
In many instances, the information that is obtained may not be directly used by the attacker but instead sold on to other groups, often as part of a larger set of compromised devices and accounts.
There is therefore an incentive for attackers to compromise as many devices and accounts as possible to sell to others.
Attacks can also take the form of a watering hole attack, in which attackers target common websites and platforms that others use, and attempt to compromise these platforms with the aim that this will grant access to all who use them.
For your business and your team, it is important to be aware that businesses of all sizes and industries are impacted by cybercrime, and it is not exclusive to larger companies.
Maintaining some best practices for security and being aware of the potential risks can prevent your organization from becoming another statistic in the latest report regarding cyber-attacks.
2. Phishing, Smishing & Vishing
Phishing, Smishing, and Vishing are types of social engineering attacks that aim to target your employees through email, texts, and calls.
With over 5 million phishing attacks reported in 2023, it is an increasingly common technique among cyber criminals.
Any security awareness training should highlight the risks these cyber threats can pose and the increasing number of Phishing attacks that continue to target organizations of all sizes.
What Are Some Of The Phishing Attack Types
Some types of attacks may aim to simulate a legitimate business provider and email template but may alter the embedded links to send you to an attacker-controlled login portal that also replicates the legitimate business.
Other types of attack may provide malicious software or files for you to download, in an attempt to compromise your device.
Attackers can also encourage employees to send documents and files containing confidential information or may provide falsified invoices in an attempt to convince your finance department to issue a payment when working through other invoices.
Developments in Phishing Attacks
Phishing attacks have developed in sophistication over the years. Although some attempts are still identifiable, many are increasingly convincing and can easily be perceived as genuine when glancing through the information.
With developments in automation and artificial intelligence, phishing emails are also becoming more targeted towards individuals while the grammar and tone of the email are continually becoming more convincing using generative AI techniques.
Protect Against Phishing Attacks
There are multiple defensive strategies to protect your organization from Phishing attempts, and it is always best to consider a layered strategy for security, rather than becoming dependent on any one solution.
Software solutions are available to identify and quarantine potential phishing emails before they arrive in a user’s inbox. This can vastly reduce the number of Phishing emails received.
While technical defense solutions are available, some attempts might still get through, which is where user training can help provide further protection. However, if a file is downloaded or a link is followed, your device should also be secured and your accounts protected.
Malware protection software can help protect your devices from some threats, but your devices should also follow a secure build process and implement the principle of least privilege for your user accounts.
Your user accounts should be set up with Multi-Factor Authentication (MFA) to help protect them against compromise. However, if a phishing link is followed, the fake login page can also prompt for MFA codes, which can still result in account compromise.
Cybersecurity training software is also available to conduct regular Phishing simulations and ensure your team understands how to identify Phishing emails and how to raise this as an issue, as part of your security awareness program.
Identifying Phishing Emails
An urgent call to action is often used as part of a Phishing attack, encouraging a quick response by threatening penalties, fines, or loss of access to a service or account.
Some phishing attacks may even claim to have identified phishing attacks, cybersecurity breaches, or other threats to your accounts or business, which need you to act now to protect yourself.
Although, at a glance, the sender’s email address may look legitimate, a common tactic with Phishing is to register domain names with slight variations to a legitimate business address. Scrutiny of addresses can identify small variations or character substitutions from the original.
Links within the email can also follow this same strategy, with embedded links sending you to websites with slight typos, but designed to look like the original site.
A change of email address can also be explained in the message itself, such as a message stating that the person has been unable to log in to their business email, is in a hurry, and is sending the message from their private account, which then goes on to ask for information, documents, login access, etc.
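The address scrutiny described above can be automated, for example in the inbox that receives reported messages. The following is an added example, not code from the original article: it compares sender domains against a constructed allowlist, maps common character substitutions back to the letters they imitate, and flags near misses and embedded trusted names; the trusted domains and sample addresses are assumptions.

```python
"""Flag sender domains that imitate domains your business trusts.

Added example, not code from the original article. The trusted-domain list and
the sample addresses are constructed for illustration.
"""
import unicodedata

# Constructed allowlist: domains this business legitimately receives mail from.
TRUSTED_DOMAINS = ("example.com", "example-bank.com")

# Characters commonly swapped in for the letters they resemble: digits, a
# symbol, and a few Cyrillic letters that render identically to Latin ones.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalise(domain: str) -> str:
    """Lower-case, drop accents (NFKD, then strip combining marks) and map
    look-alike characters back to the plain letters they imitate."""
    domain = domain.strip().lower().rstrip(".")
    decomposed = unicodedata.normalize("NFKD", domain)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return plain.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify the domain of an e-mail address as 'trusted', 'lookalike' or
    'unknown', together with the nearest trusted domain and the reason."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    norm = normalise(domain)

    # Exact match, or a genuine sub-domain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"domain": domain, "verdict": "trusted", "nearest": t,
                    "reason": "exact or sub-domain match"}

    nearest, best = None, None
    for t in trusted:
        if t in domain:
            # e.g. example.com.account-verify.net: the trusted name is only a label.
            return {"domain": domain, "verdict": "lookalike", "nearest": t,
                    "reason": "trusted name embedded in another domain"}
        if norm == normalise(t):
            return {"domain": domain, "verdict": "lookalike", "nearest": t,
                    "reason": "character substitution"}
        d = edit_distance(norm, normalise(t))
        if best is None or d < best:
            nearest, best = t, d

    if best is not None and best <= max_distance:
        return {"domain": domain, "verdict": "lookalike", "nearest": nearest,
                "reason": f"{best} edit(s) away from {nearest}"}
    return {"domain": domain, "verdict": "unknown", "nearest": nearest,
            "reason": "no trusted domain nearby"}


def scan(addresses, **kwargs):
    """Return only the look-alike verdicts for a batch of sender addresses."""
    return [r for r in (check_sender(a, **kwargs) for a in addresses)
            if r["verdict"] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a quarantine report.
    SAMPLE = [
        "alerts@example.com", "it@mail.example.com", "security@examp1e.com",
        "billing@exampel.com", "support@example-bank.co",
        "news@example.com.account-verify.net", "hello@unrelated.org",
    ]
    for r in (check_sender(a) for a in SAMPLE):
        print(f"{r['verdict']:9} {r['domain']:36} {r['reason']}")
```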
Avoiding Phishing Attempts
Where you receive a message that looks like it may contain suspicious links, or suspect a phishing attempt for any reason, there are several strategies to combat this and avoid potential security risks.
If the email claims to be sent from someone you know or do business with, rather than respond to the email, reach out to them through other contact methods you already have in place and confirm if they have sent you the message.
Set up a dedicated email inbox and group chat within your business where your users can flag and report suspicious messages. If confirmed to be phishing attempts, these emails can be reported and blocked.
3. Password Security
Weak, shared, and reused passwords remain an ongoing issue for personal and business accounts, with millions of breached accounts reported each year.
Many employees still share accounts and passwords with coworkers which increases the risk of compromise and also makes tracking actions difficult as different people are using the same login information.
Cyber security awareness topics should highlight the importance of using secure authentication methods and choosing unique, strong passwords, which minimize the potential for attackers to gain access to your online accounts.
Password Management Solutions
While password managers can be a useful solution to many issues with password security, they aren’t without their own issues.
Online solutions such as 1Password or LastPass have suffered from cyber security breaches in the past, and local software solutions, such as KeePass, have other issues such as a lost, stolen, or damaged device resulting in the loss of your stored passwords.
While password management software can still be a good approach to securing your accounts, the risks of using such software should be considered, and processes put in place to create backups of account information and to change account passwords in the event of a security breach.
Avoid Solutions Which Contribute To Password Fatigue
Some of the more updated recommendations for password security are to avoid regular password renewals, as this contributes to password fatigue, leading to simple and reused passwords.
Password fatigue can also be circumvented by using Single Sign-On (SSO) options where available.
However, using a single account for multiple platforms increases the importance of ensuring that this one account is protected and that the authentication process is secure.
Set Up Multi-Factor Authentication Options
Multi-factor authentication (MFA) options should be enabled for accounts wherever available, as this mitigates the risk from weak passwords and from passwords compromised in database breaches, even breaches at other organizations.
However, your team should be aware that MFA solutions can still be compromised through a variety of techniques, and strong passwords alongside individual security awareness are still necessary.
Utilize Account Login Restrictions
For technical solutions to avoid password compromise, account lockout policies can be applied to your accounts and login portals can be monitored for activity to create an alert where suspicious login attempts are identified.
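As an added example (not code from the article), the following replays constructed authentication log lines through a sliding-window lockout policy and raises alerts both when an account is locked and when one source address fails against many different accounts; the log format, thresholds, account names and addresses are assumptions.

```python
"""Replay authentication log lines through an account-lockout policy and raise
alerts on suspicious login activity.

Added example, not from the original article. The log format, thresholds,
account names and addresses are constructed; adapt LINE_RE to your portal's logs.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: a burst of guesses against 'alice', the right password
# arriving while the account is locked, then one address trying many accounts.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:03Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:05Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:06Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:08Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:10Z user=alice src=203.0.113.5 result=OK
2024-03-01T09:20:00Z user=alice src=198.51.100.7 result=OK
2024-03-01T09:30:00Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:30:01Z user=carol src=198.51.100.9 result=FAIL
2024-03-01T09:30:02Z user=dave src=198.51.100.9 result=FAIL
2024-03-01T09:30:03Z user=erin src=198.51.100.9 result=FAIL
2024-03-01T09:30:04Z user=frank src=198.51.100.9 result=FAIL
"""


@dataclass
class Policy:
    max_failures: int = 5                       # failures inside `window` that lock the account
    window: timedelta = timedelta(minutes=10)
    lockout: timedelta = timedelta(minutes=15)
    spray_accounts: int = 5                     # distinct accounts failing from one source inside `window`


class LoginMonitor:
    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self.failures = defaultdict(deque)      # user -> deque of (time, user)
        self.src_failures = defaultdict(deque)  # src  -> deque of (time, user)
        self.locked_until = {}                  # user -> time the lockout expires
        self.sprayed = set()                    # sources already alerted on
        self.alerts = []

    def _prune(self, dq, now):
        cutoff = now - self.policy.window
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def process(self, line):
        """Apply the policy to one log line; returns (timestamp, user, decision) or None."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None                         # unparseable line; real code should count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, src = m["user"], m["src"]

        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # A locked account is rejected even if this attempt used the right password.
            return (m["ts"], user, "rejected: account locked")
        if m["result"] == "OK":
            self.failures[user].clear()
            return (m["ts"], user, "allowed")

        # Failed attempt: track it per source address to spot one address
        # working through many accounts (password spraying) ...
        sq = self.src_failures[src]
        sq.append((ts, user))
        self._prune(sq, ts)
        accounts = sorted({u for _, u in sq})
        if len(accounts) >= self.policy.spray_accounts and src not in self.sprayed:
            self.sprayed.add(src)
            self.alerts.append({"type": "password_spray", "src": src,
                                "accounts": accounts, "at": m["ts"]})

        # ... and per account, to enforce the lockout threshold.
        fq = self.failures[user]
        fq.append((ts, user))
        self._prune(fq, ts)
        if len(fq) >= self.policy.max_failures:
            self.locked_until[user] = ts + self.policy.lockout
            fq.clear()
            self.alerts.append({"type": "lockout", "user": user, "src": src, "at": m["ts"]})
            return (m["ts"], user, "failed: account locked")
        return (m["ts"], user, "failed")


def replay(log_text, policy=None):
    """Run every line of a log through a fresh monitor; returns (decisions, alerts)."""
    monitor = LoginMonitor(policy)
    decisions = [d for d in (monitor.process(line) for line in log_text.splitlines()) if d]
    return decisions, monitor.alerts


if __name__ == "__main__":
    decisions, alerts = replay(SAMPLE_LOG)
    for d in decisions:
        print(*d)
    for a in alerts:
        print("ALERT", a)
```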
Use Passphrases Rather Than Passwords
In addition to blocking certain words from being part of a password, your users can also be trained to consider passphrases rather than passwords.
Uncommon phrases consisting of multiple words combined with some technical solutions to restrict login attempts are considered to be an effective strategy for securing your accounts.
4. Data Protection
For many companies, data security can be critical for continued operations. Your data could be proprietary or confidential information, customer data, internal documents, or other private information.
Having this data compromised or exposed online could have detrimental impacts on your business, including fines and reputational damage, and could even threaten your continued operation.
A cybersecurity awareness training program should ensure that your teams understand the importance of protecting sensitive information especially where this may relate to customer data.
Data Leaks Through Social Media
Social Media sites can also be an inadvertent way in which data is disclosed through human error.
With many employees posting on social media platforms such as X, LinkedIn, and Facebook, the content and images they post can contain key information regarding new product launches or clients, or mistakenly include computer screens and confidential data.
Maintaining a strict policy to protect data, which includes how social media accounts and posts can and can’t be related to the business, can help to avoid potentially unwanted data disclosure.
Many Data Breaches Occur From Internal Sources
Data breaches can be common amongst companies and often originate internally rather than externally. This can be due to a combination of factors including mistakenly revealing sensitive information through sending documents in an email or intentionally leaking information.
Around 20% of companies in the UK experience a data breach quite frequently, around once a month. Several technical safeguard solutions can be set up to minimize the risk of inadvertently leaking data.
Use Data Classification To Prevent Disclosure
Data classification and permissions are important to set up to reduce your overall risk and protect sensitive and confidential information. Data can be defined and labeled with categories such as Public, Internal, Confidential, and Restricted.
Your data can then be set up with limited access for only those individuals that need the access. Email attachments, for addresses outside your organization, can be similarly restricted to prevent your sensitive documents from being sent to anyone outside your company.
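One way to enforce those labels on outbound mail, as an added example rather than the article's or any product's code: the label names are the four from the article, while the organisation domain, the partner allowlist and the sample messages are constructed.

```python
"""Gate outbound e-mail on the classification labels of its attachments.

Added example, not the article's or any product's code. The label names come
from the article; the organisation domain, partner allowlist and the sample
messages are constructed for illustration.
"""
from dataclasses import dataclass, field

LABELS = ["Public", "Internal", "Confidential", "Restricted"]  # least to most sensitive
ORG_DOMAIN = "example.com"                                      # constructed
PARTNER_DOMAINS = {"example-partner.com"}                       # constructed: cleared for Confidential


@dataclass
class Attachment:
    name: str
    label: str                                  # one of LABELS, or "" if never labelled


@dataclass
class Message:
    sender: str
    recipients: list                            # to + cc + bcc, flattened
    attachments: list = field(default_factory=list)
    body_label: str = "Internal"


def rank(label):
    """Position in LABELS; unlabelled or unknown labels count as Restricted."""
    return LABELS.index(label) if label in LABELS else len(LABELS) - 1


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def is_external(address):
    d = domain_of(address)
    return d != ORG_DOMAIN and not d.endswith("." + ORG_DOMAIN)


def evaluate(msg):
    """Return {"action": "allow" | "block", "reasons": [...]} for one message.

    Restricted content never leaves the organisation; Confidential content may
    go only to partner domains; Internal content leaving is allowed but noted.
    """
    external = [r for r in msg.recipients if is_external(r)]
    if not external:
        return {"action": "allow", "reasons": ["all recipients are internal"]}

    items = [(a.name, a.label) for a in msg.attachments] + [("message body", msg.body_label)]
    block, reasons = False, []
    for name, label in items:
        shown = label if label in LABELS else f"{label!r} (unlabelled, treated as Restricted)"
        r = rank(label)
        if r == rank("Restricted"):
            block = True
            reasons.append(f"{name} is {shown}; external recipients: {external}")
        elif r == rank("Confidential"):
            not_partner = [e for e in external if domain_of(e) not in PARTNER_DOMAINS]
            if not_partner:
                block = True
                reasons.append(f"{name} is Confidential; non-partner recipients: {not_partner}")
        elif r == rank("Internal"):
            reasons.append(f"{name} is Internal and is leaving the organisation")
    return {"action": "block" if block else "allow", "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: a Confidential contract to a partner (allowed) and to
    # an unrelated address (blocked), plus an unlabelled file to a partner (blocked).
    samples = [
        Message("alice@example.com", ["cto@example-partner.com"], [Attachment("contract.pdf", "Confidential")]),
        Message("alice@example.com", ["them@example.org"], [Attachment("contract.pdf", "Confidential")]),
        Message("alice@example.com", ["cto@example-partner.com"], [Attachment("notes.txt", "")]),
    ]
    for s in samples:
        print(evaluate(s))
```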
Make Use Of Encryption For Data Protection
Files containing sensitive information can also be stored in an encrypted format, where only specific individuals with the necessary encryption keys can access the file contents.
Devices should also be set up with encryption to ensure the protection of their contents.
Configure Email Delays To Provide a Grace Period For Mistakes
Even with safeguards on your files, mistakes can happen. Sending emails can be configured with an automatic delay of a few minutes, in case any last-minute realizations occur and you would like to undo sending the email.
To maintain data protection for your sensitive information, there are also some best practices and policies that can be followed to minimize any potential incidents.
Set Up Approved And Dedicated File Transfer Methods
Have understood and dedicated methods to send files outside of the organization. This may be through email or a secure file transfer system, but there should be an agreed-upon process for sending documents. Anything outside of this method should be requested and permitted before any file is transferred.
5. Mobile Device Security
Your mobile devices can hold a wealth of information and access. Many mobile phones are connected to email accounts and messaging programs, have password manager applications installed, and have access to file systems, wireless passwords, and other useful data.
Verizon has shown an increase in mobile device compromise in recent years and a compromised device can result in data loss, financial loss, fines, reputational damage, and the time and cost of recovery.
Create A Separation Between Business And Personal Devices
Separate personal and business mobile devices should be utilized wherever possible. This avoids unnecessary risk from a compromised personal device or application impacting the business.
Make Use of Mobile Device Management Software
Mobile device management solutions should be used where available, as they allow for management of configuration, required settings, password requirements, and encryption.
These solutions also allow for remote locking and wiping and can track devices to help with recovery if lost or stolen.
Avoid Open And Public Wireless Networks
Other practical security measures include avoiding open and public Wi-Fi networks, as your data and connections may be intercepted.
Configure Screen Locking For Devices
Establish a habit of locking your phone every time it is put down, in addition to configuration options to automatically lock the device after inactivity.
Avoid Leaving Devices Visible And Accessible To Theft
Avoid placing your phone down on tables when in public places, as “table surfing” is reported as one of the most common approaches for thieves.
Similar approaches to malicious files and software should be followed for mobiles as well as other devices. Avoid downloading unknown attachments, following suspicious links, and attempting to install unknown applications, especially any not directly from the official app stores.
6. Malicious Software
Malware has been shown to impact around 17% of surveyed businesses in the UK, and has been found to impact businesses of all sizes.
Similar to other types of attack, the delivery of Malware is often un-targeted and can make its way onto devices through Phishing, Website Downloads, Watering Hole attacks, and other methods.
Malware Can Often Have Multiple Functions
Malware can be designed with multiple purposes in mind, and many have a combination of tasks they aim to carry out. Some aim to gather information and send it to an attacker-controlled location; this can include files that are accessed or credentials that are used.
Other Malware programs can be designed to provide remote access to your device or spread themselves to as many other devices as possible. These types of programs can be relatively invisible to the user, who may not be aware they have been impacted.
Restrictions Or Damage Through Ransomware
Other Malware can be more apparent, aiming to cause damage by deleting or encrypting files, preventing further access to your data.
Ransomware attacks often use this approach, with attacks designed to delete data after a period of time unless the ransom is paid, with some variations also copying the data and threatening to publish the information online, if the ransom is not paid.
Mitigating Malware Through Technical Solutions
There are technical solutions available to minimize the potential threats of malware. In addition to maintaining up-to-date malware protection and anti-virus software:
- Multiple software options are available which can be set up to identify malware within email attachments and prevent the delivery to a user’s email inbox.
- File restrictions can also be set up to limit the type of files that are allowed to arrive in a user’s inbox.
- Web Browsers can be configured to restrict downloads of certain file types or all files, and also request confirmation from a user if they are sure they want to download files.
- User accounts can be set up with minimal permissions, to limit the amount of access malware may be granted.
- Installation of files can also be configured to require an administrator login prompt, preventing files from installing without permission.
Protection From Malware Through Layered Security
Like with many approaches to security, a layered approach is often the best solution. Alongside different technical solutions to protect your devices and data, users can help to reduce the potential of malware impacting their devices.
Phishing awareness training can help minimize the threat of malware impacting devices via email attachments.
Minimizing the amount of web browsing conducted on work devices and only using trusted sites can help to avoid browsing sites that may host malware.
Restrictions can also be configured for the types of websites that are available to access through firewall restrictions.
Maintain a policy for downloading and installing files, where permission for new software is requested rather than determined by each user.
Where software is necessary, only download it from trusted sources, and avoid downloading from unknown sites reached through a link in an advertisement or email.
7. Removable Media
Removable storage drives pose several problems for businesses. There are multiple instances where sensitive data, password information, or personal details have been copied to USB drives that have been lost or stolen.
A training program can include cyber security topics that discuss the potential issues of using removable storage drives to store and transfer data.
USB Drives Can Lead To Data Loss
A specific instance several years ago involving Heathrow Airport resulted in some large fines as a USB drive was found on the streets in London and contained sensitive data.
USB Drives Can Be An Exploit Route For Attackers
USB drives can also be used as a method of compromise for your devices. Several exploit methods have been seen to use USB drives as the initial attack vector in recent years compromising businesses across a range of industries.
While a USB drive intentionally left in a company parking lot may still result in success, it’s not the only viable attack route as USBs could be sent to businesses as part of fake promotional material alongside pens, leaflets, and other marketing material.
Improving Your Team’s Awareness Of Potential Threats
Your team should understand that these threats and exploitation techniques exist, and employees should be educated on the importance of not using any unknown devices regardless of where they come from, including free promotional material and gifts.
Apply Security Controls To Devices To Minimize Risk
Technical solutions are also available to minimize this type of threat. As many file transfer solutions are now available that don’t require any physical media, your business could make the decision to avoid using any such devices.
USB ports on your devices can then be disabled to prevent the possibility of connecting USB drives for the storage of files or the delivery of malware.
Set Up Restrictions On The Type Of Devices That Can Connect
Other software solutions also allow you to set up an allowed list of devices that can connect, which provides protection from unknown devices but doesn’t necessarily resolve the use of USB drives to store sensitive data.
Maintain Data Protection Policies And Encryption
Your data protection policies can also be applied to your removable media, to avoid the storage of sensitive data on external drives.
USB drives can also be set up with encryption and password requirements, to ensure that any devices that are in use cannot be accessed by anyone else in the event of loss or theft.
8. Remote Work
While remote working has many benefits, some risks are introduced for businesses that should be accounted for and mitigated.
Security awareness campaigns should include topics that emphasize the importance of maintaining strong security standards for any work environment, even within a home office.
Unmanaged And Vulnerable Home Routers
Home networks are an unknown and uncontrolled assortment of devices to which a business device can be introduced. The internet access point is typically a home router provided by an internet service provider, and devices such as this have had multiple vulnerabilities disclosed over the years.
A relatively recent report from SentinelOne found a method to remotely access millions of routers.
Avoid Mixing Personal And Company Devices
As other devices share the same home network, it may be the case that compromised devices are introduced into the same home office network, which may lead to the compromise of business data or access to business systems.
When working from home there is also an increased tendency to use personal devices to access company systems. This also mixes unknown and uncontrolled devices with company systems, services, authentication methods, and other sensitive data.
To account for these types of issues, employees who work from home should understand that the same type of security and security awareness principles need to be carried over into the home environment.
Employees should be made aware that home routers can be exploited, and that mixing personal devices with company devices and services puts company data at risk.
Company-issued and managed devices should be the only devices used to access company resources and technical solutions can be implemented to prevent other devices from being able to connect or authenticate to company networks and equipment.
Set Up Secure Storage Options For Home Offices
Where company laptops and other equipment are used, ideally there will also be an option available to securely lock devices away, to mitigate against the risk of theft, or a device being “borrowed” by someone else in the home.
Company Issued Devices And Network Segmentation
While it can be convenient and cost-effective for users to continue using an existing personal computer to carry out their work, this should be avoided and a company-issued device provided as there are often too many unknowns to account for to guarantee their security.
Home offices can also have a physical router/firewall setup to create a segmented network strictly for the purpose of company equipment, which can avoid the mixing of unknown devices with company equipment.
Connect Using VPN Solutions
An always-on VPN solution and software firewall can also be configured for company devices to maintain a constant secure connection to the office and ensure communications stay encrypted and secure.
9. Physical Security
While it is important to be alert for Phishing, Malware, and other digital attacks, one of the security awareness training topics that can often be overlooked is Social Engineering techniques and Physical Security Awareness.
London alone reported over 100,000 phones and laptops stolen in 2022, around a third of people still write passwords down on paper, and around 14% of business premises have reported theft.
Exploiting Politeness Through Tailgating
Tailgating often relies on the inherent helpfulness or politeness of people to hold a door open for the next person. This technique can work in a number of scenarios, including being allowed through a security door with swipe card access.
Tailgating can occur for many businesses where there is a mixture of people entering and leaving the premises and there is an acceptance of unknown individuals working within the offices.
This acceptance can extend to allowing people through exterior security doors, reception areas, and other barriers of entry under the assumption or justification that someone else probably knows who they are.
For the physical security of offices, while door locks and keyfobs are important, this doesn’t account for problems with tailgating.
It is important to make use of visual forms of identification such as ID cards and to set a standard for everyone to have their entry logged as they enter the building, ideally confirming staff IDs against an employee database.
Using Hotdesks To Establish Access
Hotdesks can also bring about their own set of security risks if not correctly managed. Many organizations have a dedicated area and set of desks for anyone to use. This may be employees who mostly work from home, travel between different offices, temporary contractors, or guests.
This can result in the normalization of people you may not know having access to the office and it no longer being questioned that unknown individuals are walking around different workspaces.
Hot desks can sometimes be reserved over the phone with minimal information, creating an expectation that an unknown individual may be entering the building to use the desks.
To account for unknown individuals accessing a building, even if holding an ID badge, it should be a requirement to sign in with a reception area.
This process should also include the verification of the employee ID, and making sure a record of all employees can be accessed to verify the identity of the individual.
Dumpster Diving For Data And Devices
Your office may throw away documents, scraps of paper, or even devices and hard drives that contain business information.
In more targeted instances of exploitation, an attacker can rummage through any accessible bins to search for information that may be useful as part of their attack strategy.
A data disposal policy should be implemented that outlines appropriate measures to secure your business from the inadvertent disclosure of data through waste disposal.
For your employees, this can include not using paper or making notes that contain passwords, contact details, or other business-related information.
Ideally, documents should be mostly used digitally rather than printed to minimize any waste material that contains business information.
Where paper documents are used, paper shredders can be kept alongside bins to ensure that the correct disposal process for paper is always available and teach employees to follow the appropriate policies and use the provided equipment.
For devices and hard drives, when they do require disposal, tools are available to securely wipe the drives to ensure that no data is left, or a third-party disposal company can be used which will confirm the disposal.
Shoulder Surfing
When a member of your team is traveling, and still working, they may be on the train, in a coffee shop, or another public location. In these situations, care should be taken to avoid disclosing any sensitive information to people who are nearby and have visibility of the user’s screen.
Accounting for this issue can be difficult and can be minimized by only working on non-critical data while traveling.
Attempts can also be made to work from positions that limit other users’ ability to view a device’s screen. Products are also available that can help with this, as some screen protectors are designed to hide screens from view other than when looked at straight on.
10. Incident Response
In the event that a security issue does occur, it is important for your security team to be well-informed and to understand how to report and respond to a potential issue.
Security awareness training can also include security response training, to ensure your employees understand what actions to take in each scenario.
Implement Clear Methods To Report Security Incidents
Having clear and well-defined contact and reporting methods is vital to ensure issues can be quickly acted upon and responded to. Security awareness training should also outline what may constitute an issue, and where in doubt take a cautionary approach to ask questions or raise an alert.
Practice Your Team’s Response To A Variety Of Security Incidents
The relevant teams responsible for action should also be practiced in the responses that are required. Ideally, this will include simulated exercises conducted to rehearse the required actions to take.
Although any security incident can result in issues to resolve, costs to account for, and a loss of time for the business, it is important to encourage the reporting of security threats when they are suspected, rather than risk overlooking a serious threat.
Encourage Reporting Of Any Issue
It is estimated that a large percentage of cyber security issues go unreported. This can be due to a lack of awareness, but a large proportion of unreported incidents are due to fear of repercussions.
Where an incident is reported, this should be taken as an opportunity to understand how the issue has occurred, implement measures to avoid a repeat occurrence, and improve security awareness training to cover additional topics and scenarios.
Conclusion
Similar to a vulnerability management program for your devices, your team also needs a security awareness training program to help your organization identify and prevent different types of cyber security threats.
The range of security awareness training topics that can be covered to educate your team and improve your company’s security culture is quite broad and varied.
While security training can be helpful to increase your team’s awareness, it should also be ensured that the information provided is useful and relevant to the tools and technologies that each user is currently using.
The method of delivery for security information should also be varied to avoid potential fatigue of the training itself and the topics it is trying to cover.
A security awareness training program can make use of multiple tools and techniques, such as:
- Training Videos
- Presentations and Webinars
- Internal Blogs and Reports
- Quizzes and Tests
- Posters Placed Around The Office
- Regular Newsletters
- Relevant Statistics
- Recent News Articles of Cyber Security Breaches
- Simulated Attack Exercises and Training
These techniques, in addition to other methods, can form part of a security awareness campaign, providing regular, varied security information that raises everyone’s awareness of cyber threats and improves your organization’s security posture.
Where you have any further questions regarding different cybersecurity solutions, our consultants are available to address any concerns you may have.