Good, Better, Best – Why Security Best Practices are Important for End Users in Your Organization
When we talk about cybersecurity awareness, we often find ourselves focused on the technology. It makes sense – the growing need for security awareness training is based on the rising use of technology in our daily lives. We are driven to make sure that those who are responsible for the implementation and maintenance of technology assets – developers, network administrators, IT staff, etc. – are well-trained in order to prevent security incidents and breaches. However, in our focus on the technological aspect of security awareness, we can often lose sight of a much larger group of people who are an essential part of overall security – end users. Let’s look at why giving end users access to security best practices through training is important for an organization.
What do we mean by the terms “end user” and “end user security”? An end user is an employee who uses the hardware and software assets of your organization in order to perform their job duties. This includes people at all levels, from the janitorial staff who use an HR program to log work time, to the CEO who uses a company laptop to make a presentation to clients. These people come to the table with different abilities and knowledge in relation to technology. However, the common need they share is end user security awareness training that supports their roles and job functions.
This seems like a daunting task – how do you train all those people on all those systems in all their different configurations? As Desmond Tutu has said, “There is only one way to eat an elephant: a bite at a time.” In other words, you cannot avoid the issue. You have to start and work through it.
One way to tackle this large project is to look for security training needs that are common across the organization. You will be surprised to learn how much your end users actually have in common, despite the differences in their job descriptions. The following are some security awareness training needs, each tied to a best practice, that your users most likely share.
Data classification and privacy – A critical but often overlooked step in security awareness training is teaching best practices in data classification and privacy. Your employees need to know how data is classified for use and protection.
Anti-phishing and social engineering – Phishing and social engineering scams are the most prevalent attacks used by hackers. Your employees need phishing awareness training to know what makes an email suspicious and what to do if one is received. They also need to be aware of common social engineering tactics, such as shoulder surfing, and what they can do to protect themselves and your data.
Email management – Many security awareness training programs focus on emails that are received. However, you should also provide best practices for emails that are sent by your employees. This includes what should and should not be attached to an email, the dangers of putting too many unnecessary people on an email thread, or the dangers of sharing certain types of data outside the organization (for example, mailing a spreadsheet of sales data to your personal address so you can work on it at home later).
Physical access controls – Locks on doors and other physical security devices used in your organization are for naught if your employees do not know best practices for their use.
Use of wireless networks – Many people have their devices set to automatically connect to public wifi networks. Your employees should know why this is not a best practice and the rules around the use of wifi networks.
Data backups – This is one that is often missed in security awareness training best practices. You should be providing, and your employees should be trained on using, a secure backup protocol for their data.
Software patches and updates – Employees need to be educated on the importance of patching software when critical updates are released, especially their operating systems and any application that handles critical or sensitive data.
Anti-virus and anti-ransomware applications – The use of anti-virus and anti-ransomware programs is a best practice for organizations. Your employees need to know why they should never disable these systems.
Web browsing – Best practices for web browsing – e.g., how to examine a URL before clicking it, limiting access to work-related sites, never downloading files from untrusted web sites, etc. – need to be shared within the organization.
Use of Virtual Private Networks (VPNs) – If your employees are allowed to access your networks and servers from remote, off-site locations, you should provide a VPN and training in best practices for its use.
Use of personal devices for work-related activities – If your organization supports a Bring Your Own Device (BYOD) policy, employees should be trained in the hardening of their personal devices and when their use is appropriate (e.g., you should require that the camera(s) on a phone be disabled when used inside a building or data center).
Impact of personal cyber security habits – One of the things we have learned about end users in the last few years is that the cybersecurity habits they practice at home will be reflected in how they approach cybersecurity at work. Employees need to understand this connection and be provided best practices training for home and work.
As you can see, your employees are more alike from a cybersecurity perspective than you may have realized. A strong general security awareness training program rooted in best practices for all employees is a key building block for introducing strong role-based training for employees. Once you know that everyone across the organization shares a common understanding and vision for cybersecurity, you can then focus on training employees in best practices that are specific to their jobs. No matter their level of knowledge or comfort with technology, every end user can be trained to become a security champion for your organization. Doing so ensures that your Human Firewall is strong and that your business is safer.