As a security executive, you can cover a dictionary’s worth of security-related topics in a single day. In your role, you’re always thinking of new ways for end users to be safe—including educating your users to help them prevent data breaches.
Use this roundup of terms, tips, and actions to help your organization become more security aware, one end user at a time.
App risks—Just because an app is cloud-based doesn’t mean it’s secure. 47.5% of apps have poor risk ratings, including Yahoo Mail, ILovePdf, PDF to PNG, and AOL mail. Of course, data sharing is often accidental, and you don’t have time to audit every available app. Instead, ask your users to consider:
- How do most data breaches happen?
- What are some red flags that an app may not be safe?
Provide a list of company-approved apps and when to use them. Update the list often.
Behavior change—You know what your users should be doing, but one annual security training just doesn’t cut it. Is your organization using a change management platform? Learn more here about change management tools and frameworks.
BYOD—Bring your own device; a corporate policy that allows employees to use their own phones and laptops for work instead of (or alongside) company-owned equipment. If your organization has a BYOD policy, review it and talk with your IT team about what’s working and what isn’t, including how work data is kept separate from, and can be wiped from, personal devices.
CEO fraud—Also known as Business Email Compromise (BEC), CEO fraud continues to threaten organizations at the user level. The attacker impersonates one of your organization’s leaders to request data or a payment, either by taking over the leader’s real email account or by sending from a look-alike address (a free-mail account carrying the executive’s display name, or a domain one character off from yours). Because these messages usually carry no malware or links, they can still get past secure email gateways.
The best defense is a strong user base, so periodically share reminders and examples of this type of phishing threat with end users at your organization. Take a look at our simulated phishing training program, Threat Defense.
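One concrete check behind the “very close fake email address” warning above is to compare every sender against your own domain and your executive directory. The script below is an added example, not BrainStorm code or part of Threat Defense; the organization domain `example.com`, the executive list, and the sample headers are all made-up values to show the technique.

```python
# Added example (not BrainStorm's code): flag From: headers that look like
# CEO fraud / BEC. ORG_DOMAIN and EXECUTIVES are assumed, made-up values.
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                         # assumed: your real domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed directory, keyed by lowercase display name

# Substitutions attackers use so a look-alike domain survives a quick glance.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain: str) -> str:
    """Collapse a domain to the shape the eye sees: strip accents, fold confusables."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for fake, real in SUBSTITUTIONS:
        text = text.replace(fake, real)
    return text


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough to inline rather than add a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain: str) -> bool:
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def check_sender(from_header: str) -> list[str]:
    """Return the BEC indicators found in a From: header (empty list = nothing suspicious).

    Header-only check: mail sent from a genuinely compromised executive mailbox
    shows none of these indicators. That case needs SPF/DKIM/DMARC, sign-in
    anomaly detection, and an out-of-band confirmation before any payment.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    exec_addr = EXECUTIVES.get(" ".join(name.lower().split()))
    flags = []
    if is_internal(domain):
        # Right domain, but an executive's display name on somebody else's mailbox.
        if exec_addr and addr != exec_addr:
            flags.append("executive_name_mismatch")
        return flags
    # Cousin domains: our name embedded in a longer one, or one edit away after folding confusables.
    if ORG_DOMAIN in domain or levenshtein(skeleton(domain), skeleton(ORG_DOMAIN)) <= 1:
        flags.append("lookalike_domain")
    # Free-mail or unrelated domain wearing an executive's display name.
    if exec_addr:
        flags.append("executive_display_name")
    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@exarnple.com>",
        "Jane Doe <jane.doe@examplé.com>",
        "Jane Doe <ceo.janedoe@gmail.com>",
        "Accounts <billing@example.com.secure-login.net>",
        "Jane Doe <helpdesk@example.com>",
        "Vendor <sales@partner.example>",
    ]
    for header in samples:
        print(f"{header!r:55} -> {check_sender(header) or 'ok'}")
```

Run it over a day of inbound mail headers and you get a short list of senders worth a second look; feed the same three indicators into your simulated phishing examples so users learn to spot “rn” for “m” and an executive’s name on a Gmail address themselves.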
Data protection—No amount of technical control will stop every user from sharing sensitive information, so effective cybersecurity relies on both technology and users. Ask yourself:
- Does your organization continually educate end users on the latest risks?
- Do your users have habits and routines that will protect your data? For example, before sharing a file or document, do they scan the file for personal information?
- How many of your users regularly install recommended updates?
- How well do your users know how to use permissions in all their Microsoft apps?
Education—Software training or security training for its own sake will not change user behavior. To motivate end users, you need to meet them where they are and find a way to offer personalized learning options on their own timetable. Consider:
- What kind of learning opportunity is right for each team or department?
- What strategy will motivate users to make changes in their technology habits?
- Which learning platform will help your organization address individual needs at scale?
Governance—Software governance is usually owned by the IT team. That said, how that software is used, and what data flows through it, affects the security of the whole organization. If you’re not doing so already, sync regularly with your IT director and others on matters of governance, compliance, and eDiscovery. Other suggestions:
- Work for a balance of governance and software adoption. For example, who can create a Teams channel? What are the security implications?
- Consider creating a governance committee to review policies. Aim for a wide perspective by including your legal department, human resources, auditors, and other relevant stakeholders.
- How should end users learn about their role in governance and compliance?
IT department—In most organizations, the security team deals with cyberthreats while the IT team is responsible for software adoption. In smaller organizations, one person might wear both hats. Ask:
- How often do you share data from your security platform with IT?
- Is your data locked down so tightly that the software goes underused?
- What security awareness issues are common in your organization? Does IT help address them?
Malware—Talk regularly with your employees about malware: malicious software designed to damage a device, take control of it, or steal personal data (PII) from its user.
- Do employees understand the basics of malware, including how to know it’s there, how it’s installed, and how to report/remove it?
- Include basic definitions in your security awareness campaigns:
- Adware: Unwanted advertisements can appear as pop-ups or an uncloseable window. Sometimes adware also spies on user activity. The biggest threat to Android mobile devices is adware, at about 45% of all threats.
- Backdoor: Bypasses normal authentication so an attacker can remotely log in to and control the affected device. Sophisticated backdoors can be very intrusive and collect large amounts of data from infected devices.
- Keyloggers: Monitoring malware designed to record a user’s keystrokes; on mobile devices without a physical keyboard it captures other input channels instead, such as the on-screen keyboard. 80% of all keyloggers are not detectable by antivirus software or firewalls.
- Ransomware: Malware that encrypts files and folders, often after first copying data out of the network, and demands a ransom to restore access (and, increasingly, to keep the stolen data private).
- Trojans, Trojan horse: Software the user is tricked into installing, often carrying the name or icon of a legitimate app but with malicious intent. As part of its program, a Trojan may install a backdoor. One type of Trojan is a banker, which uses keylogging or fake login screens to capture users’ banking credentials.
Multi-factor authentication—A login requirement that demands two or more independent proofs of identity, for example a password plus a code from an authenticator app or a hardware security key. Microsoft reports that MFA blocks over 99.9% of automated account attacks. Confirm with your IT department that MFA is enforced for every application that touches your organization’s sensitive data, and prefer app- or hardware-based factors over SMS codes where you can.
Phishing—Phishing, one of the most common security attacks, needs to be on every user’s mind. These attempts to steal sensitive information through emails, text messages, and phone calls appear to be from legitimate sources. An effective way to train employees is through phishing simulation trainings.
Policy—Regularly review your company’s information security policies for password management, access management, data handling, and so on. An effective policy describes how the organization will handle its cyber risks and vulnerabilities. When writing these policies, a few topics to consider include:
- How will your organization handle potential threats, such as a data breach or system outage?
- Which concerns are low risk and which would harm the organization’s survival?
QuickHelp— A third-party change and adoption platform, BrainStorm QuickHelp™ helps users create a self-learning environment, engage more efficiently with their technology, and implement best practices around security. Customized learning paths create an individualized approach to organizational change.
Remote work—Since COVID-19, remote work and hybrid workspaces are the new norm in business practice. Encourage employees to regularly review your company’s remote security standards.
- What are your organization’s approved apps or services? Is there a central list or repository?
- Make sure employees know how to contact IT or security with questions or problems.
Security awareness training—Just because you have an annual training session doesn’t mean your users will change their behavior long term. Consider ongoing security training to cover a rotation of topics throughout the year. Need help? BrainStorm can help automate your users’ learning experience.
Threat Defense—The strongest passwords in the world can’t protect users who aren’t proactive against phishing schemes and cyberattacks. BrainStorm Threat Defense helps empower users to work more securely, with a human-focused approach to security awareness that traditional training lacks. No shame, no guilt—just secure behavior.
Updates—Naturally, users should regularly update their software, firmware, and devices. Large organizations may also struggle to roll out updates, given the complexity of interacting systems where one change can break a business process. In fact, the 2017 Equifax breach, which exposed the personal data of more than 143 million US consumers, could have been prevented if the company had applied a patch for a known Apache Struts vulnerability that had been available for more than two months before the attack.
Zoom bombing, Zoom trolling, or Zoom raiding—An uninvited intruder disrupts a video conference by sharing offensive or obscene material, usually forcing the host to end the session. The term comes from the Zoom platform, but the same thing can happen on any videoconferencing product. Reduce the risk by requiring a meeting passcode, using a waiting room (virtual lobby) so only the host admits attendees, restricting screen sharing to the host, and never posting meeting links publicly.
Zero trust—A long-standing security model in which no user, device, or network location is trusted by default: every request to reach a network, data, or equipment is authenticated and authorized, whether it comes from inside or outside the organization. A few final questions:
- How can you help your users develop a zero-trust attitude?
- How would a zero-trust policy reduce data breaches via phishing?
For additional security and adoption content, subscribe to our blog so you don’t miss a thing.