4 Common Security Awareness Mistakes and How to Mitigate Them
Introduction
For any company, being aware of the cyberthreat landscape is critical. There is often the mindset that most cyberattacks can be thwarted off by procuring and implementing the latest security technologies, and while this may be true to a certain extent, it takes a high level of security awareness on the part of both employees and management to 100% fortify the lines of defense around the business or corporation.
In this article, we'll examine four major security awareness training mistakes and how to mitigate them.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
The Major Mistakes and Their Fixes
1) Newly-Hired Employees Are Not Trained in Security During Their First Days of Employment
Whenever you bring new employees into your organization, the first few days (perhaps even the first week) is usually spent on orienting the new hire about the company, their job roles, what is expected of them, corporate culture expectations and so forth. An important part of this is to educate your new hire on the company's security policies and guidelines during the onboarding process. In particular, the following should be reviewed with them:
- What defines proper Internet usage
- How company assets should be safely used (there should be a strong emphasis given on devices that are issued to them that they can take home – namely wireless devices)
- The password security policy, especially in regards as to how the company defines what a constitutes a "strong" password and how often they should be changed. Training should be provided in how to use a password manager if your business or corporation uses one
- The consequences for not abiding by the security policies set forth
- Train new hires on the latest cyberthreats – with a focus on phishing, spearphishing and business email compliance attacks
- Explain the proper protocols and procedures that employees should follow if they see or witness any suspicious behavior or activities
2) Security Training Is Just a One-Time Deal
Just because you have security-trained your employees at some point in time during their tenure with your company, do not assume at all that they will remember all of it. Therefore, it is up to you to keep the training fresh and remind them of the consequences of not following the security policies.
In this regard, having training programs at least once a quarter is a must. Also consider the use of mock exercises at least once every couple of weeks.
Probably one of the best examples of this is to launch a mock phishing campaign. This will be an attempt to see how many employees will fall for a phony email, and those that will just delete it. This will be one of your strongest indications in determining if your new employees are carrying out on what they have been trained on. Of course, if they fall "victim" to this mock email exercise, then that particular employee should be notified that he or she will require further training and that their manager will also be notified about what has transpired.
3) Employees Are Not Rewarded for Their Security Hygiene
After a new hire has been trained and reminded of the security issues that are relevant and important to the business or corporation, they should also be tested on this to determine how much they knowledge they retain. With this goal in mind, you should perhaps consider implementing a certification program. If the new hire passes a set test, he or she should receive a certification of completion and a formal, documented "Congratulations" for it. If possible, even provide a small reward along with this, such as a gift card or a reduced gym membership.
The point of this is that if your employees are constantly being chastised for what they are doing wrong, not only will they lose motivation, but you may even provoke an insider attack. But if an employee is formally recognized for good work in abiding by company security policies, this will not only motivate the individual but other employees as well.
It is important to note also that longer-tenured employees should be acknowledged and rewarded as well for their security hygiene.
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
4) Not Enough Content Related to Security Topics for Employees
It's important to keep everyone informed of the ever-changing cyberthreat landscape — not only your new hires, but all employees. You don't have to include all the technical jargon in your updates, but you could post straightforward daily content on the company intranet, covering what the IT staff has discovered in terms of the latest threats and what your organization is doing to prevent them. You can also use these daily posts to mention what your employees can do to help.
Then, perhaps once every couple of weeks, you could also send out an email to your employees reminding them of the security steps they need to accomplish before they leave for home. This could include the following:
- The importance of logging off their workstation and turning off their monitors
- Not to leave any sensitive documentation around their desks, and if anything needs to be destroyed, it should not be simply thrown away but shredded
- The need to take proper precautions when remotely logging into the corporate servers when working from home
- How not to fall for social engineering schemes off the company premises (one of the best examples of this is saying something by mistake at a party or a bar when mingling with friends)
- Above all, not to use their personal smartphones for conducting work-related matters. They need to use the ones that have been directly issued to them
Along with daily and periodic weekly reminders, it is also crucial to have security-related topics published on a quarterly basis as well. Probably one of the best tools to use in this is the infographic. People can have very strong visual memories, and seeing the data mapped out in a picture will help them remember it.
Conclusions
Overall, this article has reviewed some of the major security-awareness training mistakes that are found today and how to mitigate them. This is obviously not an all-inclusive list, but what you glean from this article will depend primarily upon your organization's own security requirements.
But keep in mind that employees don't have to be the weakest link in your security chain. Instead, if they are trained and motivated in a positive manner, they can be one of the strongest.
Sources
11 Tips for Training Your End Users on Security Awareness, Sumner One
Please don't send me to cybersecurity training, CSO Online
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
8 Security Practices to Use in Your Employee Training and Awareness Program, The State of Security
In this Series
- 4 Common Security Awareness Mistakes and How to Mitigate Them
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness