
5 Security Awareness Best Practices [Updated 2019]

July 5, 2019, by Ian Palmer

When asked who needs to take charge on the security awareness front, Varun Kohli says that employers must ensure that their workers know how to steer clear of cyber criminals.

Kohli, the vice president of marketing at predictive mobile threat defense company Skycure, insists that employees are the weak link in the chain of security – and research seems to support his claim. But whatever shortcomings workers may have, employers with the right security awareness policies in place can potentially limit the odds of seeing their networks compromised by malware, viruses or any of the other tools in the cyber criminals' bag of nefarious tricks.


"The weakest link in security today is the human factor," said Kohli. "Employees don't know what is…right and how to differentiate the right from the wrong, so you cannot rely on them making smart decisions about what networks to connect to….If employers want to keep their data safe, it is up to them to tell the employee what to do."

Kohli's company is one of many that provides tools that can help businesses to safeguard their data, but all the tools, applications and solutions in the world won't compensate for a lack of security awareness – and that's where adherence to security awareness best practices comes in.

Experts say that a comprehensive strategy that is communicated to workers will help, but some add that a balance between security and usability must be achieved in order to ensure buy-in.

Research Tells A Story

According to a study called Security Awareness Training: It's Not Just for Compliance, which is based on the responses of 600 people, fewer than 50% of workers actually receive security awareness training, despite the fact that major data breaches are not at all uncommon.

Specifically, the study finds the following:

  • 56% of corporate workers have not been ordered to take part in security awareness training; and
  • 45% of those who do get training only receive it once annually.

The problem, the study notes, is that many of the employees who are not getting training are the very ones who should be getting it. Lots of it, in fact.

Consider the following for example:

  • 59% upload work-related data in the Cloud;
  • 58% store confidential information on their smartphones, tablets or other mobile devices;
  • 35% have clicked on links contained in phishing emails sent from unknown senders;
  • 33% fail to change personal passwords for the devices they use for work; and
  • 30% leave their smartphones, tablets or other mobile devices in their vehicles unattended.

The Big 5

Implementing security awareness best practices, and training employees so that they both know what is expected of them and remain in compliance, is a must for corporations that want to reduce the odds of a data breach, if not eliminate the possibility entirely.

Best Practice #1: Gain Visibility

Kohli cautions that IT departments can't protect what they can't see – thus the reason why it's important to gain visibility.

"Whenever I go talk to CIOs – I talk to some of the largest organizations on the planet – my question is: 'Do you know all your employees' devices [and] how many malicious or suspicious networks that those devices connect to in the past one month?'" he says. "And in most cases, almost all cases, the answer is, 'No, we don't have a clue.'"

The follow-up question, says Kohli, centers on whether or not CIOs know how many malicious or suspicious apps employees have downloaded via their mobile devices. The answer, again, is generally a resounding no. Once visibility is gained, companies can take decisive action to promote security awareness that properly addresses problem areas.

Best Practice #2: Treat Mobile Devices As Untrusted

With hackers working overtime to compromise corporate networks, businesses should not assume that their workers' mobile devices are safe. To the contrary, they should assume that these mobile devices have been compromised, says Scott Laliberte, managing director at Protiviti, a global consulting and internal audit firm that employs experts specializing in risk and advisory services.

When considering security awareness issues, businesses should look at, among other things, how to handle third-party applications on mobile devices that their workers use.

"Do you allow them or not?" says Laliberte. "Because often a lot of the malware or compromises are occurring through third-party apps that get installed on the end-point device. If a person has a mobile phone and lets the kids play or download a game on it," the device can become infected, and this can become an even more critical issue if the device is used for work.

Treating mobile devices as untrusted will help businesses to avoid complacency and to be more proactive, but businesses need to think twice if they believe that any policy or software will give them complete security. Although it is possible to reduce risks, no honest vendor would ever give a 100% security guarantee.

"If someone is telling you 100% security [is possible], they're lying about it," says Kohli. "If I'm the hacker, I have in my lab every single tool that is out there. And if you think about the security folks, the IT organizations, they don't know what tools hackers are using. It is like you're entering a battle blindfolded and you're hoping that you will win every single time. That's not how it works."

Laliberte and Aaron Weaver, associate director of IT security and privacy management at Protiviti, agree that any 100%-security claim should be regarded as a red flag. Laliberte explains that "you can't protect anything 100%," and Weaver adds that, while complete security is an unattainable goal, businesses can "mitigate" risks via the "layering of security."

Best Practice #3: Ensure That Workers Use Wi-Fi Responsibly

Convenience is one of the reasons why some workers connect to Wi-Fi hotspots, says Weaver, and since this is unlikely to change, companies need to teach their workers how to make wise choices.

"People don't want to eat their data plans," says Weaver, who adds that a lot of people connect to untrusted networks. "We see compromise through open Wi-Fi spots like that. One of our recommendations…is that either you...use your company's VPN or there's a lot of VPN providers out there."

Best Practice #4: Train Workers

Setting up security policies is one thing; training workers so that they understand the policies and buy into the program is quite another. Employers can't assume that their workers know all of the dos and don'ts of security awareness, so they need to educate them to make intelligent decisions.

Gary Kretzer, CISSP and security engineer at LockPath, a provider of governance, risk management, and compliance and information security software solutions, says that workers need to know that they can't let their guard down just because they're using mobile devices over, say, PCs.

"I would presume that you still need to use an anti-virus or an anti-malware program or an application," he says. "I would worry about unknown power sources. They can be your enemy in ways that you hadn't worried about in the past. If you can't see the power source for your smartphone or your laptop, I would worry about that computer having malicious code…"

As cyberattacks are so common these days, companies need to ensure that their employees know not only about the cybersecurity threats they face when using mobile devices, but also about the consequences they face if they fail to follow security awareness best practices.

Best Practice #5: Find The Right Balance

It would be easy for companies to wield an iron fist and force compliance, particularly when considering the possible ugly aftermath of a successful breach. But, says Weaver, there needs to be a good balance between security and usability – or else workers will drag their heels.

"I guess it's a balancing act, too," he says. "If we try to get it as secure as possible, users always have a way of circumventing security controls. There's that balance of let's make that device as secure as possible, but let's still balance usability - otherwise people are going to go to less secure devices to do what they need to get done."

What Now?

Security awareness best practices can help organizations to stay safe, and businesses definitely need to train workers so that they don't become the weak link. With so much at stake, companies must be proactive, rather than reactive, on the security awareness front.


"Make sure you're putting your best foot forward in this battle and you're doing everything that can be done," says Kohli. "Gain visibility, gain control, and that is how you can better be prepared to fight this battle."

Ian Palmer

A Canadian currently based in Ontario, Canada, Ian is a researcher for InfoSec Institute. Over the years, he has written for a number of IT-related sites such as, and