Essential topics for every security training programme
4 September 2018
Every IT security professional is well aware that a thorough end-user education programme is a necessary weapon in the battle to protect your perimeter. A good education programme trains your vulnerable humans to understand how to help defend your system from attack. Education helps people develop healthy habits, hones their defence against social engineering, and makes them an ally in the fight – rather than a chink in your defences.
You know security education is essential, but what is less clear is what a good security programme entails. How good is yours? Have you missed any important topics?
Here are 10 critical topics every computer security training programme should have.
Acceptable use policy
Most people do not lie awake at night thinking about the right and wrong way to use that sweet laptop their employer handed them. They use it because they have it. That is why you need to spell out what is and what is not an acceptable use of that business device.
Sitting every employee down and insisting they read and sign an acceptable use policy every year is a great way to educate them. It also provides you with legal support later if that employee breaks the rules. To have any teeth, employees must agree to your acceptable use policy before you assign them a business device.
Common acceptable use statements include:
- Business devices are the sole property of the business. The business alone can assign, remove, and determine control over those devices.
- There is no expectation of privacy when using a business-owned device. The company may read employee emails or other communications at its own discretion, without prior notice.
- Unlawful or unethical activities are not allowed on business devices.
- Any user-created passwords can be disabled or reset by the company without prior notice.
- Personal use is allowed as long as it is not excessive (as determined by the business) and does not violate one of the previous guidelines.
- Failure to abide by this acceptable use agreement may result in adverse actions, including removal of the company device, up to and including termination.
Patch management
Software requires frequent updates. Without these, any machine can become a dangerous access point for malware and other breaches.
Unpatched software is one of the top reasons companies become compromised. This is common knowledge among security professionals. But to the average user, installing patches is an irritant that quickly drops to the bottom of a crowded to-do list. For this reason, patch awareness education is an essential piece of any training programme. It should clarify the essential nature of patches, squelch any fears or myths surrounding the hassle and drawbacks of installing them, and detail what the company expects in terms of installing patches. Who does it? How often is it done? What should users not do? It should also detail the systems you have in place to see that this necessary task isn’t forgotten.
Your written patch management guidelines might include details like this:
- All critical security patches should be applied within one week of release.
- The user may be required to reboot his or her computer after the patch is applied.
- Missing patches are checked for daily and may be applied without advance notice.
- Do not apply any patch or update initiated from within a browser session.
- If you suspect a patch is missing or has not been applied in a timely manner, report it.
- If a patch causes problems, report it immediately.
Social engineering awareness
The majority of data breaches begin with a successful social engineering attack. This is when the hacker targets a human being to get him or her to do something that gives the hacker the network access he’s looking for. In short, it’s a con game.
Social engineering doesn’t necessarily involve an elaborate sting operation, though, or even direct contact with the victim. It can be done over email, through a web site, over the phone, and by SMS. Your training programme should cover the many ways that humans get conned.
Training staff to prevent social engineering should happen more often than annually and it should include:
- How to recognise social engineering
- Concrete examples of common social engineering tricks
- Tests that simulate social engineering.
- Strategies to encourage social engineering victims to immediately report abuse without fear of repercussions.
Password best practices
While much of the world is moving to multi-factor authentication (MFA) as quickly as possible, passwords remain the only authentication method for a great many web sites and services. A password-only system requires that end users know how to create, remember, and use passwords so that they protect the data behind them without creating a security breach or unnecessary frustration.
Your password best practices training should include:
- Use two-factor authentication (2FA) and multi-factor authentication (MFA) where possible.
- Passwords should be 8 characters or longer.
- Passwords should not be so common that they can be breached in an instant. For example, don’t use words such as ‘password’ or ‘qwerty.’
- Use unique passwords for every site and service; don’t share between sites.
- Create and use password “reset questions” carefully to ensure that they do not contain answers that are easy to find (such as your mother’s maiden name).
Email hygiene
Most digital maliciousness starts with an unsolicited email that contains either a file attachment or malicious link, asking the recipient to click or open. If your team is well versed on how to appropriately handle the inevitable email hazards without exposing the company to risk, email will not be your undoing. For this reason, email coaching for everyone who uses a company computer, or its servers, should be a key part of any end-user education plan.
Email handling best practices should include:
- Coach people to always be slightly sceptical of any unexpected email.
- Teach everyone not to click on a file attachment they weren’t expecting. Call the sender first to confirm its source.
- Never click on any unexpected internet link without verifying that the URL domain is legitimate.
- Don’t enable “active content” in emails from untrusted sources.
- Report suspicious emails to IT security.
- Never click ‘Respond to All’ from large email posts.
Safe browser use
Using a browser to surf the internet is a high-risk activity. Everyone in your company must be taught to intelligently and safely browse the Internet without executing malicious files or content.
Internet browsing best practices should include:
- Instruction on ensuring that your browser is fully patched against critical security vulnerabilities.
- Warnings against installing unnecessary add-ons without admin approval.
- Cautions against surfing the internet using a highly-privileged account (e.g., the administrator’s).
- Warnings not to run unexpected executables presented in a browser.
- Training on how to verify the legitimacy of URL domains.
- Guidelines on what to do when encountering instructions online that tell you to avoid – or how to bypass – security warnings.
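The email and browser lists above both ask users to verify that a link’s domain is legitimate. The following is an added example (not code from the original article) of how a help desk or mail gateway could apply that same check to links in a constructed message: it looks at the host the link actually resolves to rather than at the text around it. The allowlist of trusted domains and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains this (hypothetical) organisation really uses.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host, e.g. 'mail.example.com' -> 'example.com'.
    This simple rule ignores multi-label public suffixes such as 'co.uk'; a
    production check should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str):
    """Classify one link as 'trusted', 'suspicious' or 'unknown' with a reason.

    The checks mirror what users are taught to look for: the real host, not the
    text of the link, decides; trusted names buried in a subdomain or path are a
    warning sign, as are user-info before the host, raw IP addresses and
    punycode (internationalised) host names that may be lookalikes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return "suspicious", "no host in URL"
    if "@" in parts.netloc:
        # 'trusted.example@real-host': everything before '@' is ignored by the browser.
        return "suspicious", "user-info before the host hides the real domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", "punycode host name (possible lookalike characters)"
    if host.replace(".", "").isdigit():
        return "suspicious", "raw IP address instead of a domain name"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"host {host} is under {domain}"
    for trusted in TRUSTED_DOMAINS:
        if trusted in host or trusted in parts.path:
            return "suspicious", f"'{trusted}' appears in the link but the real domain is {domain}"
    return "unknown", f"domain {domain} is not on the allowlist"


def check_links(urls):
    """Classify a batch of links, keeping only the verdict for each."""
    return {u: check_link(u)[0] for u in urls}
```

Because the verdict is derived from the parsed host, the same function catches the “trusted name as a subdomain” pattern whether it arrives in an email, a web page or an SMS.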
Data protection
The importance of data protection has come into focus with new privacy and data protection laws and regulations like Europe’s GDPR and California’s Consumer Privacy Act (CCPA). Aside from making sure that the data you collect is needed, and gathered and used lawfully, your data-protection training should also cover these important topics:
- A definition of what type of information needs to be protected, with examples.
- How to dispose of data when it is no longer needed.
- The necessity to encrypt all confidential data when it is at rest and during network communications.
- The necessity of labelling data according to its sensitivity or criticality (e.g., top secret, secret, confidential, public, etc.).
- Protocols and the documentation required for sharing data.
- The importance of backing up critical data – encrypted and password-protected – in two or more places.
- Encouragement for staff to discuss these issues with your data protection officer whenever there is any doubt.
Screen locking
Unless they are schooled to be aware of the risks, most computer users would never think to lock their computer screen before walking away from a computer or device. But leaving a computer available to anyone can cause damage to your identity or company. At the low end of risk, a mischievous co-worker might send a joke email on your behalf. But worse things have happened. Unlocked computers and devices have ended up causing serious reputational damage to the unwitting companies and users.
All users need to be taught to lock their device screen when no longer nearby or in immediate control of the device.
Screen locking best practices include:
- Users should ALWAYS lock their device when leaving the vicinity.
- Users should be required to authenticate to unlock their device.
- An inactive device should always lock itself after less than 10 minutes.
- A locked device should never reveal its contents.
Targeted spear-phishing training
Specific types of users need precise training to counteract the targeted spear phishing they may encounter. The accounting department, for example, needs to understand why they are a potential target. The CEO and other people with privileged access also need to understand this sort of targeted social engineering.
And this cannot be a blanket training session to cover all spear phishing. Because if the particulars of the situation seem irrelevant, your trainees will likely blow it off. Spear phishers are keen to use personal details and a person’s ongoing project tasks to lull a victim into opening malicious emails and running rogue attachments. Fight back the same way! Use the same particulars a spear phisher would use to get to a victim to create your training programme.
Targeted training includes:
- Financial transfer fraud for employees able to transfer money
- The scepticism necessary when faced with “emergency” CEO requests, for employees who support the CEO
- Training against fraudulent password resets, for employees who can reset passwords
- Training against unexpected requests to re-enter credentials after reading an email
- Seasonal training for different times of the year, such as W-2 or tax fraud near tax season
Incident reporting
The average time it takes a company to discover a malicious hacking event is 8 months, and even then, it is often discovered by someone outside the victim’s company. Sadly, many times the security incident was noticed by someone within the company a long time before the official incident response team was made aware of it. The mantra, “If you see something, say something” applies as much in the digital world as in the real world.
All employees need to be told how to recognise and report security incidents. You want to create a culture where people aren’t afraid to report something that doesn’t seem right. They need to be encouraged to report all suspicious events without fear of repercussions. Use more “carrots” and fewer “sticks.”
Common incident report recommendations include:
- Some memorable examples of common security incidents.
- Whom to call if you see something suspicious.
- Guidelines on how to report a security incident.
- What people should expect after they’ve made a report.
- Plenty of friendly encouragement meant to coax people to proactively report security incidents.
- What to do with a computer or device that an employee believes may have been compromised. (Turn it off? Decommission it? Bring it to the IT department?)
IDG News Service