What Should Be Included in Security Awareness Training?

Security Awareness Training is one of the key ways to help protect your organization from social engineering attacks and to raise the level of security with which your employees operate. This training is also a good opportunity to convey security-related information that not only helps protect your organization, but also helps protect employees in their everyday lives. Oftentimes, though, companies struggle to produce (or obtain from a third party) engaging training that employees can relate to and learn from; many security topics quickly go over the audience's head. Today, we'll give some quick tips on the topics that should be covered by your company's security awareness training.

Topics You Should Cover

  • How to Recognize Different Types of Social Engineering Attacks – You want to remind your employees about the dangers of social engineering attacks, such as phishing, spear phishing, and vishing, so it’s helpful to define and explain each of these attacks. It’s also helpful to describe the scenarios that are prevalent and actively used by attackers. As penetration testers, when we are engaged to provide security awareness training for a client, we cover the exact techniques we use when conducting social engineering assessments, which gives employees an interesting and engaging way to understand what these attacks look like in the real world.
  • How to Choose a Strong Password – One thing many people don’t really understand is how to make a secure password in the first place. It sounds simple, but explaining to users how to use a passphrase of sufficient length, and why that makes them more resistant to password-guessing attacks, can pay huge dividends for your organization by helping to eliminate extremely weak passwords. Check out our blog on the importance of using passphrases.
  • Everyday Ways to Protect Yourself – It’s helpful to include in security awareness training the different things that people can do to protect themselves on a daily basis. This can include everything from identifying encrypted websites (HTTPS, little green lock, etc.) to the dangers of connecting to untrusted WiFi networks at a coffee shop. Any tips you can provide to help users improve their personal security will in turn improve the security of your company.
  • Organization-specific Security Standards/Documentation – Tell employees where to find important security policies, whom they should report a suspected social engineering attack to, and the overall culture of security the organization is striving for.
  • Compliance-specific Requirements – If there are any compliance standards your organization adheres to, make sure employees are aware of specific requirements and the importance of complying with those requirements. HIPAA and PCI, for example, both have specific items that employees need to be made aware of during security awareness training.
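To back up the passphrase point above with numbers you can show in training, here is an added example (not code from the original post) that estimates the guess-space in bits of a character-based password versus a word-based passphrase, and the time an attacker would need to exhaust it. The word-list size (7776, a Diceware-style list) and the guess rate (1e10 guesses per second against a fast hash) are assumptions chosen for illustration.

```python
import math

# Constructed assumptions for the comparison (not from the original post).
WORDLIST_SIZE = 7776          # Diceware-style list: 6^5 words
GUESSES_PER_SECOND = 1e10     # assumed offline guess rate against a fast hash
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Character classes an attacker must cover once they know which ones are used.
CHARACTER_CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?/",
}


def password_bits(password: str) -> float:
    """Upper bound on entropy of a character-by-character password:
    length * log2(pool), where the pool is the union of classes present.
    Real user-chosen passwords are far more predictable than this bound."""
    pool = sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))
    return 0.0 if pool == 0 else len(password) * math.log2(pool)


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly at random
    from a public word list of wordlist_size entries."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of 2**bits guesses."""
    return (2 ** bits) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed samples: an 8-character "leet" password vs a 5-word passphrase.
    for label, bits in (("p4ssw0rd (8 chars)", password_bits("p4ssw0rd")),
                        ("5-word passphrase", passphrase_bits(5))):
        print(f"{label:20s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```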

While this certainly doesn’t cover everything that can be included in your security awareness training, it should give you some ideas of where to start. If you’re interested in discussing this further, or need someone to conduct security awareness training for your organization, please reach out!