Essential Security Awareness Training Topics for any Organization 🐱‍💻🏢

Photo by Charles Forerunner on Unsplash

One question you might ask yourself is: what are the essential security awareness training topics you need to know for 2022? In this article, I will discuss some essential security awareness training topics for any organization, including yours. Let’s jump right into it!

1. Phishing Attacks

Phishing remains one of the most effective and common avenues of attack for cyber criminals. Having doubled in 2020, phishing attacks steadily increased throughout 2021 and into 2022, with remote work becoming more prevalent and making it harder for businesses to ensure their users aren’t falling victim.

But why is phishing still such a threat to businesses in 2022?

One major factor is how sophisticated these types of attacks have become. Attackers now use smarter techniques to trick employees into compromising sensitive data or downloading malicious attachments.

For example, business email compromise (BEC) is a common form of phishing that uses prior research on a specific individual — such as a company’s senior executive — in order to create an attack that can be incredibly difficult to distinguish from a real email.

Pair these more intelligent attacks with the common misconception that phishing is ‘easy to spot’, and it is no wonder that many businesses are forecast to suffer a phishing-related breach in 2022.

Employees need regular training on how to spot phishing attacks that use modern techniques, as well as on how to report a phishing attack as soon as they believe they have been targeted.

2. Removable Media

USB drives, also known as thumb drives, have become a popular medium for storing and transporting files from one computer to another. Their appeal lies in the fact that they are small, readily available, inexpensive, and extremely portable. However, these same characteristics make them attractive to attackers. Just look at some of the most spectacular computer attacks of past years, and you’ll find a USB drive being a part of the event. And it’s not just thumb drives that are the culprits: any device that plugs into a USB port, including electronic picture frames, iPods, and cameras, can be used to spread malware. These devices can even be infected during the production or supply chain process if quality control measures are not up to par. When users buy the infected products and plug them into their computers, malware is installed on those computers.

There are numerous ways for attackers to use USB drives to infect computers. One method is to install malicious code, or malware, on the device that can detect when it is plugged into a computer.

When the USB drive is plugged into a computer, the malware infects that computer. Another method is to download sensitive information directly onto a USB drive. The only thing needed to accomplish this is physical access to a computer on the network. Even computers that have been turned off may be vulnerable, because a computer’s memory is still active for several minutes without power. If an attacker can plug a USB drive into the computer during that time, he or she can quickly reboot the system from the USB drive and copy the computer’s memory, including passwords, encryption keys, and other sensitive data, onto the drive.

Oftentimes, a company’s biggest weakness might not be a malicious insider, but rather an employee who simply doesn’t understand the potential security risks of their actions. inserted into company computers after they were picked up by unsuspecting workers. This number rose to 90% when the USB drives had the Department of Homeland Security logo.

There are steps you can take to protect the data on your USB drive and on any computer that you might plug the drive into:

  • Take advantage of security features — Use passwords and encryption on your USB drive to protect your data, and make sure that you have the information backed up in case your drive is lost.
  • Keep personal and business USB drives separate — Do not use personal USB drives on company computers, and do not plug USB drives containing corporate information into your personal computer.
  • Use security software and keep all software up to date — Use a firewall, anti-virus software, and anti-spyware software to make your computer less vulnerable to attacks, and make sure to keep the virus definitions current. It’s also important to keep both the operating system and other software on your computer up to date by applying any necessary patches.
  • Do not plug an unknown USB drive into your computer — If you find a USB drive, do not plug it into your computer to view the contents or to try to identify the owner. You may also want to notify someone in your IT department if the drive is found on work premises.
  • Disable Autorun — The Autorun feature in Windows causes removable media such as CDs, DVDs, and USB drives to open automatically when they are inserted into a drive. By disabling Autorun, you can prevent malicious code on an infected USB drive from opening automatically.
  • Develop and enforce USB drive-related policies — Make sure employees are aware of the inherent dangers associated with USB drives and what your company policy is on the proper use of them. Also consider mentioning the dangers of USB flash drives in company training. No matter how technology-savvy your employees may seem, no company is immune to human error.
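The “Disable Autorun” step above is a single Windows registry policy. The script below is an added example, not from the original article: it reads the `NoDriveTypeAutoRun` policy value (0xFF disables Autorun for every drive type) and applies it if it is missing or weaker. The function names are my own; run it from an elevated PowerShell session.

```powershell
# Added example (not part of the original article): audit and enforce the
# Windows Autorun policy described in the removable-media checklist.
# NoDriveTypeAutoRun is a bitmask of drive types for which Autorun is disabled;
# 0xFF covers all of them. Requires an elevated session; takes effect after sign-out/restart.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$Hardened   = 0xFF   # disable Autorun on all drive types

# Hypothetical helper: report the current policy value and whether it is fully hardened.
function Get-AutorunState {
    $current = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        # Value absent: Windows falls back to its default, which still allows Autorun on some drive types.
        return [pscustomobject]@{ Value = $null; Hardened = $false }
    }
    $v = [int]$current.$ValueName
    return [pscustomobject]@{ Value = $v; Hardened = (($v -band 0xFF) -eq 0xFF) }
}

# Hypothetical helper: write the hardened value (creates the policy key if needed).
function Set-AutorunDisabled {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord `
        -Value $Hardened -Force | Out-Null
}

$state = Get-AutorunState
if ($state.Hardened) {
    Write-Output ("Autorun already disabled for all drive types (NoDriveTypeAutoRun = 0x{0:X})." -f $state.Value)
} else {
    Write-Output "Autorun is NOT fully disabled (current value: $($state.Value)). Applying policy..."
    Set-AutorunDisabled
    Write-Output "NoDriveTypeAutoRun set to 0xFF. Sign out or restart for the change to take effect."
}
```

In a domain, the same value is normally pushed from Group Policy (Computer Configuration, Administrative Templates, Windows Components, AutoPlay Policies) rather than set per machine.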

Next time you pick up a USB drive, keep in mind the potential risks you could be unleashing on your network. Following these simple suggestions can go a long way in helping to increase your data’s security.

3. Passwords and Authentication

A very simple but often overlooked element that can help your company’s security is password security. Commonly used passwords are routinely guessed by malicious actors in the hope of gaining access to your sensitive accounts. Using simple passwords, or having recognizable password patterns across employees, can make it easy for cyber-criminals to access a large range of accounts. Once this information is stolen it can be made public or sold for profit on the deep web.

Implementing randomized passwords can make it much more difficult for malicious actors to gain access to a range of accounts. Other steps, such as two-factor authentication, provide extra layers of security that protect the integrity of the account.

4. Physical Security

If you’re one of those people who leave their passwords on sticky notes on their desk, you may want to throw them away. Though many attacks are likely to happen through digital mediums, keeping sensitive physical documents secured is vital to the integrity of your company’s security system.

Simple awareness of the risks of leaving documents, unattended computers and passwords around the office space or home can reduce the security risk. By implementing a ‘clean-desk’ policy, the threat of unattended documents being stolen or copied can be significantly reduced.

5. Mobile Device Security

The changing landscape of IT technologies has improved the ability to support flexible working environments, and along with it have come more sophisticated security attacks. With many people now having the option to work on the go using mobile devices, this increased connectivity has come with the risk of security breaches. For smaller companies this can be an effective way of saving budget; however, user-device accountability is an increasingly relevant aspect of training in 2022, especially for travelling or remote workers. The advent of malicious mobile apps has increased the risk of mobile phones containing malware, which could potentially lead to a security breach.

Best-practice online courses for mobile device workers can help educate employees to avoid risks without high-cost security protocols. Sensitive information on mobile devices should always be password-protected, encrypted, or guarded by biometric authentication in the event of the device being lost or stolen. The safe use of personal devices is necessary training for any employees who work on their own devices.

Best practice is to make sure workers have to sign a mobile security policy.

Conclusion:

To conclude, these are 5 security awareness training topics that you can provide to your organization. It’s important to note that there are many other security awareness training topics that I have not discussed, so please do your homework to see what is best for your organization and its specific needs. Let me know what your thoughts are in the comments below!

Bye!!


Cybersecurity Professional and OSINT & Tech Enthusiast
