The weakest link
Every IT security professional is well aware that a thorough end-user education program is a necessary weapon in the battle to protect your perimeter. A good education program trains your vulnerable humans to understand how to help defend your system from attack. Education helps people develop healthy habits, hones their defense against social engineering, and makes them an ally in the fight rather than a chink in your defenses.
You know security education is essential. Less clear? What makes a good security education program? How good is yours? Have you missed any important topics?
Here are ten topics every computer security training program should have.
Acceptable use
Most people don’t lie awake at night thinking about the right and wrong way to use that sweet laptop their employer handed them. They use it because they have it. That’s why you need to spell out what is and what isn’t an acceptable use of that business device.
Sitting every employee down and insisting they read and sign an acceptable use policy every year is a great way to educate them. It also provides you with legal support later if that employee breaks the rules. To have any teeth, employees must agree to your acceptable use policy before you assign them a business device.
Common acceptable use statements include:
Business devices are the sole property of the business. The business alone can assign, remove, and determine control over those devices.
There is no expectation of privacy when using a business-owned device.
The company may read employee emails or other communications at its own discretion, without prior notice.
Unlawful or unethical activities are not allowed on business devices.
Any user-created passwords can be disabled or reset by the company without prior notice.
Personal use is allowed as long as it isn’t excessive (as determined by the business) and does not violate one of the previous guidelines.
Failure to abide by this acceptable use agreement may result in adverse actions, including removal of that same company device, up to and including termination.
Patch awareness
Software requires frequent updates. Without these, any machine can become a dangerous access point for malware and other breaches.
Unpatched software is one of the top reasons companies become compromised. This is common knowledge among security professionals. But to the average user, installing patches is an irritant that quickly drops to the bottom of a crowded to-do list. For this reason, patch awareness education is an essential piece of any training program. It should clarify the essential nature of patches, squelch any fears or myths surrounding the hassle and drawbacks of installing them, and detail what the company expects in terms of installing patches. Who does it? How often is it done? What should users not do? It should also detail the systems you have in place to see that this necessary task isn’t forgotten.
Your written patch management guidelines might include details like this:
All critical security patches should be applied within one week of release.
The user may be required to reboot his or her computer after the patch is applied.
Missing patches are checked for daily and may be applied without advance notice.
Do not apply any patch or update initiated from within a browser session.
If you suspect a patch is missing or has not been applied in a timely manner, report it.
If a patch causes problems, report it immediately.
Social engineering awareness
The majority of data breaches begin with a successful social engineering attack. This is when the hacker targets a human being to get him or her to do something that gives the hacker the network access he’s looking for. In short, it’s a con game.
Social engineering doesn’t necessarily involve an elaborate sting operation, though, or even direct contact with the victim. It can be done over email, through a web site, over the phone, and by SMS. Your training program should cover the many ways that humans get conned.
Training staff to prevent social engineering should happen more often than annually and it should include:
How to recognize social engineering.
Concrete examples of common social engineering tricks.
Tests that simulate social engineering.
Strategies to encourage social engineering victims to immediately report abuse without fear of repercussions.
Password best practices
While much of the world is moving to multi-factor authentication (MFA) as quickly as possible, passwords remain the only authentication method for a great many web sites and services. A password-only system requires that end users know how to create, remember, and use passwords so that they protect the data behind them without creating a security breach or unnecessary frustration.
Your password best practices training should include:
Use two-factor authentication (2FA) and multi-factor authentication (MFA) where possible. Passwords