8 Security Practices to Use in Your Employee Training and Awareness Program

This might be hard to believe, but it is true: 59% of data breaches are not caused by some skilled hacker who wants to harm your company; they are caused by your own employees.

As I argued in my article How a change in thinking can stop 59% of security incidents, to stop these incidents you have to focus on two things (besides investing in new technology): set up your internal processes and procedures correctly, and train your employees and make them aware of security threats.

In this article I’ll focus on the second issue: which topics to include in your security training and awareness program. The suggestions below apply regardless of whether your employees use smartphones or computers, and whether they use their own devices or company equipment.

1) Authentication

Of course, your employees must use strong passwords, a different one for each service, and must never share these passwords with anyone.

This matters because if a laptop, smartphone, or any other device is stolen and its password is weak, the thief not only controls all the data on that device; he can also use the credentials stored on it to get into your company network and wreak havoc with your company data. A password reused across services lets one compromised account open all the others.

The best practice is to use a password manager: employees then need to remember only one strong master password, and the password manager generates and stores a different random password for every other service. The same password manager can be used on all of an employee’s devices.

Further, for the most important services, such as email and file sharing, your employees should use two-factor authentication (2FA), which most cloud providers offer for free these days; it keeps the account protected even if the password is compromised. The second factor is something the user has: a one-time code sent to or generated on their phone, or a hardware security key (a special USB key). Without it, the password alone does not grant access. Where the provider offers the choice, an authenticator app or a hardware key is preferable to codes sent by text message, which attackers can intercept or redirect.

2) Network connection

Unfortunately, wireless connections are harder to secure than wired ones. For example, your employees should keep Bluetooth switched off when they are not using it and keep the device non-discoverable, because Bluetooth has a long record of flaws that let a nearby attacker connect to a device or eavesdrop on it.

Public Wi-Fi networks are often not much better: hackers set up such networks in public places, posing as the legitimate provider, in order to intercept users’ Internet traffic. Anything sent without encryption, including passwords typed into plain-HTTP sites, can then be read, and the attacker can redirect users to fake login pages. Therefore, employees should be very careful about which network they connect to.

A home or office Wi-Fi network that is set up improperly can also be the cause of a security breach: the router’s default administrator password must be changed to a strong one, the Wi-Fi passphrase must be long and hard to guess, and WPA2 (or the newer WPA3) encryption must be enabled; an open network or the obsolete WEP offers no real protection.

A connection through the mobile telecom provider (i.e., 3G, 4G, or 5G) is considered the most secure wireless option, but it is often the most expensive. Of course, a wired connection is more secure than any wireless connection.

There is one method that makes communication much more secure at relatively low cost: a VPN. All traffic between the device and the VPN server is encrypted before it leaves the device, so whoever controls the local network, a rogue hotspot for example, sees only encrypted traffic. Note that the VPN operator can see that traffic instead, so use the company’s own VPN or a provider you trust.

3) Access to the device

Your employees should never give anyone else access to their device. OK, in some cases they will want to let their spouse or children use their computer for, e.g., playing games or shopping. In such cases, they should create a separate account in the operating system for that person, and that account must not have administrator privileges; otherwise the person could (even unintentionally) install malware or change system settings.

Letting someone use the same account on a computer is a huge security risk. That person doesn’t have to do anything malicious; it is enough that they delete a couple of your files by mistake, or run a program that should not be touched.

4) Physical security

Mobile devices, including laptops and smartphones, are frequent targets of thieves, not only because the device can be resold, but also because the data on it can be far more valuable.

So, here are a few tips on how to protect a mobile device:

  • Mobile devices should never be left in a car.
  • They should never be left unattended in public places such as conferences, airports, restrooms, public transport, etc.
  • The devices should be kept with the user the whole time, or stored in a facility with no public access – e.g., a room or an office that is locked when no one is present.

5) Data encryption

No matter how careful your employees are, a laptop or smartphone can still get stolen. This is why you should require them to protect all of their data (or at least the most sensitive) with encryption. Modern smartphones encrypt their storage automatically once a screen lock is set; on laptops and desktops, full-disk encryption is built into most operating systems (BitLocker on Windows, FileVault on macOS, LUKS on Linux), but it usually needs to be turned on, and the recovery key must be kept somewhere safe.

Since most data is now transferred or archived through the cloud, encrypting that data also makes sense. Most cloud providers claim to encrypt data in their systems; however, it is better to encrypt the data before it reaches the cloud, so that neither the provider nor anyone who breaks into the provider’s systems can read it. You never know how far the cloud provider can be trusted.

6) Backup

If data is lost and everything else fails, a backup is usually the last resort; in many cases a backup has saved not just days, but months or years of someone’s work.

So, make sure your employees have the right backup system in place (very often a simple cloud service will do), and that the backup is updated regularly and tested: a backup that has never been restored is an assumption, not a backup. One word of caution: having a backup means the data is stored in at least two places, e.g., on the computer and in the cloud. Keeping the data only in the cloud is therefore not a real backup; nor is a sync folder on its own, because a file that is deleted or encrypted by ransomware on the computer is quickly replicated to the cloud copy.
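As an added example (not part of the original article), the following Python script checks whether a backup copy is actually complete and current: it hashes every file in the working folder and in the backup and reports what the backup is missing, what has changed since it was taken, and what only the backup still holds. The folder names and the files it creates in a temporary directory are constructed for the demonstration; it needs only the standard library.

```python
"""Backup verification: hash every file in the working folder and in its
backup copy, then report missing, changed and extra files."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {path.relative_to(root).as_posix(): sha256_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def compare_backup(source: Path, backup: Path) -> Dict[str, object]:
    """Compare a working folder with its backup copy.
    'missing' = in source but not in backup (never copied),
    'changed' = in both but contents differ (backup is stale),
    'extra'   = only in backup (deleted from source; keep it, it may be the only copy)."""
    src, dst = hash_tree(source), hash_tree(backup)
    missing: List[str] = sorted(set(src) - set(dst))
    extra: List[str] = sorted(set(dst) - set(src))
    changed: List[str] = sorted(name for name in src.keys() & dst.keys()
                                if src[name] != dst[name])
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not missing and not changed}


def demo() -> Dict[str, object]:
    """Constructed scenario: a backup was taken, then work continued on the laptop."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        laptop, backup = work / "documents", work / "backup"
        (laptop / "projects").mkdir(parents=True)
        (laptop / "projects" / "plan.txt").write_text("Q3 plan, version 1\n")
        (laptop / "notes.txt").write_text("meeting notes\n")
        shutil.copytree(laptop, backup)                                   # the nightly backup runs here
        (laptop / "projects" / "plan.txt").write_text("Q3 plan, version 2\n")  # edited afterwards
        (laptop / "budget.csv").write_text("item,amount\nlaptops,4200\n")     # created afterwards
        (backup / "old-draft.txt").write_text("deleted from the laptop last week\n")
        return compare_backup(laptop, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    report = demo()
    for key in ("missing", "changed", "extra"):
        for name in report[key]:
            print(f"{key:8s} {name}")
    print("backup is current" if report["ok"] else "backup is NOT current")
```

Run against a real folder pair by calling `compare_backup(Path("~/Documents").expanduser(), Path("/media/backup/Documents"))`; a non-empty `missing` or `changed` list means the backup job is not keeping up, and `extra` is exactly the data a sync folder would already have thrown away.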

7) Software installation and patching

First of all, you should give your employees a list of approved software, and allow only that software to be installed on devices used for business purposes. Very often, games or utility programs offered as free downloads on the Internet turn out to carry malware that hackers use to infect your employees’ computers and extract information.

Unfortunately, approved software will also have security vulnerabilities that allow malware to be installed on the device; this is why it is crucial to install all security patches as soon as they are published. The best approach is to have your employees set updates to install automatically, for the operating system, the browser, and the other applications alike.

8) Basic security “hygiene”

There are some security practices that should be considered as normal, for instance:

  • Your employees should install anti-virus software and enable its automatic updating.
  • The firewall on the computer should be turned on, and the traffic that is allowed should be chosen carefully: only trusted applications should be allowed to communicate with the Internet.
  • Links in emails should be clicked with great care. Some links lead to infected websites, where an unpatched browser can be compromised the instant the page loads (a so-called drive-by download); others lead to fake login pages that steal the password. Employees should hover over a link to see where it really goes, and type the address themselves for important services.
  • Similarly, browsing suspicious websites should be avoided; as explained, some websites are built with the sole purpose of spreading malware.
  • Transferring data with USB flash drives should be avoided. They are one of the easiest ways to infect a computer, because malicious code on the drive can run as soon as the device is plugged in, and it is very difficult to stop it at that point. A drive of unknown origin should never be plugged in at all.
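The "hover over the link" check can be automated. The following is an added example (not from the article) that pulls every link out of an HTML email and flags the classic phishing tricks: visible text that names a different site than the real target, raw IP addresses, a hidden user@ part before the host, punycode hostnames, and a trusted brand name buried in an untrusted domain. The sample email and the trusted domain example.com are constructed for the demonstration; the "registrable domain" helper is deliberately crude (last two labels) and a real tool would use the Public Suffix List. Standard library only.

```python
"""Flag suspicious links in an HTML email body."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed for the example: the domain the company really uses for its services.
TRUSTED_DOMAINS = {"example.com"}
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}          # {"example"}

# Something in the visible link text that looks like a domain or URL.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels (no Public Suffix List here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link looks suspicious (empty list = nothing found)."""
    if not urlparse(href).scheme:
        href = "http://" + href                       # scheme-less href such as "www.x.com/y"
    parsed = urlparse(href)
    scheme = parsed.scheme.lower()
    if scheme in ("mailto", "tel"):
        return []
    if scheme not in ("http", "https"):
        return [f"non-web scheme {scheme!r} in link"]  # javascript:, data:, ...
    host = parsed.hostname or ""
    reasons: List[str] = []
    if is_ip(host):
        reasons.append("link goes to a raw IP address")
    if parsed.username is not None:
        reasons.append("URL contains 'user@host'; the part before @ is not the site")
    if "xn--" in host:
        reasons.append("punycode hostname, possible look-alike characters")
    match = DOMAIN_RE.search(text)
    if match and registrable(match.group(1)) != registrable(host):
        reasons.append(f"text shows {match.group(1)} but link goes to {host}")
    if registrable(host) not in TRUSTED_DOMAINS and any(b in host for b in BRANDS):
        reasons.append(f"trusted brand name inside untrusted domain {host}")
    return reasons


def scan_email(html: str) -> List[Tuple[str, str, List[str]]]:
    """Every link in the email that has at least one reason to distrust it."""
    return [(href, text, check_link(href, text))
            for href, text in extract_links(html) if check_link(href, text)]


# Constructed sample message (203.0.113.0/24 is a documentation range).
SAMPLE_EMAIL = """\
<p>Dear user, your mailbox is almost full. Sign in to keep receiving mail:</p>
<p><a href="http://example.com.mail-quota-check.net/login">https://mail.example.com/quota</a></p>
<p>Or use <a href="http://203.0.113.5/login">this direct link</a>.</p>
<p>Account page: <a href="https://example.com@203.0.113.5/">example.com</a></p>
<p>Help: <a href="https://helpdesk.example.com/kb/123">https://helpdesk.example.com/kb/123</a></p>
<p><a href="https://xn--exmple-cua.com/unsub">Unsubscribe</a></p>
<p>Questions? <a href="mailto:helpdesk@example.com">Write to the helpdesk</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href}  (text: {text!r})")
        for reason in reasons:
            print("   -", reason)
```

Only the genuine helpdesk link and the mailto link come through clean; the other four are flagged, and the first one for two reasons at once. The same checks are what an employee is being taught to do by eye when told to look at where a link really leads before clicking.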

Invest wisely in your security

Of course, each company will have to adapt its training & awareness program to its own needs, so you should not take these 8 items as a definitive list. The best approach is to use a framework like ISO 27001, the leading information security standard, to give you detailed guidance on how to perform security training & awareness. See also: How to perform training & awareness for ISO 27001 and ISO 22301.

No matter how you train your employees and how you make them aware of security, remember the most important thing: simply purchasing the new technology won’t increase your level of security; you also have to teach your people how to use that technology properly, and explain to them why this is needed in the first place. Otherwise, this technology will only become what business owners fear the most: a wasted investment.

See also this series of 25 free security awareness videos, which any employee in your company can easily understand.

Dejan Kosutic, Advisera
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.