{"id":2458,"date":"2021-12-30T14:29:06","date_gmt":"2021-12-30T11:29:06","guid":{"rendered":"https:\/\/esi.edu.sa\/?p=2458"},"modified":"2021-12-30T14:29:17","modified_gmt":"2021-12-30T11:29:17","slug":"it-security-awareness-in-an-organization","status":"publish","type":"post","link":"https:\/\/esi.edu.sa\/en\/it-security-awareness-in-an-organization\/","title":{"rendered":"IT Security Awareness in an Organization"},"content":{"rendered":"<figure id=\"attachment_2430\" aria-describedby=\"caption-attachment-2430\" style=\"width: 216px\" class=\"wp-caption alignright\"><img decoding=\"async\" class=\"size-full wp-image-2430\" src=\"https:\/\/esi.edu.sa\/wp-content\/uploads\/2021\/12\/admin-ajax-1.png\" alt=\"Mohammad Abdul Khadeer CGEIT, PMP, CISA, CQA, CSTE, CMMi Manager \u2013 IT Trainings\" width=\"226\" height=\"291\" \/><figcaption id=\"caption-attachment-2430\" class=\"wp-caption-text\">Mohammad Abdul Khadeer<br \/>CGEIT, PMP, CISA, CQA, CSTE, CMMi<br \/>Manager \u2013 IT Trainings<\/figcaption><\/figure>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2459\" src=\"https:\/\/esi.edu.sa\/wp-content\/uploads\/2021\/12\/admin-ajax-6.jpg\" alt=\"\" width=\"400\" height=\"250\" srcset=\"https:\/\/esi.edu.sa\/wp-content\/uploads\/2021\/12\/admin-ajax-6.jpg 400w, https:\/\/esi.edu.sa\/wp-content\/uploads\/2021\/12\/admin-ajax-6-300x188.jpg 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/p>\n<p><strong>Preamble<\/strong><\/p>\n<p>In an organization, employees are one of the biggest risks to its cybersecurity. Human error is widely reported as the leading cause of data breaches. However, an organization\u2019s employees can also be a huge asset for its cybersecurity. If employees are given the knowledge and skills they need to identify cyber threats, through an effective and engaging security training program, they can act as another line of defense for the organization.<\/p>\n<p>When designing a <a href=\"http:\/\/www.infosecinstitute.com\/iq\/phishing\/\" rel=\"nofollow noopener\" target=\"_blank\">cybersecurity training program<\/a>, it\u2019s important to ensure that it covers the cyber threats that the organization is most likely to face. This article outlines the ten (10) most important security awareness topics to include in a security awareness program:<\/p>\n<ol>\n<li><strong>Email Scams<\/strong><\/li>\n<\/ol>\n<p>Phishing is one of the most common methods that cybercriminals use to gain access to an organization\u2019s network. It takes advantage of human nature to trick the target into falling for the scam by offering an incentive (free items, a business opportunity and so on) or by creating a sense of urgency.<\/p>\n<p>Phishing awareness should be a component of every organization\u2019s security training program. It should include examples of common and relevant phishing emails and tips for identifying attempted attacks, including:<\/p>\n<ul>\n<li><strong>Do not trust unsolicited emails.<\/strong><\/li>\n<li><strong>Do not send funds or change payment details in response to an email request, especially not before verifying the request through a separate channel and checking with leadership.<\/strong><\/li>\n<li><strong>Always filter spam.<\/strong><\/li>\n<li><strong>Configure your email client securely, for example so that it does not automatically load remote content or open attachments.<\/strong><\/li>\n<li><strong>Install antivirus and firewall software and keep them up to date.<\/strong><\/li>\n<li><strong>Do not click on links in unexpected email messages; check where a link really points (for example by hovering over it) before following it.<\/strong><\/li>\n<li><strong>Beware of email attachments. Verify any unsolicited attachment with the purported sender (by phone or another medium) before opening it.<\/strong><\/li>\n<li><strong>Remember that phishing attacks can occur over any medium (including email, SMS, voice calls, enterprise collaboration platforms and so on).<\/strong><\/li>\n<\/ul>\n<ol start=\"2\">\n<li><strong>Malware<\/strong><\/li>\n<\/ol>\n<p>Malware is malicious software that cybercriminals use to steal sensitive data (user credentials, financial information and so on) or to damage an organization\u2019s systems (for example ransomware and wiper malware). It can be delivered to an organization in a number of ways, including phishing emails, drive-by downloads and malicious removable media.<\/p>\n<p>Employee security awareness training on malware should cover common delivery methods, threats and impacts to the organization. The important tips are:<\/p>\n<ul>\n<li><strong>Be suspicious of files from emails, websites and other untrusted sources.<\/strong><\/li>\n<li><strong>Don\u2019t install unauthorized software.<\/strong><\/li>\n<li><strong>Keep antivirus running and up to date.<\/strong><\/li>\n<li><strong>Contact the IT\/Security team immediately if you suspect a malware infection.<\/strong><\/li>\n<\/ul>\n<ol start=\"3\">\n<li><strong>Password Security<\/strong><\/li>\n<\/ol>\n<p>Passwords are the most common and simplest authentication mechanism in use. Most employees have dozens of online accounts that are accessed by providing a username (often their email address) and a password. Poor password security is one of the biggest threats to modern enterprise security. 
Some of the important password security tips to include in the training content are:<\/p>\n<ul>\n<li><strong>Always use a unique password for each online account, so that one breached site does not expose the others.<\/strong><\/li>\n<li><strong>Passwords should be long and randomly generated; length matters more than a mix of character types.<\/strong><\/li>\n<li><strong>Where a system requires it, passwords should contain a mix of letters, numbers and symbols.<\/strong><\/li>\n<li><strong>Use a password manager to generate and store strong passwords for each account.<\/strong><\/li>\n<li><strong>Use multi-factor authentication (MFA) when available to reduce the impact of a compromised password.<\/strong><\/li>\n<\/ul>\n<ol start=\"4\">\n<li><strong>Removable Media<\/strong><\/li>\n<\/ol>\n<p>Removable media (such as USB drives, CDs and so on) are a useful tool for cybercriminals because they allow malware to bypass an organization\u2019s network-based security defenses. Malware can be placed on the media and configured to execute automatically through AutoRun, or given an enticing filename to trick employees into opening it. Malicious removable media can steal data, install ransomware or even physically damage the computer they are inserted into.<\/p>\n<p>Malicious removable media can be distributed by being dropped in parking lots and common areas or handed out at conferences and other public events. Employees should be trained to handle untrusted removable media properly:<\/p>\n<ul>\n<li><strong>Never plug untrusted removable media into a computer.<\/strong><\/li>\n<li><strong>Bring all untrusted removable media to IT\/Security for scanning.<\/strong><\/li>\n<li><strong>Disable AutoRun on all computers.<\/strong><\/li>\n<\/ul>\n<ol start=\"5\">\n<li><strong>Safe Internet Habits<\/strong><\/li>\n<\/ol>\n<p>Almost every worker, especially in tech, has access to the internet. For this reason, secure use of the internet is of paramount importance for companies. Security training programs should incorporate safe internet habits that prevent attackers from penetrating the corporate network. Important content to include in the training program:<\/p>\n<ul>\n<li><strong>The ability to recognize suspicious and spoofed domains (like yahooo.com instead of yahoo.com).<\/strong><\/li>\n<li><strong>The differences between HTTP and HTTPS and how to identify an insecure connection, keeping in mind that HTTPS only means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too.<\/strong><\/li>\n<li><strong>The dangers of downloading untrusted or suspicious software from the internet.<\/strong><\/li>\n<li><strong>The risks of entering credentials or login information into untrusted or risky websites (including spoofed and phishing pages).<\/strong><\/li>\n<li><strong>Watering hole attacks, drive-by downloads and other threats of browsing suspicious sites.<\/strong><\/li>\n<\/ul>\n<ol start=\"6\">\n<li><strong>Social Networking Threats<\/strong><\/li>\n<\/ol>\n<p>Enterprises use social networking as a powerful tool to build a brand (either locally or globally) and generate online sales. 
Unfortunately, cybercriminals also use social media for attacks that put an organization\u2019s systems and reputation at risk. To prevent the loss of critical data, the enterprise should have a social networking policy and training program that sets limits on the use of social networking at work and informs employees of the threats of social media, including but not limited to the following:<\/p>\n<ul>\n<li><strong>Phishing attacks can occur on social media as well as over email.<\/strong><\/li>\n<li><strong>Cybercriminals impersonating trusted brands can steal data or push malware.<\/strong><\/li>\n<li><strong>Information published on social media (roles, colleagues, travel, projects) can be used to craft convincing spear-phishing emails.<\/strong><\/li>\n<\/ul>\n<ol start=\"7\">\n<li><strong>Physical Security and Environmental Controls<\/strong><\/li>\n<\/ol>\n<p>Security awareness isn\u2019t just about what resides in the company\u2019s computers or handheld devices. Employees should be aware of potential security risks in the physical aspects of the workplace, such as:<\/p>\n<ul>\n<li><strong>Visitors or new hires watching as employees type in passwords (known as \u201cshoulder surfing\u201d).<\/strong><\/li>\n<li><strong>Letting in visitors claiming to be inspectors, exterminators or other uncommon guests who may be looking to get at the systems (called \u201cimpersonation\u201d).<\/strong><\/li>\n<li><strong>Allowing someone to follow you through a door into a restricted area (called \u201ctailgating\u201d).<\/strong><\/li>\n<li><strong>Leaving passwords written on pieces of paper on one\u2019s desk.<\/strong><\/li>\n<li><strong>Leaving a computer unlocked when stepping away from it or leaving work for the night.<\/strong><\/li>\n<li><strong>Leaving an office-issued phone or device out in plain sight.<\/strong><\/li>\n<li><strong>Physical security controls (doors, locks and so on) that are malfunctioning and have not been reported.<\/strong><\/li>\n<\/ul>\n<ol start=\"8\">\n<li><strong>Clean Desk Policy<\/strong><\/li>\n<\/ol>\n<p>Sensitive information left on a desk, such as sticky notes, papers and printouts, can easily be taken by thieving hands or seen by prying eyes. A clean desk policy should state that the information visible on a desk is limited to what is currently necessary. Before leaving the workspace for any reason, all sensitive and confidential information should be securely stored.<\/p>\n<ol start=\"9\">\n<li><strong>Data Management and Privacy<\/strong><\/li>\n<\/ol>\n<p>Most organizations collect, store and process a great deal of sensitive information, including customer data, employee records, business strategies and other data important to the operation of the business. If any of this data is publicly exposed or becomes accessible to a competitor or cybercriminal, the organization may face significant regulatory penalties, damage to customer relationships and a loss of competitive advantage. Therefore, employees need to be trained on how to properly manage the business\u2019s sensitive data to protect data security and customer privacy. The important training content to include is:<\/p>\n<ul>\n<li><strong>The business\u2019s data classification scheme and how to identify and protect data at each level.<\/strong><\/li>\n<li><strong>Regulatory requirements that could affect an employee\u2019s day-to-day operations.<\/strong><\/li>\n<li><strong>Approved storage locations for sensitive data on the enterprise network.<\/strong><\/li>\n<li><strong>Use a strong password and MFA for accounts with access to sensitive data.<\/strong><\/li>\n<\/ul>\n<ol start=\"10\">\n<li><strong>Bring-Your-Own-Device (BYOD) Policy<\/strong><\/li>\n<\/ol>\n<p>BYOD policies enable employees to use their personal devices in the workplace. 
While this can improve efficiency by letting employees use the devices they are most comfortable with, it also creates security risks. A BYOD policy should therefore include at least the following conditions:<\/p>\n<ul>\n<li><strong>All devices used in the workplace should be secured with a strong passcode or biometric lock so that data is protected if the device is lost or stolen.<\/strong><\/li>\n<li><strong>Enable full-disk encryption on BYOD devices.<\/strong><\/li>\n<li><strong>Use a VPN on devices when working from untrusted Wi-Fi.<\/strong><\/li>\n<li><strong>BYOD-approved devices should run company-approved antivirus software and receive operating system and application updates promptly.<\/strong><\/li>\n<li><strong>Only download applications from major app stores or directly from the manufacturer\u2019s website.<\/strong><\/li>\n<\/ul>\n<p><strong>Conclusion and Recommendations<\/strong><\/p>\n<p>Employees play a crucial role in successful business operations. An untrained and negligent workforce can put an enterprise at risk of multiple data breaches. 
Therefore, organizations must adopt a viable security training program that covers the essential guidelines needed to prevent cyber incidents.<\/p>\n<p>An organization should also hold regular (for example monthly) training sessions, send frequent reminders, train all new personnel on the policies as they join, make training material readily available and offer creative incentives that reward employees for being proactive about the security of the organization.<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[25],"tags":[],"class_list":["post-2458","post","type-post","status-publish","format-standard","hentry","category-uncategorized","infinite-scroll-item","no-featured-image-padding"],"acf":[],"_links":{"self":[{"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/posts\/2458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/comments?post=2458"}],"version-history":[{"count":2,"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/posts\/2458\/revisions"}],"predecessor-version":[{"id":2462,"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/posts\/2458\/revisions\/2462"}],"wp:attachment":[{"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/media?parent=2458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/categories?post=2458"},{"t
axonomy":"post_tag","embeddable":true,"href":"https:\/\/esi.edu.sa\/en\/wp-json\/wp\/v2\/tags?post=2458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
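The spoofed-domain check from the Safe Internet Habits section (yahooo.com instead of yahoo.com), as an added Python example that is not part of the original article: it classifies the hostname of a link as trusted, lookalike or unrelated, and goes beyond the article's single typosquat case to also catch homoglyph substitutions (digits and Cyrillic letters that look like Latin ones, including punycode-encoded IDN labels), a trusted name buried in the subdomain part (yahoo.com.login-verify.test) and single-typo or transposition variants. The trusted-domain list, the confusable table, the public-suffix subset and the sample URLs are constructed assumptions for the demo.

```python
"""
Added example (not from the original article): a small lookalike-domain checker
that an awareness program could use to illustrate spoofed domains such as
yahooo.com instead of yahoo.com. The trusted-domain list, the confusable table,
the public-suffix subset and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Domains the (hypothetical) organization treats as legitimate.
TRUSTED_DOMAINS = ("yahoo.com", "google.com", "esi.edu.sa")

# Small subset of public suffixes made of two labels, so that esi.edu.sa is
# treated as one registrable domain rather than edu.sa. A real deployment
# should use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"edu.sa", "com.sa", "co.uk", "com.au"}

# Characters that look like ASCII letters at a glance (digits and a few
# Cyrillic letters). A real deployment would use the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",  # Cyrillic r, s, i
})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap two
    adjacent characters, each counting as one edit (so googel.com is one edit
    from google.com, not two as with plain Levenshtein distance)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and decode punycode (xn--) labels so that
    an IDN homograph is compared in the form the user actually sees."""
    host = host.strip().lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare the name as given
    return host


def registrable_domain(host: str) -> str:
    """The part of the name a registrant controls: the last two labels, or three
    when the last two form a known two-label public suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a hostname."""
    host = normalize_host(host)
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    folded = reg.translate(CONFUSABLES)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a subdomain of an attacker-controlled domain,
        # e.g. yahoo.com.login-verify.test
        if ("." + trusted + ".") in ("." + host + "."):
            return "lookalike"
        # Homoglyph substitution, or one typo/transposition away from the
        # trusted name. A threshold of 1 keeps genuine neighbours such as
        # other edu.sa institutions from being flagged.
        if osa_distance(folded, trusted) <= 1:
            return "lookalike"
    return "unrelated"


def classify_url(url: str) -> str:
    """Classify the hostname of a URL; a bare hostname without a scheme works too."""
    parts = urlsplit(url if "://" in url else "//" + url)
    if not parts.hostname:
        return "invalid"
    return classify_host(parts.hostname)


if __name__ == "__main__":
    # Constructed sample links of the kind that appear in phishing emails.
    for sample in ("https://www.yahoo.com/mail", "http://yahooo.com/login",
                   "https://yaho0.com", "https://yahoo.com.login-verify.test/",
                   "https://googel.com", "https://esl.edu.sa", "https://abc.edu.sa"):
        print(f"{classify_url(sample):10} {sample}")
```

Run it directly to see the classification of each sample link. The single-edit threshold and the hand-written confusable and suffix tables are deliberate simplifications for a training demonstration; a production filter would use the Public Suffix List, the Unicode confusables data and a full mixed-script check.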