User Awareness Training: Building a Strong Cyber Security Foundation in the Workplace
A strong cyber security foundation is a must for any business, whatever its size, if it is to survive in this digital age. Experience with firewalls, virtual private networks (VPN), endpoint, cloud and application security has shown that technological controls are not enough on their own: a user who is deceived into clicking a link, opening an attachment or handing over credentials can bypass all of them. To build a much stronger cyber security foundation in the workplace, user awareness training is essential.
What is User Security Awareness Training?
User security awareness training is the process of educating employees on the cyber security landscape, the threats they will be exposed to and how to deal with them, through a variety of teaching methods. Its aim is to give staff the knowledge they need to recognise and respond to cyber threats and attacks. This, in turn, reduces the organisation's attack surface and mitigates risk by building a strong security awareness culture. For this to happen, all employees at every level of the organisation must be involved and receive the training, as no one is immune.
What Are Some of the Key Areas to Consider?
There are many topics that can be considered when preparing cyber security awareness training. Here are some of the most relevant:
1. Working Remotely and Security at Home
The COVID-19 pandemic and the lockdowns introduced to deal with it brought about a sharp increase in working from home. With remote work unlikely to go away after the pandemic, it is very important that organisations include working remotely and security at home as an area of focus in their user awareness training. The cyber security landscape, traditionally limited to the workplace, has shifted into people's homes, so staff need to be educated on how to protect themselves and the business while working remotely (for example, securing the home router and Wi-Fi, keeping work and personal devices separate, and using the company VPN). Cloud security must also be emphasised, as most businesses now rely on the cloud and employees will access cloud resources while working remotely, making its security of paramount importance.
2. Social Engineering and Phishing
It is important to have user training and awareness that covers social engineering and phishing attacks. Malicious actors often use social engineering and phishing to gain the trust of victims in order to obtain valuable personal information, or information about the organisation that could have devastating effects if it falls into the wrong hands. Training should cover the most common social engineering and phishing attacks (including phone, SMS and in-person pretexting, not only email), how to identify them and what action to take when employees encounter them.
3. Internet and Email Use
It is vital for user security awareness training to focus on responsible internet and email usage. Employees need to be aware of the risks and threats associated with using the internet and how best to deal with them. Employees must be taught to treat unexpected emails with suspicion even when they appear to come from a known sender, how to check that the sending address really belongs to the claimed sender, how to spot odd-looking emails (urgency, unusual requests, poor spelling), and how to identify malicious links. In particular, the text shown for a link can differ from the address it actually points to, so employees should hover over links before clicking and look for lookalike domains, raw IP addresses and unexpected destinations.
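The link checks described above can be automated, for instance in a mail gateway or a "report phishing" triage tool. The following is an added example written for this article, not tooling from EY or from the original text; it assumes a hypothetical corporate domain of example.com and uses a constructed sample email body. It extracts every link from an HTML email, then flags the indicators a trained employee is told to look for: displayed text that names one domain while the link goes to another, lookalikes of the company domain, punycode (internationalised) hosts, raw IP address hosts and credentials embedded in the URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: the organisation's own domain(s).
TRUSTED_DOMAINS = {"example.com"}

# Matches visible link text that looks like a URL or bare domain.
_DOMAINISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL, or '' if it has none / cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _registrable(host):
    # Crude approximation (last two labels); enough for example.com-style domains.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def link_indicators(href, text):
    """Return the list of reasons a link deserves suspicion (empty = none found)."""
    reasons = []
    host = _host(href)
    if not host:
        return reasons  # mailto:, relative or unparsable links are not judged here

    # 1. Visible text names a domain that differs from the real destination.
    if _DOMAINISH.match(text):
        shown = _host(text if "://" in text else "http://" + text)
        if shown and _registrable(shown) != _registrable(host):
            reasons.append(f"displayed {shown} but goes to {host}")

    # 2. Punycode label: an internationalised name that may mimic a Latin one.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host")

    # 3. Raw IPv4 address instead of a name.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address host")

    # 4. user@host trick: the part before '@' is ignored by the browser.
    if "@" in urlsplit(href).netloc:
        reasons.append("credentials in URL")

    # 5. Company domain embedded in a host we do not own (example-com.evil.net).
    squashed = host.replace("-", "").replace(".", "")
    for trusted in TRUSTED_DOMAINS:
        if host != trusted and not host.endswith("." + trusted) \
                and trusted.replace(".", "") in squashed:
            reasons.append(f"lookalike of {trusted}")
    return reasons


def scan_email_html(html):
    """Return [(href, visible_text, reasons)] for every link in an email body."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, link_indicators(href, text)) for href, text in parser.links]


# Constructed sample email body (not a real message).
SAMPLE = """
<p>Your account will be suspended. Please
   <a href="http://login.example-com.attacker.net/verify">verify now</a>.</p>
<p>Or visit <a href="http://198.51.100.23/x">https://example.com/account</a> directly.</p>
<p>Help: <a href="https://help.example.com/faq">help.example.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email_html(SAMPLE):
        print(f"{text!r} -> {href}: {', '.join(reasons) or 'no indicators'}")
```

The third link passes because the displayed text and the destination agree and the host is a subdomain of the trusted domain; the first two trip exactly the indicators the training teaches. A production check would add a full public-suffix list and confusable-character (homoglyph) matching, which this example omits.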
4. Authentication and Passwords
User security awareness training must also educate employees on the use of strong passwords that are easy to remember but hard to guess, for example long passphrases made of several unrelated words. It needs to teach employees how to come up with such passwords, and to recognise common bad habits: reusing a password across accounts, using guessable patterns such as a word followed by a year, keyboard walks ("qwerty123"), and simple character substitutions ("P@ssw0rd") that attackers' wordlists already include. Focus must also be put on common password attacks (phishing, credential stuffing and brute force) and how they can be avoided, and on the use of multi-factor authentication and password managers.
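Below is an added example, not part of the original article, showing how the bad habits listed above can be checked automatically when a password is set, and how reuse of a previous password can be detected without keeping the old password in clear text. The common-password list and the substitution table are constructed for the example; a real deployment would use a full breached-password corpus. Passwords are compared to history via salted PBKDF2 hashes so the stored history is not itself a password list.

```python
import hashlib
import hmac
import os
import re

# Constructed, deliberately tiny list; use a full breached-password corpus in practice.
COMMON = {"password", "password1", "welcome1", "letmein", "qwerty123",
          "admin123", "summer2023", "changeme"}

# Undo the usual "l33t" substitutions so P@ssw0rd is judged as password.
_LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "3": "e",
                       "0": "o", "1": "l", "!": "i", "|": "l"})

KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "12345", "09876")
PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your hardware


def normalize(pw):
    return pw.lower().translate(_LEET)


def weaknesses(pw):
    """Return a list of bad-habit findings; an empty list means none detected."""
    found = []
    lowered = pw.lower()
    base = re.sub(r"[\d\W_]+$", "", pw)  # strip trailing digits/punctuation first
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    if normalize(pw) in COMMON or normalize(base) in COMMON:
        found.append("based on a common password (after undoing substitutions)")
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        found.append("contains a keyboard walk")
    if re.search(r"(19|20)\d\d", pw):
        found.append("contains a year")
    if re.search(r"(.)\1\1", pw):
        found.append("repeats the same character three or more times")
    return found


def remember(history, pw):
    """Append a salted PBKDF2 hash of pw to the user's password history."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    history.append((salt, digest))


def reused(history, pw):
    """True if pw matches any previously remembered password (constant-time compare)."""
    for salt, digest in history:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(history, pw):
    """Combined check a password-change form would run."""
    problems = weaknesses(pw)
    if reused(history, pw):
        problems.append("already used before")
    return problems


if __name__ == "__main__":
    hist = []
    remember(hist, "Summer2023!!!")
    for candidate in ("P@ssw0rd1!", "Summer2023!!!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(hist, candidate) or 'ok'}")
```

The passphrase passes every rule while the two "complex-looking" passwords fail several, which is the point worth making in training. Note that exact-hash history cannot catch "Summer2023" being changed to "Summer2024"; catching that requires comparing against the normalised base of the old password, which in turn means storing a weaker derived value, a trade-off to decide deliberately.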
5. Physical Security
Physical security is one topic that must be covered during user security awareness training. It is vital for employees to understand that sensitive physical documents must always be secured, that belongings must not be left unattended, and that laptops must be physically secured and locked or shut down every time they leave their workstations, even for a few seconds. Identity cards must always be secured, as must removable media that could contain sensitive company information.
6. Social Media Use
It is also vital that user security awareness training covers safe social media use. Employees often give out a lot of information on social media (job titles, colleagues' names, internal systems, travel plans) that can be used to craft a convincing attack. Employees must be educated on how to stay safe online, what information not to share on social media, and how to use the privacy settings provided by the different platforms effectively.
7. Mobile Device Security
Ongoing advances in technology have made it possible to work on the go from a mobile device, so user security awareness training must also cover mobile device security. Employees need to know how to protect their mobile devices, both company-owned and personal: keeping them updated, using a screen lock, installing apps only from official stores, and reporting a lost or stolen device immediately.
Some of the Key Methods to Deliver Awareness
• Video lectures
• Presentations
• Posters and newsletters
• Simulations and gamifying learning
• Instructor-led training
With this said, user awareness training must be planned and prepared so that it reaches all employee groups, from the most vulnerable to the least vulnerable. People become complacent over time because of busy schedules, so user awareness training should be an ongoing programme, not a one-off event, to help safeguard the organisation's cyber environment.
Always remember to share cyber security news, incidents and statistics; to carry out social engineering and phishing simulations; and to track and report on training success (for example click rates and reporting rates per department across successive simulations), adjusting the programme based on the results to increase its efficiency and effectiveness.
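The tracking step can be reduced to a small report over the simulation platform's export. The following is an added example written for this article, not an EY tool; the event records are constructed and the thresholds (20% click rate, 50% report rate) are assumptions to be tuned per organisation. It computes per-department click and report rates and median time to report for one campaign, lists the departments that need targeted retraining, and shows the change in click rate between two campaigns, which is the figure to use when judging whether training is working.

```python
from collections import defaultdict
from statistics import median

# Constructed simulation telemetry (not real data): one record per user per campaign.
# (campaign, user, department, clicked, reported, minutes_to_report or None)
EVENTS = [
    ("2023-Q1", "u1", "Finance", True,  False, None),
    ("2023-Q1", "u2", "Finance", True,  True,  40),
    ("2023-Q1", "u3", "Finance", False, True,  5),
    ("2023-Q1", "u4", "IT",      False, True,  2),
    ("2023-Q1", "u5", "IT",      False, False, None),
    ("2023-Q2", "u1", "Finance", False, True,  12),
    ("2023-Q2", "u2", "Finance", False, True,  8),
    ("2023-Q2", "u3", "Finance", True,  False, None),
    ("2023-Q2", "u4", "IT",      False, True,  3),
    ("2023-Q2", "u5", "IT",      False, True,  20),
]


def campaign_report(events, campaign):
    """Per-department metrics for one campaign."""
    tally = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "minutes": []})
    for c, _user, dept, clicked, reported, minutes in events:
        if c != campaign:
            continue
        d = tally[dept]
        d["sent"] += 1
        d["clicked"] += int(clicked)
        d["reported"] += int(reported)
        if reported and minutes is not None:
            d["minutes"].append(minutes)
    report = {}
    for dept, d in tally.items():
        report[dept] = {
            "sent": d["sent"],
            "click_rate": d["clicked"] / d["sent"],
            "report_rate": d["reported"] / d["sent"],
            "median_minutes_to_report": median(d["minutes"]) if d["minutes"] else None,
        }
    return report


def needs_retraining(report, max_click_rate=0.2, min_report_rate=0.5):
    """Departments whose results breach either threshold (assumed values)."""
    return sorted(dept for dept, m in report.items()
                  if m["click_rate"] > max_click_rate or m["report_rate"] < min_report_rate)


def click_rate_trend(events, earlier, later):
    """Change in click rate per department between two campaigns (negative = improving)."""
    before, after = campaign_report(events, earlier), campaign_report(events, later)
    return {dept: after[dept]["click_rate"] - before[dept]["click_rate"]
            for dept in before if dept in after}


if __name__ == "__main__":
    for campaign in ("2023-Q1", "2023-Q2"):
        rep = campaign_report(EVENTS, campaign)
        print(campaign, {d: round(m["click_rate"], 2) for d, m in rep.items()},
              "retrain:", needs_retraining(rep))
    print("trend:", {d: round(v, 2) for d, v in click_rate_trend(EVENTS, "2023-Q1", "2023-Q2").items()})
```

Report rate matters as much as click rate: a department that clicks rarely but never reports gives the security team no early warning when a real phishing email lands, so it is flagged even with a low click rate.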
To find out more contact Nigel Chasiya, Cybersecurity Consultant on: Email: nigel.chasiya@zw.ey.com or eymarketing@zw.ey.com
Address: Angwa City Building, Corner Julius Nyerere Way/ Kwame Nkrumah Avenue. P O Box 62, Harare, Zimbabwe.
Tel: +263 4 750905/ 750979
This article was compiled by EY as a source of general information and notification and should not be construed as a formal professional/legal opinion. Although reasonable skill and care is taken when providing information, EY offers no warranties or representations as to the information's accuracy. The information provided is not intended to replace the need for an expert/legal opinion on the interpretation, application and consequences of the relevant legal, technical or regulatory provisions. EY does not accept responsibility for any loss or damage you or any third party may suffer as a result of utilising the information provided.