Good day to all Global Team Members.
As part of this month’s Continuing Privacy and Security Training (“CPST”), the Compliance Team wants to present on Security Awareness Training.
What Is Security Awareness Training?
Cyber Security awareness is essentially a mindset. It’s how we think and what we do. It’s our attitude toward security, privacy, and threats at work and at home. And it’s a skill, something we can learn and improve on over time.
Cyber Security awareness is an ongoing process that starts with training employees about basic security principles and threats, then continues with practical security awareness education and exercises.
The goal of cyber security awareness for employees is to create an environment where people feel empowered to be active participants in their own security rather than helpless victims of cybercrime.
Here are a few essential Cyber Security Awareness Training topics:
- Email scams
Phishing attacks are the most common method that cybercriminals use to gain access to an organization’s network. They take advantage of human nature to trick their target into falling for the scam by offering some incentive (free stuff, a business opportunity and so on) or creating a sense of urgency.
Phishing awareness should be a component of any organization’s security training program. This should include examples of common and relevant phishing emails and tips for identifying attempted attacks, including:
- Do not trust unsolicited emails
- Do not send any funds to people who request them by email, especially not before checking with leadership.
- Always filter spam.
- Do not click on unknown links in email messages.
- Beware of email attachments. Verify any unsolicited attachment with the alleged sender (via phone or another medium) before opening it.
- Remember that phishing attacks can occur over any medium (including email, SMS, enterprise collaboration platforms and so on).
- Malware
Malware is malicious software that cybercriminals use to steal sensitive data (user credentials, financial information and so on) or cause damage to an organization’s systems (e.g., ransomware and wiper malware). It can be delivered to an organization in a number of different ways, including phishing emails, drive-by downloads and malicious removable media.
- Be suspicious of files in emails, websites and other places.
- Don’t install unauthorized software.
- Contact the IT/security team if you suspect a malware infection.
- Physical security and environmental controls
Security awareness isn’t just about what resides in our company’s computers or handheld devices. Employees should be aware of potential security risks in physical aspects of the workplace, such as:
- Visitors or new hires watching as employees type in passwords (known as “shoulder surfing”)
- Letting in visitors claiming to be inspectors, exterminators or other uncommon guests who might be looking to get into the system (called “impersonation”)
- Allowing someone to follow you through a door into a restricted area (called “tailgating”)
- Leaving passwords on pieces of paper on one’s desk
- Leaving one’s computer on and not password-protected when leaving work for the night
- Physical security controls (doors, locks and so on) malfunctioning
- Password security
Passwords are the most common and easiest-to-use authentication system in existence. Most employees have dozens of online accounts that are accessed by providing a username (often their email address) and a password.
Poor password security is one of the biggest threats to modern enterprise security. Some important password security tips to include in training content:
- Always use a unique password for each online account.
- Passwords should be randomly generated.
- Passwords should contain a mix of letters, numbers and symbols.
- Use a password manager to generate and store strong passwords for each account.
- Use multi-factor authentication (MFA) when available to reduce the impact of a compromised password.
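The password tips above are what a password manager does for you. As an added illustration that is not part of the original training memo, the following Python snippet generates passwords from the operating system's cryptographic random source, checks the letters/numbers/symbols mix, reports strength in bits, and spots a password reused across accounts. The small vault dictionary in the demo is constructed for the example.

```python
"""Added example, not part of the original memo: generate a random password the
way a password manager does and measure it. The vault below is constructed."""
import math
import secrets
import string

# Characters a manager typically draws from: letters, digits and symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_mix(password):
    """True when the password contains at least one letter, digit and symbol."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length=20):
    """Draw every character from the CSPRNG (secrets, never random) and redraw
    on the rare miss of a character class, so positions stay unbiased."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_mix(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a uniformly random password: length * log2(|alphabet|).
    20 characters from 94 symbols is about 131 bits; an 8-digit PIN is about 27."""
    return length * math.log2(len(alphabet))


def find_reuse(vault):
    """Map each password used for more than one account to those accounts,
    the check a manager runs to enforce 'one unique password per account'."""
    accounts_by_password = {}
    for account, password in vault.items():
        accounts_by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in accounts_by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw!r}  mix ok: {has_mix(pw)}  strength: {entropy_bits(len(pw)):.0f} bits")
    # Constructed vault showing one password shared by two accounts.
    demo_vault = {"mail": "correct-horse", "bank": generate_password(), "hr-portal": "correct-horse"}
    print("reused:", find_reuse(demo_vault))
```

`secrets` is the right module here; `random` is seeded predictably and is not suitable for anything that must resist guessing. The redraw loop keeps the distribution uniform, unlike schemes that force one symbol into a fixed position.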
- Removable media
Removable media (such as USB drives, CDs and so on) are a useful tool for cybercriminals since they enable malware to bypass an organization’s network-based security defenses. Malware can be installed on the media and configured to execute automatically with Autorun, or given an enticing filename to trick employees into clicking. Malicious removable media can steal data, install ransomware or even destroy the computer they’re inserted into.
Malicious removable media can be distributed by being dropped in parking lots and common areas or being handed out at conferences and other public events. We should manage untrusted removable media:
- Never plug removable media into a computer that has access to PHI/ePHI.
- Bring all untrusted removable media to IT/security for scanning.
- Disable autorun on all computers.
- Safe internet habits
Every employee has access to the internet. For this reason, the secure usage of the internet is of paramount importance for us.
Security training programs will incorporate safe internet habits that prevent attackers from penetrating our corporate network. Some important content to include in training:
- The ability to recognize suspicious and spoofed domains (like gooogel.com instead of google.com)
- The differences between HTTP and HTTPS and how to identify an insecure connection.
- The dangers of downloading untrusted or suspicious software off the internet.
- The risks of entering credentials or login information into untrusted or risky websites (including spoofed and phishing pages).
- Watering hole attacks, drive-by downloads and other threats of browsing suspicious sites.
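Recognizing a spoofed domain and an insecure connection can be automated for mail gateways or browser plug-ins. The checker below is an added example, not code from the original memo or from eHealth Technologies: it flags the memo's own example (gooogel.com for google.com) plus the other common tricks, namely character substitutions (g00gle), a swapped top-level domain (google.co) and a brand name buried in the subdomain of an unrelated site, and it reports whether a link uses plaintext HTTP. The trusted-domain list and every sample link ending in .test are constructed for illustration.

```python
"""Added example, not part of the original training memo: flag look-alike
domains and plaintext links. TRUSTED_DOMAINS and the .test links are constructed."""
from urllib.parse import urlsplit

# Constructed allow-list; an organization would load its own approved domains.
TRUSTED_DOMAINS = ["google.com", "microsoft.com", "our-company.test"]

# Substitutions typosquatters rely on, mapped to the characters they imitate.
LOOKALIKE_CHARS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def host_of(url):
    """Lower-cased host of a URL or bare domain (scheme, port and path dropped)."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").lower().strip(".")


def registrable_domain(host):
    """Last two labels of the host, e.g. accounts.google.com -> google.com."""
    return ".".join(host.split(".")[-2:])


def normalize(label):
    """Undo common look-alike substitutions so g00gle and rnicrosoft compare
    as google and microsoft."""
    for fake, real in LOOKALIKE_CHARS.items():
        label = label.replace(fake, real)
    return label


def typo_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute or swap two
    adjacent characters, each costing 1. Swaps matter because typosquats are
    often transpositions (gooogel vs google is one deletion plus one swap)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Describe a link: verdict is 'trusted', 'lookalike' or 'unknown';
    'imitates' names the trusted domain a look-alike resembles; 'https' is
    False for a plaintext link, where anything typed travels unencrypted."""
    host = host_of(url)
    domain = registrable_domain(host)
    result = {"host": host, "domain": domain, "verdict": "unknown",
              "imitates": "", "https": url.lower().startswith("https://")}
    if domain in trusted:
        result["verdict"] = "trusted"
        return result
    name = normalize(domain.split(".")[0])      # second-level label only
    subdomain_labels = host.split(".")[:-2]
    for t in trusted:
        t_name = t.split(".")[0]
        # Brand used as a subdomain of an unrelated site: google.com.<other>.test
        if t_name in subdomain_labels:
            result.update(verdict="lookalike", imitates=t)
            return result
        # Same brand with a swapped TLD (google.co) or a couple of typos (gooogel)
        if name == t_name or typo_distance(name, t_name) <= max_distance:
            result.update(verdict="lookalike", imitates=t)
            return result
    return result


if __name__ == "__main__":
    # Constructed sample links; only gooogel.com comes from the memo itself.
    for link in ["https://accounts.google.com/signin", "http://gooogel.com/login",
                 "https://g00gle.test", "http://google.com.lookalike.test/",
                 "rnicrosoft.test", "https://example.org"]:
        r = classify(link)
        print(f"{link:38} {r['verdict']:9} {r['imitates']:14} https={r['https']}")
```

A distance of 2 catches single typos and swaps without flagging every short unrelated name; tune `max_distance` and the allow-list to your own brands, and treat an `unknown` verdict as "not on the list", not as safe.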
- Shadow IT
Shadow IT refers to employees using technology without approval from organizational management.
There are many plug-ins, widgets, and other helper tools that “ethically” snoop on us. Take for example a grammar checker – in order to fix our grammar it needs to see everything we type. Some of these tools behave like keyloggers that send everything we type to the cloud. Your team may be sending very sensitive data to a third party, which is not only a security risk but also a compliance risk.
- Public Wi-Fi
Using public Wi-Fi means sharing the same network with strangers, and it’s easier for someone to get hold of our organization’s information if they have access to the same network as you. This has been a popular topic for many years. These days, with so many people working from home, working at coffee shops, and traveling, it’s even more relevant.
- Clean desk policy
Sensitive information on a desk such as sticky notes, papers and printouts can easily be taken by thieving hands and seen by prying eyes. A clean desk policy should state that information visible on a desk should be limited to what is currently necessary. Before leaving the workspace for any reason, all sensitive and confidential information should be securely stored.
- Data management and privacy
Our organization collects, stores and processes a great deal of sensitive information. This includes customer data, employee records, business strategies and other data important to the proper operation of the business. If any of this data is publicly exposed or accessible to a competitor or cybercriminal, then the organization may face significant regulatory penalties, damage to customer relationships and a loss of competitive advantage.
Employees within an organization need to be trained on how to properly manage the business’s sensitive data to protect data security and customer privacy. Important training content includes:
- The business’s data classification strategy and how to identify and protect data at each level.
- Regulatory requirements that could impact an employee’s day-to-day operations.
- Approved storage locations for sensitive data on the enterprise network.
- Use a strong password and MFA for accounts with access to sensitive data.
eHealth Technologies’ Privacy and Security Compliance Team delivers monthly training – everyone should know – Think Before You Click! As always, please let us know if you have any questions on the privacy and security of Covered Information, including PHI, ePHI, and other Confidential Information.
Thank you for Caring Together…
eHealth Technologies’ Compliance Team