All information system users in an organization need Security Awareness Training. It should be provided to every new user, whenever an information system changes, and periodically thereafter.
- Your organization most likely has some sort of new hire orientation. This is a great opportunity for IT to communicate with new users on the importance of information security. Topics to discuss should include:
  - Locking your computer when leaving it unattended
  - Good password habits
  - Phishing awareness
  - Warning signs for malware and viruses
  - How to report an incident
- It is important to notify and train employees who are affected by changes or updates to information systems.
  - Many vendors have resources to help you with training. Some vendors provide learning materials such as videos, information sheets, and webinars. Others offer the option of sending a representative onsite to walk employees through the system.
  - Training is also needed when password requirements within an information system change. Users will need to know lockout times, password reuse enforcement, whether multi-factor authentication is being implemented, etc.
- Security Awareness Training refreshers are suggested on an annual basis. This refresher training should include:
  - Topics covered in the new hire orientation
  - Updates on recent malware, virus, and phishing methods
  - Password best practices
  - Any other items as they pertain to your organization and information systems
- There are things you can do on a regular basis to keep employees aware of good security practices:
  - Send email notifications of trending phishing or malware threats
  - Display posters to remind users of important best practices or security alerts
  - Use logon screen messages for important reminders and alerts
Security Awareness Training is one of the most effective methods of protecting your environment, so making it a priority is a great step towards a more secure organization!