Earlier this week we discussed the importance of focusing your awareness training on a few, high-impact topics and then identified what we consider the top nine within the SANS Securing The Human library. Today we discuss the third and last set of three of those topics and why our Advisory Board selected them.
Passwords: Let's be honest, passwords are a complicated, broken concept. Unfortunately, passwords still remain the primary way people authenticate to most systems and online sites. As such, we have to teach people how to best protect themselves when using passwords. One of the key mistakes we see with password training is organizations focusing only on password length/complexity. While that is important, we are finding it more important to teach how to properly USE passwords: using a unique password for each account, never sharing your passwords, using two-step verification when possible, and using a password manager. This is one of the toughest topics to teach, as you have to balance the goals of being comprehensive and simple at the same time.
Data Security: This is the catch-all topic that addresses the steps in protecting data. Steps such as sharing data only with authorized users, storing or transferring confidential data using only secure means (including encryption), and securely destroying data that is no longer needed. Almost every organization has some type of confidential data that needs to be protected, including PHI, PII, NPI, student data, cardholder data or organizational intellectual property. As such, you need to lay the foundation on how to handle and protect that data.
Hacked: Security awareness needs to go beyond just the human firewall; we need to develop the human sensor, people who can identify and report indicators of compromise. That is precisely what this topic does. It teaches people the indicators of a hacked device and how to report it. In addition, we need to make sure people feel comfortable reporting the incident. In many ways, using technology is like driving a car: no matter how safe you are, sooner or later you most likely will have an incident. The more comfortable people feel reporting an incident, the more secure your organization will become.