MSP Community Blog
The ASCII Blog highlights articles featuring MSP members from our community as well as ASCII staff
Security awareness training best practices for MSPs
Human error is the root of many IT security catastrophes. Use these security awareness best practices to craft programs that users will actually learn from.
Most breaches, and even ransomware, begin with a simple email. We all know this. But how do we get users to change the risky behaviors they take part in with their technology?
Whether it’s clicking on emails, installing random apps on their phones or simply giving out information freely, users are a major threat to any organization. Obviously, we can’t get rid of the users, so we must train them. Establishing a security awareness training journey is a great place to start.
Begin with a security policy
Your users’ educational journey should start with an IT security policy. This policy will tell users what the expectations are for their behavior and how they use tech. It will also outline how users will be continually trained. Additionally, the policy will tell users that you are making security a priority.
Train the users on the policy itself and have them sign it. Any organization faces real risks of data loss, breaches and ransomware, which all have costs associated with them. Be sure your IT policy states what can happen to your employees if they are not following the policy as per your local, state or federal laws and regulations.
Provide a baseline user education
All employees should then receive a baseline course delivered online. The course should cover the basics, such as how to do the following:
- avoid phishing emails and other types of social engineering cyberattacks;
- spot potential malware behaviors;
- report possible security threats;
- follow company IT policies and best practices; and
- adhere to any applicable data privacy and compliance regulations.
That may seem like a lot, but remember: Security awareness isn’t once and done; it’s continual.
When users complete the initial course, begin testing them on a recurring basis. Send emails designed to fool the user at first glance, delivered a few times a month at random intervals on various and trending topics. They will need to use the skills they learned or else they will be fooled. If they are fooled, be sure to follow up with remedial training based on the type of phishing email sent.
Deliver additional training and testing
In addition to the phishing emails, your security awareness training best practices should include further training. You will want to cover topics that include the following:
- Password security/multifactor authentication
- Removeable devices
- Safe surfing
- Social networking and catfishing
- Physical security
- Clean desk
- Data management
Test users on those topics, as well. When it becomes second nature to a user, the risky behaviors drop off. A mature security posture doesn’t mean you should end the training, however. Your training and testing should evolve along with the different types of threats. Make the training harder as your users get smarter.
About the author: Dawn R. Sizer is the CEO of 3rd Element Consulting, Inc. She has been a member of The ASCII Group since 2018.
Reprinted with permission, courtesy TechTarget.