
What topics should my Security Awareness Training Program cover?

Of course, you want to get your team ready for the real thing!

We get asked this question a lot in various ways:
How do I know my Security Awareness Training is comprehensive?
How do I ensure my Security Awareness Training program meets our needs?

So here is an overview of the critical topics, including the ones called out in NIST frameworks and other regulatory guidance. These topics fit all organizations - large, small, non-profit, government, private, public... all of them!
(To satisfy our very friendly attorneys: the below is not to be taken as legal advice.)

Some critical topics to address in your team's Security Awareness Training program:

Phishing - This is the most common entry point for cybercriminals. It’s so common that you’re betting against the odds if you assume that an attack did not originate from Phishing.

Safe Use of Email - This is related to Phishing. It’s important to ensure your team understands the dangers lurking in email links and attachments from hackers. Additionally, they need to be instructed on secure ways to transmit sensitive data.

Social Engineering - This covers many forms of deception, including Phishing and other cons. It’s important to highlight that hackers can (and do!) use phone calls, voicemails and text messages to piece together an entry point for an attack.

Malware and Ransomware - Your employees need to understand the severe harm caused by these malicious programs, from financial loss to identity theft to the closure of the business.

Password Safety - Your passwords matter! It’s critical to ensure your team knows the dangers of reusing passwords and the value of password managers and multi-factor authentication, when available.

Sensitive Data Risks - Your team should know what constitutes sensitive data, why attackers want it and how to keep it protected in your network. The loss of sensitive data has caused serious problems for many organizations, and has even shut some down.

Personally Identifiable Information (PII) - Your team should be taught what constitutes PII, how to recognize it and how to keep it safe. Loss of PII poses serious risks to employees, partners and customers.

Insider Threats - These attacks can be some of the sneakiest attacks on your organization. Your team should be instructed on the signs of an insider attack and the appropriate reporting procedure.

Physical Data Security - It’s not just the digital data that has value to attackers! Your team should be made aware of the proper handling, storage and transfer of any physical data.

Additional Topics - Depending on your organization's needs, you'll want to consider adding coursework on HIPAA, PCI DSS, GDPR or other industry-specific or regulator-defined topics.

And when you're ready, we're here to help!

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Joel Cahill

Cybersecurity enthusiast. Entrepreneur.