Information security will always be a journey, there will never be a single end goal. Your information security course will be constantly evolving, and your team needs to know this. No matter what threats may come in the future, there will always be three separate information security areas to look at:
- Confidential: This means that information should only be given to those who need it to minimize compromises.
- Integrity: While information is being stored or transported it must not be altered or corrupted.
- Available: Those who need the information must be able to access it. Not only that, but they must be able to access it easily.
The best information security tech available can’t help if your employees don’t understand and take these three points seriously. This is going to involve proper training, and having proper policies and practices in place. Let’s look at a rough outline for an information security course below.
What to include in your information security course
There are five basic threats which you need to educate your employees on. Those five threats include:
- Malware: In practice, this is any type of software that is downloaded onto the computer and is malicious.
- Trojan attacks: This is a program which seems legitimate but is actually a front for a hacking program. It typically performs its actions in the background of a system.
- Social engineering: Social engineering is usually an aspect of Trojans. It is the act of altering people’s social perception of a program in order for it to be installed or downloaded.
- Viruses: These malicious programs harm systems. They can alter the function of the network.
- Phishing attack: This is when a hacker disguises themself as a trusted source, and seeks to take personal information. Such as a hacker disguising themselves as the CEO and asking for login details.
These five key areas must be covered extensively. They form the cornerstone of any good information security course as they also form the cornerstone of any hacker’s arsenal. Learn a little bit more about phishing attacks:
Any information security course that does not cover password construction is not doing its job. Cracking passwords can be remarkably easy with a very simple password cracking tool. These tools simply guess passwords thousands of times per second until they get the correct one.
If your employees choose very easy to guess passwords your company’s information will be compromised. All of the information security technology in the world cannot protect you from your employees making a bad decision. Good passwords will be:
- Long sentences or phrases, they don’t have to be single words.
- Your employees do not have to remember a wide variety of them, they can use one very strong password with a password management tool.
- The more varied the password is in using letters and numbers and upper and lowercase the better.
- Using the same password more than once is always a risky proposition. If a hacker steals that one password they will have access to multiple accounts rather than one.
- They must never, under any circumstance, give their password away to anyone. If one of their coworkers forgets their password they cannot give away their login information to that employee.
Poor password choices have led to many information security breaches. Make sure that one of your employees is not a weak link in this regard. The last point is to make sure that they do not write their passwords down on a post-it note at their workstation. Here is the video you could possibly show to them:
Security procedures and policies to create
This is where you need to really map out what your information security plan is going to look like. Once you have that done you can then begin teaching it to your employees. Here’s what you need to cover:
- Information handling: Your information needs to be labeled according to how sensitive it is. Your employees also need to know who it’s targeted towards. You can create different labels for different departments and levels of management. The most sensitive information must be encrypted and password-protected. Once information is no longer of use it should be discarded.
- Network access: The sharing of user IDs and passwords must be strictly prohibited amongst employees. In an ideal scenario, the IT team will handle password recovery and managers do not even need to know the passwords for their employees. This is another opportunity to cover password creation.
- Accessing the network: When your employees are away from the office and are trying to access the network, or access your assets, they need to know the dangers of using public Wi-Fi. These are frequently used for a number of hacker attacks. Your employees need to be trained to use a VPN as reliable as IPVanish after they connect to a Wi-Fi that is not owned by the company, and before they access any company-owned assets. This tool will encrypt all of their communications and provide you with information security.
- Antivirus policy: Not only do you need to make it mandatory for every machine to have antivirus software on it, you also need to make it the responsibility of each employee to scan their computer regularly. This includes making sure that all incoming files and software are scanned before being executed. Be sure to make this an important point in your information security course.
- Backup policy: At minimum, staff should back up the computer once per week. Ongoing projects should be done within an encrypted cloud environment so they are continually saved.
- Pirated software: All software installed on your company machines must be properly licensed. Make it a policy that staff members only have properly licensed software on their work machines.
- Internet usage: Make sure your employees know that your IT team is monitoring their online activities. Make sure they know not to go on gambling sites, pornographic websites, or hacker websites as the IT team will know.
- Email usage: Your employees should be made aware of the fact that they should not use their company email to send chain letters, solicitations, political material, religious material, and anything else that is not related directly to business. If they want to check their personal email during their break times, make sure that they know they still need to maintain proper antivirus practices.
- Physical security: Your machines must first be protected by being in a locked office. The next level of security is making sure that the machines are secured within a locked cabinet, or with a computer cable lock.
- Password protection: All machines and devices must have some sort of password protection screen to prevent unauthorized access to your network.
- Disclosure of information: Have your employees sign a nondisclosure agreement. In it, underscore the importance of not sharing information.
- Bringing your own device: Tell your employees that all of the above policies still apply to machines which they bring to work. This is about protecting your entire network, not just individual machines.
Each of these 12 points should be covered separately. When designing your information security course, give them each at least one screen in your slideshow or presentation. Be sure to make this accessible for employees to review afterwards.
Your employees are critical to information security
You can buy all of the antivirus software in the world. You can hire the most cutting edge IT team that money can buy. Neither of these things will matter if your lower-level employees don’t understand what they need to do to maintain information security. A proper information security course should lessen these problems, and increase the security of your business.