Information security will always be a journey; it will never be a single end goal. It is constantly evolving, and your team needs to know this. No matter what threats may come in the future, there will always be three separate information security areas to look at:
- Confidentiality: Information should only be given to those who need it. Giving information to people who do not need it increases the chance that it will be compromised.
- Integrity: While information is being stored or transported, it must not be altered or corrupted. Steps must be taken to make sure this does not happen, whether deliberately or accidentally.
- Availability: Those who need the information must be able to access it. Not only that: they must be able to access it easily.
The best information security technology available cannot help you if your employees do not understand and take these three points seriously. That requires proper training, backed by proper policies and practices.
"Information security is a part of EVERY employee's responsibility", Heather Roszkowski, #CISO Univ of VT Health Network
— HIMSS New England (@NewEnglandHIMSS) April 11, 2017
Below, you are going to see a rough outline for an information security course. I will cover the topics in the same order you should present them to your employees. In short, I’m going to teach you the same way you should teach them.
What to include in your information security course
There are five basic threats which you need to educate your employees on. Those five threats include:
- Malware: In practice, this is any malicious software that is downloaded onto a computer.
- Trojan attacks: A trojan is a program which seems legitimate but is actually a front for a hacking program. It typically performs its actions in the background of a system.
- Social engineering: Social engineering is usually an aspect of trojans. It is the act of manipulating people’s perception of a program so that they install or download it.
- Viruses: These malicious programs harm systems and can alter how the network functions.
- Phishing attacks: This is when hackers disguise themselves as a trusted source and seek to obtain personal information, such as a hacker posing as the CEO and asking for login details.
These five key areas must be covered extensively. They form the cornerstone of any good information security course as they also form the cornerstone of any hacker’s arsenal.
Any information security course that does not cover password construction is not doing its job. Cracking passwords can be remarkably easy with a very simple password cracking tool. These tools simply guess passwords thousands of times per second until they hit the correct one.
If your employees choose easy-to-guess passwords, your company’s information will be compromised. All of the information security technologies in the world cannot protect you from your employees making a bad decision. Good password practice looks like this:
- Passwords are long sentences or phrases. They don’t have to be single words.
- Employees do not have to remember a wide variety of them. They can use one very strong master password with a password management tool.
- The more varied the password is (mixing letters, numbers, uppercase, and lowercase), the better.
- Using the same password more than once is always a risky proposition. If hackers steal that one password, they will have access to multiple accounts rather than one.
- Employees must never, under any circumstances, give their password away to anyone. If a coworker forgets their password, the employee should not hand over any login information to that coworker.
Poor password choices have led to many information security breaches. Make sure that one of your employees is not a weak link in this regard. The last point is to make sure that they do not write their passwords down on a post-it note at their workstation.
— LastPass (@LastPass) May 17, 2016
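To make the points about guessing speed and password choice concrete, here is an added example in Python (not code from the original article) that scores a candidate password against the rules above and estimates how long a tool guessing at the "thousands of guesses per second" the article mentions would need to exhaust the search space. The guess rate, the 16-character minimum and the short weak-password list are assumptions chosen for illustration.

```python
import math
import string

# Assumed guess rate, matching the article's "thousands of guesses per second".
GUESSES_PER_SECOND = 10_000
# Assumed minimum length for a "long sentence or phrase".
MIN_LENGTH = 16
# Constructed stand-in for a real breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Character classes an attacker must include in the search once the password uses them.
CLASSES = [
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c == " " or c in string.punctuation, len(string.punctuation) + 1),
]

def classes_used(password: str) -> list[int]:
    """Sizes of the character classes that actually appear in the password."""
    return [size for pred, size in CLASSES if any(pred(c) for c in password)]

def seconds_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for a brute-force tool to try every string of this
    length drawn from the classes the password uses (charset ** length / rate)."""
    return sum(classes_used(password)) ** len(password) / rate

def check_password(password: str, previously_used: set = frozenset()) -> list[str]:
    """Return the article's rules that the password breaks; empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: use a long sentence or phrase")
    if len(classes_used(password)) < 3:
        problems.append("low variety: mix letters, numbers, upper and lowercase")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common: appears on a well-known password list")
    if password in previously_used:
        problems.append("reused: every account needs its own password")
    return problems

if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a long phrase.
    for candidate in ["P@ssw0rd!", "My dog Rex ate 3 socks in 2017!"]:
        years = seconds_to_exhaust(candidate) / (365 * 24 * 3600)
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}, "
              f"exhaustive search ~{years:.3g} years")
```

Run as a script to see that the nine-character password, despite its symbols, falls many orders of magnitude short of the plain-language phrase.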
Security procedures and policies to create
This is where you need to really map out what your information security plan is going to look like. Once you have that done, you can then begin teaching it to your employees. Here’s what you need to cover:
- Information handling: Your information needs to be labeled according to how sensitive it is. Your employees also need to know who the intended audience for each piece of information is. You can create different labels for different departments and levels of management. The most sensitive information must be encrypted and password-protected. Once information is no longer of use, it should be discarded.
- Network access: The sharing of user IDs and passwords must be strictly prohibited among employees. In an ideal scenario, the IT team will handle password recovery, and managers do not even need to know the passwords of their employees. This is another opportunity to cover password creation.
- Accessing the network: When your employees are away from the office and trying to reach the network or your assets, they need to know the dangers of using public Wi-Fi. Public networks are a common venue for a number of hacker attacks. Train your employees to connect to the corporate VPN after they join any Wi-Fi network the company does not own and before they access any company-owned asset. The VPN encrypts all of their traffic and so preserves your information security.
- Antivirus policy: You need to make it mandatory for every machine to have antivirus software, and you also need to make it each employee’s responsibility to scan their computer regularly. This includes making sure that all incoming files and software are scanned before being executed. Be sure to make this an important point in your information security course.
- Backup policy: At a minimum, staff should back up their computer once per week. Ongoing projects should be kept in an encrypted cloud environment so that they are continually saved.
- Pirated software: All software installed on your company machines must be properly licensed. Make it a policy that staff members only have properly licensed software on their work machines.
- Internet usage: Make sure your employees know that your IT team is monitoring their online activity. Make sure they know not to visit gambling sites, pornographic websites, or hacker websites, because the IT team will know.
If your employees are viewing porn, up your internet security and give ’em a talking-to, not like it’s a crime. All this media is ridiculous.
— Maria (@Muh_ree_aah) February 16, 2012
- Email usage: Make your employees aware that they should not use their company email to send chain letters, solicitations, political material, religious material, or anything else not directly related to business. If they want to check their personal email during break times, make sure they know they still need to maintain proper antivirus practices.
- Physical security: Your machines must first be protected by being in a locked office. The next level of security is making sure that the machines are secured within a locked cabinet or with a computer cable lock.
- Password protection: All machines and devices must have some sort of password protection screen to prevent unauthorized access to your network.
- Disclosure of information: Have your employees sign a nondisclosure agreement. It underscores the importance of not sharing information.
- Bringing your own device: Tell your employees that all of the above policies still apply to machines which they bring to work. This is about protecting your entire network, not just individual machines.
Each of these 12 points should be covered separately. When designing your information security course, give each point at least one screen in your slideshow or presentation. Be sure to make this accessible for employees to review afterward.
Your employees are critical to information security
You can buy all of the antivirus software in the world. You can hire the most cutting-edge IT team that money can buy. Neither will matter if your lower-level employees don’t understand what they need to do to maintain information security. A proper information security course should lessen these problems and increase the security of your business.
Information security is only as strong as the weakest link. In many cases, that equates to the human element. How strong is your security?
— Bob Larrivee CIP, ECMm, BPMm (@BobLarrivee) July 19, 2011