Security awareness training can go a long way in arming your organization against intruders. For those who want to make sure they hit the right points, we've put together this quick-hit employee education checklist. Please feel free to tailor the bullets to what your organization needs, and for a more in-depth rundown, consider reading "Security Training 101: Employee Education Essentials."
Secure Identities
Use long, complex passwords that are unique and impossible to guess.
Never reuse passwords.
Utilize a password manager.
Enable MFA wherever possible.
For password changes, always navigate to the actual website. Unless it's a password reset email you initiated, treat an email asking you to change your password as a red flag.
Secure Work Devices
Only do work on your work system.
Make sure it's always up-to-date with the latest system updates and patches.
[Insert Policy Here] is required on all work devices (e.g., antivirus, full disk encryption, system screen lock, disabled guest accounts, etc.).
You are responsible for your devices, so always be thinking about how to keep them safe. Always know where your devices are and who could have access to them.
Contact [insert name/contact info] immediately if you notice your device is missing.
Lock your laptop whenever you walk away from it.
MFA must be enabled on all laptops where possible.
Never use a USB drive that wasn't purchased by you or the company, and never use one that was given to you by someone outside of the company. If you happen to find a USB drive on the street or in a coffee shop, throw it away.
Store all work devices in a safe place 24/7, either under watch or securely locked.
Secure Data
Don't store company data on non-company drives or websites.
Be careful where you store sensitive data, and be mindful of what kinds of permissions are set for each folder and file. When possible, grant access on an individual basis.
Make sure all data is backed up in the appropriate place.
Encrypt data when it makes sense, or place that data in files and folders with very strict permissions.
Don't consider email a secure medium of communication. Refrain from sending attachments or sensitive information you wouldn't want publicized.
When you are in a public area, be cautious of logging into something and make sure nobody is peering over your shoulder as you do.
Secure Email
MFA is required for email.
Email is at the center of the organization's authentication space, so it's imperative you don't lose control over it. If you think you have lost control over your email, contact [insert name/email address] right away.
Do not click on links in emails. When possible, manually navigate to the site to complete any action the email is requesting.
Don't assume an email is from who it claims to be.
Don't open attachments from emails you're not expecting, and stick to sharing files via [insert name of designated file sharing software, e.g., Google Drive, Office 365, etc.].
Secure Browsers
Use Chrome.
Don't add plugins without a true business need.
Stay away from websites that use HTTP rather than HTTPS, but don't rely solely on the green lock to decide whether you are safe. Take five seconds to double-check the rest of the URL.
Secure Phones
Phones must be protected with a password or a PIN, and ideally your phone should be wiped after a certain number of incorrect login attempts.
Remote wipe should be enabled on your phone. After all, if email is on your phone, a lot of damage can be done if it gets lost or stolen and broken into.
Keep your phone up-to-date with the latest security patches.
Secure the Office
We have the following for office security:
[cameras, guards, etc.]
No tailgating (strangers sneaking in as the door closes).
Erase content on whiteboards when you're done.
When you notice an unfamiliar person in the office, feel free to question them and find out what they need. If necessary, have them wait in a designated visitor area.
Secure Intellectual Property
Anything you develop for the company belongs to the company.
Don鈥檛 download or save intellectual property on personal drives.
Don鈥檛 discuss intellectual property with anyone outside of the company.
Secure WiFi
Avoid using public WiFi altogether if possible.
When you absolutely need to use public WiFi, use a virtual private network (VPN).
Connect mobile devices only to [insert name of network].
Only connect work systems to [insert name of network].
Secure Interactions with the Public
Always know who you are talking to.
Be wary of interactions that are not initiated by you, and never give out information in these situations. If it's legitimate, they should already have everything they need.
You will be targeted because of your connection with the company. If you ever have an interaction with someone where you feel pressured to give an answer right away, the answer is no.
Don't share private information with the public.
Watch out for malicious links in social networking communication.
Be careful about what information you post on social networks. In particular, post pictures of a company event or a vacation only after it's over.
What to Do If There's a Problem
Contact [insert name/contact info] right away.
Security training is every [insert recurring time frame here, e.g., quarterly, semi-annually, etc.], and it is mandatory.
It's crucial that you involve the security team when there is a problem. You won't get in trouble if you make a mistake or a bad decision; however, you will be in trouble if you don't tell anybody about it.
By covering these talking points, your employees will be prepared to do their part in protecting your organization. Coupled with the right security tools in place, you'll have a solid start to building a strong security foundation. Feel free to adjust these bullet points to better match your company and organization. Hopefully this checklist is a good starting point for you to customize to your needs.
Keep in mind that security training shouldn't just be about the dos and don'ts. Make sure to contextualize these points and show your employees how they can apply them as they go about their jobs every day. For real-life stories that demonstrate the importance of the items on this checklist, see "Security Training 101: Employee Education Essentials."