Users who have not received appropriate security awareness training are considered a weak link in the security of an enterprise. Exploiting an untrained user is often easier than finding a flaw or vulnerability in the equipment an enterprise uses to secure its network. Attackers can convince unsuspecting users to unintentionally grant access to the enterprise network or expose sensitive information. Proper training should be provided to users in order to decrease the risk of a security incident.

Key Takeaways for Control 14

An enterprise should provide users with frequent security awareness training to increase its overall security posture. The information provided by the security awareness training should be relevant and provide insights into recent security incidents. Training should also reiterate the necessity of using strong passwords, spotting and reporting phishing attacks, as well as properly handling personal information. 

Security awareness training should include frequent phishing tests. Phishing tests allow users to learn from their mistakes and apply their training to spot actual phishing attacks. These tests should be tailored to the different departments within an enterprise, since tailored phishing tests are harder to detect and better demonstrate the value of security awareness training.

Safeguards for Control 14

1. Establish and Maintain a Security Awareness Program

Description: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually or when significant enterprise changes occur that could impact this Safeguard.

Notes: The security function associated with this safeguard is Protect. Success with this control means that every user will have access to regular training to ensure they interact with data in a secure