Cyber security awareness training: Protecting yourself and your organisation

Last updated on July 20th, 2024

I’ve spent my career advising on, and implementing, information technology at everything from multi-national corporations to small businesses. I’m regularly confronted with the need to step up the knowledge of an organisation (not just the IT department) to protect against cyber attacks.

I know it’s difficult for small businesses in particular to find cost-effective ways to do this. So below is my take on basic cyber security awareness training for your whole organisation. A video will follow if I can get around to it!

Part 1: Understanding Cyber security

1.1 What is Cyber security?

Cyber security refers to the protection of computer systems, networks, and data from electronic forms of attack (“cyber attacks”). It aims to protect our digital assets from theft, damage, or unauthorised access.

1.2 Why is Cyber security so important?

Cyber security is essential because cyber attacks are incredibly common and can result in:

  • Data breaches (data being stolen from the organisation)
  • Severe damage to the organisation’s reputation
  • Financial losses (including direct financial theft, loss of business from damage to our reputation, as well as fines from data breaches of customer data)
  • Loss of critical business data (cyber attacks may destroy critical data to impact the organisation)

1.3 Types of Cyber attack

There are many types of cyber attack, including:

  • Malware: A term formed from the words “malicious software”. Often associated with email attachments or Internet downloads, malware is software designed to do something without the user’s consent. Malware usually aims to cause damage, steal data or provide unauthorised access to a computer system/network. Simply opening an email attachment can be enough to give malware the same access to a computer or network as you have.
  • Ransomware: A type of malware that either blocks access to data or threatens to publish it, unless a ransom (usually a cryptocurrency payment) is made. Ransomware commonly seeks to spread beyond the computer that is initially infected, to affect any data the user has access to, including shared file locations such as department “shared drives”. These attacks can cause significant and long-lasting disruption to an organisation.
  • Social engineering: A family of attack types whereby attackers aim to manipulate employees, or others with privileged access, into sharing, disclosing or providing access to something they should not have. Social engineering can take place through any communication method, including in person (e.g. tailgating at a building entrance).
  • Phishing: Pronounced “fishing”, this is the most common type of social engineering attack. Phishing refers to the use of communication methods (such as email, phone calls, text messages, social media etc.) to manipulate employees and others with privileged access into sharing, disclosing or providing access to something they should not have. Targeted forms of phishing attack are often given other fishing-analogy names (e.g. whaling and spearphishing). These are all types of phishing attack, as are non-targeted forms of phishing such as generic spam emails with malicious links etc.
  • Denial-of-service attacks: A type of attack designed to disrupt access to a service (e.g. a website). Attacks often seek to overload a service with requests to remove any capacity, so normal users are unable to access it.

Part 2: Protecting yourself and your organisation

2.7 Physical Security

Ensure that physical access to your workplace and equipment is restricted.

  • Wherever possible, do not leave your devices unattended in a vehicle. If it is necessary to do so, hide them out of sight.
  • Don’t leave your devices unattended near an open window or in a public space such as a cafe.
  • Report any lost or stolen devices promptly to your IT department.
  • Beware of tailgating at the entrance to buildings. Politely ask those you don’t know to “badge in” if someone tries to tailgate you into a building or secure work area. Equally, ensure you do not tailgate others into secure areas.

2.1 Passwords

Most passwords people create are easy for a hacker to guess. Consider:

  • In general longer passwords are better than highly complex ones (“Greater6pencilMotion” is better, and easier to remember/use than “fs4f2L@N”)
  • Think of a password as a passphrase i.e. not based around a single word. Three random words that form a memorable image is a good approach e.g. flying metal dog. Just be careful this is not a pre-existing phrase (e.g. from a film) as attackers will try these. Consider trying our password/passphrase tool to generate random three word options.
  • Do not reuse passwords from your personal life at work, and avoid family members’ names, pets, and dates of birth. These are obvious choices for an attacker, even with minor changes such as an extra number or symbol added.
  • Never share your password or multi-factor authentication token with anyone else. It is a common approach for attackers to pose as “the IT department” to gather these details.
  • If you must write a password down, consider writing it in a coded form (i.e. a reminder), and do not leave this in an obvious place such as attached to your screen.

Use strong passwords that include a combination of letters, numbers, and symbols. Change your passwords regularly, and never share them with anyone.
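To make the “longer beats complex” comparison in the bullets above concrete, here is an added example (my own illustration, not the passphrase tool mentioned in the post). It scores the two sample passwords from the list by the brute-force search space their length and character classes imply, scores a random-word passphrase by what an attacker who knows the word list must try, and generates a three-word passphrase with the operating system’s cryptographic random source. The word list and denylist of pre-existing phrases are small constructed samples; a real tool would load a list of several thousand words.

```python
import math
import secrets
import string

# Constructed sample word list (a real generator needs thousands of words).
SAMPLE_WORDS = [
    "flying", "metal", "dog", "pencil", "motion", "river", "candle", "orbit",
    "velvet", "lantern", "glacier", "marble", "tiger", "harbour", "cactus", "saddle",
]

# Constructed denylist of pre-existing phrases attackers would try first.
KNOWN_PHRASES = {"may the force", "to be or not"}


def charset_bits(password: str) -> float:
    """Bits of search space for an attacker who knows nothing about the
    password except its length and the character classes it uses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(word_count: int, list_size: int) -> float:
    """Bits of search space for an attacker who knows the word list and the
    number of words: list_size ** word_count guesses. This is the honest
    figure for a random-word passphrase, so the list must be large."""
    return word_count * math.log2(list_size)


def generate_passphrase(words=SAMPLE_WORDS, count=3, denylist=KNOWN_PHRASES):
    """Pick `count` words using `secrets` (a CSPRNG, never `random`) and
    reject any result that matches a known phrase."""
    while True:
        phrase = " ".join(secrets.choice(words) for _ in range(count))
        if phrase not in denylist:
            return phrase


if __name__ == "__main__":
    print("fs4f2L@N:", round(charset_bits("fs4f2L@N"), 1), "bits")  # ~52.4
    print("Greater6pencilMotion:", round(charset_bits("Greater6pencilMotion"), 1), "bits")  # ~119.1
    print("3 words from 7776:", round(wordlist_bits(3, 7776), 1), "bits")  # ~38.8
    print("generated:", generate_passphrase())
```

The two figures for a passphrase differ because they model different attackers; the length-based score holds only while the words are random and the list is one the attacker cannot enumerate cheaply.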

2.2 Email Security

  • Be especially cautious of any email received from outside your organisation, and never click on links or download attachments from unknown sources.
  • Enable spam filters and use two-factor authentication whenever possible. Two-factor authentication is provided with many free home-use email services these days, due to the significant extra protection it offers.
  • Be suspicious of emails (or other communications, such as text messages (SMS)) that demand an urgent action, a change of details, or a financial transaction.

2.3 Software Updates

Keep your software and operating systems up to date to ensure that they have the latest security patches and updates. This includes your smartphone’s software, as well as regularly rebooting your PC to allow security patches to take effect. Be suspicious, however, of prompts to update your software: malicious websites may use this approach to encourage you to download malicious software. Software update messages should come from the existing software installed on your device, not from a website.

It is good practice to reboot your PC weekly, so consider shutting down your PC at the end of each week to build this into your routine. Shutting down your PC allows updates to be installed, and makes your PC unavailable to attackers while you are not using it.

2.4 Mobile Devices

  • Use passcodes or biometric authentication to secure your mobile devices
  • Be cautious of public Wi-Fi networks
  • Never store sensitive information on your mobile devices (e.g. access details for your bank, or a photo of your passport) unless absolutely necessary

2.5 Social Media

Be mindful of the information you share on social media, and adjust your privacy settings to limit who can see your posts.

2.6 Remote Access

If using public Wi-Fi, such as a cafe or hotel Wi-Fi network, remember that your connection may not be secure. Consider using your organisation’s VPN to protect confidential communications.

2.8 Other

  • Delete data when no longer needed. Data is always at risk whilst it exists.
  • Lock your workstation screen (Windows key + L) when walking away from your desk, even in the office.

Part 3: Responding to Cyber Attacks

3.1 Reporting Cyber Incidents

Report any cyber incidents or suspicious activity to your IT department immediately. This will help prevent further damage or data loss.

3.2 Incident Response Plan

Your organisation should have an incident response plan in place that outlines what to do in the event of a cyber attack. Familiarise yourself with this plan and follow it carefully.

3.3 Backup and Recovery

Regularly back up your data and test your backup system to ensure that it is working properly. I recommend the 3-2-1 principle for backups; you can see this explained in a 2-minute video here: https://youtu.be/kU-mwM0tXns.

Conclusion

Cyber awareness is essential to protect yourself and your organisation from cyber threats. By following the best practices outlined in this training, you can help ensure the safety and security of your data and systems. Remember to stay vigilant and report any suspicious activity to your IT department immediately. Cyber security poses a high risk to the organisation, so there is no harm in being cautious.