Employees should be educated on how to spot and report phishing and the dangers of interacting with suspicious links or entering credentials on a spoofed page. Phishing extends beyond the traditional Nigerian prince email scam. Overviews should cover spear phishing, suspicious phone calls, contact from suspicious social media accounts, etc. Examples of phishing attempts that have affected other similar organizations will also be helpful here.
Physical security requirements vary with the nature of an organization. Since businesses should already have a physical security policy in place, this is a great opportunity to make sure employees understand the parts of the policy that apply to them, such as locking desk drawers and the rules about allowing guests into the office. Training should also review how to report physical security risks, such as someone in the building who isn’t wearing a guest badge or sensitive data that has been left exposed.
Outline the potential consequences of failing to lock or shut off computers at appropriate times and plugging unauthorized devices into workstations.
Explain the nature of wireless networks and outline the risks of connecting to unfamiliar ones.
Complex password requirements and regular prompts for employees to change their passwords should already be enforced, but password security training is still important to explain the risks of reusing passwords, choosing easy-to-guess passwords, and failing to change default passwords immediately. Authorized password management tools may also be covered.
A training session on malware should define the types of malware and explain what they are capable of. Users can learn how to spot malware and what to do if they suspect their device has been infected.