Security OfisGate


1. Strategy to get employee buy-in for security awareness

1.1. 1. Partner with your security team

1.1.1. The security team has a vested interest in ensuring all employees understand how to combat cybercriminal activities and how to practise good cybersecurity hygiene.

1.2. 2. Make it clear that everyone is a potential target

1.2.1. Cybersecurity skills are life skills. Employees can teach their families at home about the importance of cybersecurity skills.

1.3. 3. Break through training fatigue

1.3.1. Be sure that scenarios reflect situations your employees would encounter. Deliver content that is relevant to your employees' roles and specific locations.

1.4. 4. Acknowledge employees as stakeholders

1.4.1. Communicate the need for the training program, explain what's expected of them, and speak to them as stakeholders.

2. Threat awareness information

2.1. Security policy first

2.1.1. At a minimum, your security policy should include procedures to prevent and detect misuse, as well as guidelines for conducting insider investigations. It should spell out the potential consequences of misuse.

2.2. Strong passwords

2.2.1. Strong passwords and the part they play in keeping novice hackers at bay.

2.3. Disabled Security Controls

2.3.1. Usability and security are often each other’s worst enemies. Administrators often disable security controls to make applications more usable for the employees but, obviously, this can lead to fatal repercussions.

2.4. Lack of Remote Security

2.4.1. Remote insecurity can also have catastrophic consequences. Employees often transfer files between their personal computers and their corporate workstations or allow their family members to use their corporate devices at home, and this can create some security loopholes.

2.5. Clumsy Social Networking

2.5.1. Social networking obviously allows the entire workplace to stay collaborative and lively but it can also pose some obvious risks, such as confidential corporate information getting posted on networking websites.

3. Keep your software up to date.

3.1. So hackers can't exploit it easily

4. Social Engineering

4.1. Think before you click.

4.1.1. The best way is to use a method of communication different from the one the message came through.

4.1.2. When you get a highly urgent, high-pressure message, be sure to take a moment to check if the source is credible first.

4.2. Write a policy and back it up with good awareness training.

4.2.1. Once you know which of your assets are most tempting to criminals and the pretexts they're most likely to use to pursue them, write a security policy for protecting your data assets. Then back up that policy with good awareness training.

4.3. Checking the URL may help you spot fake sites. Avoid responding to emails that request you to provide personal information.

4.4. Beware of any download

4.4.1. If you don't know the sender personally AND expect a file from them, be careful and don't click any link in it.

5. Poor password security

5.1. 1. Add controls for minimum password length and complexity

5.1.1. Developers must implement controls that enforce minimum length and complexity requirements for all passwords used to authenticate user access to enterprise systems.

5.2. 2. Require multifactor authentication

5.2.1. Requiring users to submit one additional credential for verifying their identity beyond just a password is a relatively painless yet surprisingly effective mechanism for bolstering the effectiveness of password-based authentication.

5.3. 3. Enable single sign-on

5.3.1. One of the most effective ways to address poor password security practices is to implement a single sign-on (SSO) capability with multifactor authentication support.

5.4. 4. Lock down privileged passwords

5.4.1. Passwords to accounts with privileged access to sensitive data and critical systems are extremely powerful. Systems and network administrators use such accounts to maintain, administer, and update systems.

5.5. 5. Make sure passwords are stored securely

5.5.1. Hashing user passwords makes them harder to crack than passwords stored in clear text, but only barely. Numerous attacks in recent years have shown how attackers can strip away hashing protections from passwords relatively easily using automated tools containing already-computed hashes for a virtually limitless number of passwords.
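
The storage weakness described in 5.5.1, as an added example that is not part of the original mind map: a plain fast hash gives the same digest for the same password everywhere, which is what makes already-computed tables work, while a per-user salt with a slow key-derivation function does not. The choice of PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not from the page; tune per hardware


def unsalted_hash(password):
    """Weak storage: one fast hash, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(candidates):
    """'Already-computed hashes': a digest -> password map, built once, reused."""
    return {unsalted_hash(p): p for p in candidates}


def store_password(password, iterations=ITERATIONS):
    """Stronger storage: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False  # malformed record


if __name__ == "__main__":
    # Constructed sample data: a tiny stand-in for a precomputed table.
    table = build_table(["123456", "password", "qwerty"])
    print("unsalted digest found in table:", table.get(unsalted_hash("qwerty")))
    a, b = store_password("qwerty"), store_password("qwerty")
    print("salted records identical:", a == b)
    print("salted digest found in table:", table.get(a.split("$")[3]))
    print("verify correct / wrong:", verify_password("qwerty", a),
          verify_password("letmein", a))
```

Because each record carries its own salt, two users with the same password get different stored values, and a table built once cannot be reused across accounts.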