As we move further into 2023, it is imperative for companies, and their employees, to stay up-to-date with the latest security threats and best practices. The technology and attack landscape is evolving quickly, so even though some of the topics have not changed in 2023, the material for these topics and how they are presented may be different.
At the very least, an annual review of security awareness topics should be done; at Haekka, we rewrite our security awareness training each year while also sending short, weekly, topical security coaching content in Slack.
We lumped the most essential security awareness topics into 8 categories. Here are the critical topics that should be covered as a part of security awareness training in 2023:
- Phishing and social engineering attacks: Phishing attacks remain one of the most common methods used by cybercriminals to gain access to company data. Employees should be trained on how to recognize and avoid phishing emails and other social engineering attacks. With ChatGPT, cyber attackers have a new tool that makes identifying phishing attacks harder than ever before. Additionally, phishing simulations complement security awareness training by helping employees practice identifying phishing so they do not fall victim to these attacks.
- Password security: Passwords are often the first line of defense against cyber attacks. While passkeys are starting to gain traction, passwords are here for at least the short to medium term. Employees should be taught how to create strong passwords, how to securely store them, and why it is important to change passwords regularly. A strong password is a unique password: attackers have access to treasure troves of breached databases full of real passwords, so any password reused across sites can be tried against other accounts.
- Mobile (and personal) device security: With more employees working remotely or using mobile devices for work, it is important to cover mobile device security in security awareness training. This includes topics such as securing mobile devices, avoiding public Wi-Fi networks, and using secure communication channels. It also includes the use of personal software on devices that are used for work, as the recent data breaches at LastPass resulted from vulnerabilities in personal software.
- Cloud security: Many companies are using cloud-based services for data storage and collaboration. Extending "cloud" to SaaS covers most of the applications employees use today. Employees should be trained on how to securely use and access cloud-based services and SaaS apps, as well as on the importance of data backup and recovery. The evolution of cloud and SaaS mandates new approaches to managing human risk.
- Physical security: While much of security awareness training focuses on digital threats, physical security is also important (even for non-office workers). Employees should be trained on topics such as securing company assets, locking doors and windows, not leaving devices in public areas, cars, or shared spaces (Airbnbs), and reporting suspicious activity.
- Cybersecurity regulations and compliance: Compliance regulations such as GDPR, HIPAA, CCPA, and PCI-DSS require companies to adhere to certain security standards. Employees should be trained on these regulations and the importance of complying with them. It is not just a matter of knowing the regulations; some employees must also understand the data rights granted to individuals over their personally identifiable information (PII).
- Incident reporting and response: Employees should be taught how to report potential security incidents and how to respond in the event of a breach or attack. Employees should also not be shamed or embarrassed when they make mistakes that result in security incidents and data breaches.
- Cybersecurity trends and emerging threats: Finally, keeping employees up-to-date on the latest cybersecurity trends and emerging threats is important. This includes topics that are not new, like ransomware attacks, zero-day vulnerabilities, and supply chain attacks, as well as newer topics like the dark web, account takeover attacks, and the use of ChatGPT and other AI tools by cyber attackers.
Security awareness training should be an ongoing process that is updated regularly to keep up with the latest threats and best practices. Covering these important topics in security awareness training in 2023 can help companies protect their data and assets, comply with regulations, and reduce the risk of cyber attacks.
If you're looking for a security awareness content partner, check out Haekka. We curate content on a weekly basis so our customers always have access to up-to-date, relevant security awareness and training. We even use AI, in the form of ChatGPT, to create some of our training and some of our phishing templates. All training is customizable, so you can use it as is, customize it to meet your specific needs, or create your own training from scratch.