phishing
An attempt to acquire sensitive information by masquerading as a trustworthy entity via electronic communication, usually email.

phishing campaigns
Coordinated attacks employing phishing techniques aimed at deceiving recipients into disclosing sensitive information or installing malicious software. Organizations simulate these campaigns as educational tools to enhance employees' ability to identify and respond to phishing threats.

recognizing a phishing attempt
The process of identifying signs of deception in communications, such as email, which typically include suspicious sender addresses, unsolicited requests for sensitive information, and urgent or too-good-to-be-true appeals.

responding to reported suspicious messages
The steps an organization takes after a user reports a phishing attempt, including immediate analysis, communication with the reporter, mitigation of the threat, and dissemination of awareness based on the incident.

anomalous behavior recognition
Identifying actions that deviate from established patterns or expected behavior, potentially indicating a security threat. This includes risky, unexpected, and unintentional behaviors.

risky behavior
Actions knowingly taken that pose a security risk, such as sharing passwords or downloading untrusted applications.

unexpected behavior
Activities that deviate from normal or predictable behavior patterns, like sudden large data transfers or accessing systems at unusual times.

unintentional behavior
Actions taken without harmful intent that still pose a risk to security, such as mistakenly sending sensitive information to the wrong recipient.

user guidance and training
Educational efforts aimed at raising awareness among employees about cyber threats and the best practices for maintaining the security of systems and data.

policies/handbooks
Documents that provide clear guidance on acceptable behaviors and practices to maintain organizational security.

situational awareness
The ability of individuals to recognize and respond to potential security threats in their environment, thus promoting a culture of vigilance.

insider threat
Potentially harmful actions that come from individuals within the organization, ranging from malicious intent to negligence or lack of knowledge. Also, any employee who, on purpose or by accident, jeopardizes the CIA of the organization.

password management
The creation, use, and storage of passwords in a manner that reduces the risk of security breaches, advocating for strong, unique passwords and the use of secure password managers.

removable media and cables
Any type of portable data storage device that can be connected to and removed from a computer system, including associated cables that are used to transmit electrical power or data between devices.

social engineering
The process of taking advantage of human behavior to attack a network or gain access to resources that would otherwise be inaccessible. Social engineering emphasizes the well-known fact that poorly or improperly trained individuals can be persuaded, tricked, or coerced into giving up passwords, phone numbers, or other data that can lead to unauthorized system access, even when strong technical security measures could otherwise prevent such access.

operational security
Practices aimed at protecting sensitive information related to business operations, involving limiting information sharing, managing data access, and using secure communication channels.

hybrid/remote work
Security strategies required for employees accessing company systems remotely, addressing secure Internet connections, device security, and the use of secure video conferencing practices.

reporting and monitoring
The processes for detecting, alerting on, and addressing security incidents, including the development of a clear reporting process and the continuous monitoring of system operations for anomalies.

initial reporting
The first formal notification of a security incident or suspicious activity, providing essential details to relevant stakeholders for timely assessment and response.

recurring reporting and monitoring
The ongoing process of tracking security events, system performance, and compliance metrics over time to detect trends, ensure controls are effective, and support continuous improvement.
development phase
The phase of a security awareness program that shapes the foundation of your security training. An effective security awareness program should address every employee and provide them with the knowledge and skills necessary to protect themselves and the organization from cyber threats. Accurate content creation, tailoring of training modules, and an understanding of what your organization aims to achieve take precedence.

execution phase
The phase in which all your planning, designing, and theory-testing is put into motion. Strategies chalked out in the development phase now consolidate into employee training sessions, communication, and consistent evaluation.