Security Awareness Training for Employees

Low-risk employees are your best advocates for proactive IT security. This is because they have the knowledge and understanding to recognize and report security threats to your organization.

How do we ensure all employees are at minimal risk? By providing regular security awareness training. Let’s take a look at several security tips you can implement and share with your employees.


1. Passwords

Managing passwords is the simplest, most impactful and inexpensive thing you can do when it comes to IT security.

Change Passwords Every Three Months

  • Network Logins
  • Operating Systems Login (Windows, Linux, MacOS, etc.)
  • Email Accounts
  • Network Devices (Routers, firewalls and VPNs)
  • Wireless Networks (Private and guest access)
  • Cloud and data storage services

Password Rules

  • Characters: upper and lowercase letters
  • Numbers
  • Special characters (.!@#$%^&*)
  • Don’t reuse old passwords

Passwords to Avoid

  • Personally identifiable information
  • Public information
  • Public information on your social media profiles
  • Names of sports teams
  • Iloveyou, Superman, Batman, Sunshine

Characteristics of Strong Passwords

  • Long and complex: The longer and more complex the password, the harder it will be to crack. While your account may only require 6 to 9 characters, expanding your password complexity to 12, 16, or more characters will give you a stronger password.
  • Not in the dictionary: Avoid single words or common phrases that can be found in the dictionary or vernacular.
  • Character substitutions: Substituting characters for letters is a good practice, but you want to think outside of the box. Don’t substitute zero for the letter O and assume you are safe. A better option would be using the ampersand (&) for O.
  • Illogical phrases: While you wouldn’t want to use a common phrase like “ThankYouVeryMuch,” you could string together completely random words like “ThankCheeseBoatsNetwork.”
  • Acronyms and abbreviations: Instead of spelling out words, abbreviate them or replace phrases with acronyms that you can remember. Using the example above, “ThankYouVeryMuch” could become “TkYVreM.” Of course, you would add more to it so it’s longer and has a variety of characters.

Pro Tips

  • Set your password policy to require changes every 90 days based on the guidelines recommended above.
  • Ensure SaaS solutions enforce periodic password resets and support multi-factor authentication (MFA).
  • Consider using password managers when allowed to securely store and manage your passwords.
  • Be sure to address legacy systems as part of your password policy.
  • Don’t make exceptions for executives – they are more frequently targeted by hackers.



2. Phishing Emails

The ability to detect phishing emails empowers end users to be vigilant against security threats. Learning what to look for and how to respond when faced with a phishing attack can be indispensable for proactive security within organizations.

Email is still the number one entry point for cyber threats. Review email domains, URL links, sender and recipient information as well as the email body content to detect a possible fake email.

How To Recognize a Phishing Email

Proactive security awareness involves checking the email’s domain, address, sender information and the body of the email for anything suspicious. Here are some phishing email red flags to watch for:

  • Urgency: Any email that prompts you to take action with wording such as “log in immediately,” “click here now” or “action required” is likely fraudulent. Most emails do not require this sense of urgency.
  • Wire transfer/receipt of payment: Before opening an attachment (i.e., invoice) or clicking a link, contact the sender directly to verify email legitimacy.
  • Unusual grammar: Inspect the email for typos, grammatical errors, unusual tone or wording that clash with company culture.
  • Multiple embedded links: An email with several embedded links distributed throughout is most likely spam or a phishing attempt. Delete any spam and report any attempted phishing emails.
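
The red flags above can also be checked automatically when triaging a reported message. The following Python sketch is an added example, not part of the original guide; the Reply-To comparison, the off-domain link check, the `link_limit` threshold and the sample message (which uses reserved example domains) are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Urgency phrases are the ones quoted in the guide; extend the tuple as needed.
URGENCY = ("log in immediately", "click here now", "action required")
LINK_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def _domain(header):
    """Lowercased domain part of an address header ('' if absent)."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def red_flags(raw, link_limit=3):
    """Return red-flag names for one raw message (link_limit is an assumed threshold)."""
    msg = message_from_string(raw, policy=policy.default)
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_maintype() == "text")
    text = (str(msg["Subject"] or "") + "\n" + body).lower()
    sender = _domain(msg["From"])
    reply_to = _domain(msg["Reply-To"])
    hosts = [h.lower().rstrip(".") for h in LINK_HOST.findall(body)]
    flags = []
    if any(phrase in text for phrase in URGENCY):
        flags.append("urgency")
    if reply_to and reply_to != sender:          # replies go somewhere else
        flags.append("reply-to-mismatch")
    if len(hosts) >= link_limit:                 # several embedded links
        flags.append("many-links")
    if any(h != sender and not h.endswith("." + sender) for h in hosts):
        flags.append("off-domain-link")          # link host is not the sender's domain
    return flags

# Constructed sample message, not a real email.
SAMPLE = (
    'From: "IT Support" <support@example.com>\n'
    "Reply-To: helpdesk@example.net\n"
    "Subject: Action required: password expiry\n"
    "\n"
    "Log in immediately at http://login.example.org/reset or\n"
    "http://example.org/a or http://example.org/b to keep access.\n"
)

if __name__ == "__main__":
    print(red_flags(SAMPLE))
```

A message that raises flags still needs a person to verify it with the sender; legitimate newsletters and vendor mail will trip the link checks.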

Pro Tips

  • Implement company-wide email usage policies as part of your internet use guidelines and cybersecurity policies.
  • Use security awareness solutions that routinely train and test users to recognize phishing attempts.
  • Make sure that spam and phishing filters are enabled to automatically detect and filter out potential threats. Regularly check your spam folder to ensure legitimate emails aren't being filtered out.
  • Always be wary of emails from unknown senders or those that seem out of the ordinary. Be particularly cautious of emails that ask for personal information, prompt you to click on a link or download an attachment. These could be phishing attempts designed to steal your information or infect your system with malware.



3. Network Segmentation

When it comes to cybersecurity, there is no substitute for network segmentation.

Areas to Segment

  • Users: Privilege levels should be based on the user’s role in device administration.
  • The DMZ: These subnetworks expose externally facing systems.
  • Guest network: Keep guest access separate from corporate access.
  • IT workstations: Give IT their own network segments for testing and management functions.
  • Servers by application: Create separate network segments for servers with confidential or financial data applications on them.
  • VoIP/communications: This network will become a common attack plane as communications move away from traditional platforms.
  • Traditional physical security: Cameras, ID card scanners and other physical devices should run on an independent or firewalled network.
  • Industrial control systems: In addition to segmentation, remote access by vendors should use VPNs and have MFA.

Pro Tips

  • Audit your existing network architecture and use the list on this page to figure out your network segmentation priorities.
  • Evaluate what resources you’ll need to properly segment your network.
  • Create a business case to help executives understand why this is important and the time and resources it will require.
  • Communicate to end users about what you’re doing, why you are doing this, how long it will take and what downtime they may experience.
  • Back up EVERYTHING before making any changes.



4. Devices

IT should regulate the corporate use of devices and offer cybersecurity guidance for employees. Determining what devices can and cannot be connected to the corporate network and how devices can be used while connected is IT’s responsibility.

USB Drives

  • Restrict the usage of USB drives to individuals who require them to perform their job.
  • If USB drives must be used by employees, buy USB drives for your employees so they don’t feel like they need to use free ones.

BYOD (Bring Your Own Device)

  • IT should have the ability to quarantine any device regardless of who purchased it.
  • Research sample BYOD policies to write and implement your own.

Pro Tips

  • Use the operating system’s whole-disk encryption on all company-issued laptops, and biometric authentication solutions when available, to help prevent criminals from stealing information on those devices.
  • Regularly update the applications and operating system patches to reduce the risk of a cyberattack from the use of old and vulnerable software.

5. Prime Targets: Executives and Finance Employees

Finance employees and executives are targeted much more frequently than other teams on your staff.

Protocol Awareness

Finance and executives should understand how the company executes a transfer and the protocol for doing so. Anything outside of that framework should raise suspicion and be reported to IT or the security team. Don’t forget to establish policies and procedures for vendors and clients to change banking information. Let them know the process and how you will verify the validity of a request.

Authentication Tokens

Consider requiring an authentication application or a physical authentication token to complete multi-factor authentication. The key is to ensure that all access points, including devices, applications, vendors and employees, keep their authentication methods active and in regular use to safeguard against unauthorized access attempts.

Executive Triage Training

Executives will have to bear the public relations hit when/if an incident occurs. Is anyone on staff trained on how to deal with this? Do you work with a PR firm, and do you have an incident response plan?

Pro Tips

  • Create an acceptable transfer policy or refresh your current policy to include these rules.
  • Hold a meeting and train on it, then role play a few situations with the staff.
  • Audit with finance managers and executive assistants quarterly, looking through transfer requests to see if the protocol was acted on.



6. Backup and Recovery

Regularly back up systems and ensure you routinely test the recovery process. In the event of a data breach or ransomware attack, having a backup can save your business.

Pro Tips

  • Regularly back up all important business data. This includes documents, databases, software configurations and any other critical data.
  • Consider using automatic backup solutions to ensure consistent backups. These solutions can be scheduled to run at convenient times, like after business hours, to minimize disruption.
  • Store backups securely in multiple locations. Onsite backups are convenient for quick recovery, but offsite backups (including cloud-based solutions) protect against physical damage to your business premises.
  • Regularly test your backups to ensure data can be recovered. This involves restoring a file from backup and checking its integrity. Backup verification is crucial to ensure your backup system is working correctly.
  • When backing up systems, utilize encryption capabilities when available and separate passwords for those backups to reduce the risk of data breaches.
  • Where possible, look for systems that offer immutable backups to ensure that no one can make changes to the backup after it is made.
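
One way to carry out the restore test described above is to record a SHA-256 manifest when the backup is taken and compare a test restore against it. This Python sketch is an added example, not part of the original guide; the function names and the demo directory layout are hypothetical.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256, taken at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest; return (missing, corrupted)."""
    restored_root = Path(restored_root)
    missing, corrupted = [], []
    for rel, expected in sorted(manifest.items()):
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)          # file never came back from the backup
        elif sha256_file(target) != expected:
            corrupted.append(rel)        # file restored but contents differ
    return missing, corrupted

if __name__ == "__main__":
    # Constructed demo data: a tiny "source" tree and a simulated restore.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "app.cfg").write_text("mode=prod\n")
        manifest = build_manifest(src)
        shutil.copytree(src, dst)
        (dst / "ledger.csv").write_text("id,amount\n1,999\n")  # simulate corruption
        print(verify_restore(manifest, dst))
```

Keep the manifest somewhere other than the backup itself, so that anyone who alters the backup cannot also rewrite the expected hashes.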

7. Incident Response Plans

Create an incident response plan that includes these five key areas:

  • Critical systems and data: Understand where your risks are and what systems are involved internally, in the cloud and with third parties.
  • Teams and defined roles: Identify and assign the individuals or groups that will be involved in a response and clearly define their roles. This can include third-party response groups.
  • Action plans for each incident type: Clearly define the steps and responsible parties for each type of incident. These should include identifying, assessing, containing and recovering.
  • Communication/information sharing plan: Create a clear and effective plan to communicate with both internal and external groups. This should include a chain of command to prevent unauthorized communications, and it may involve law enforcement.
  • Training and testing: Plans won't be effective if the people involved don't train for and test them. Utilize these exercises to fine-tune and update plans, as situations can change and preparedness is crucial. Don't forget to include training for all employees. In the event they identify an incident, they'll need to know what actions to take and whom to notify.

Pro Tips

  • Have your attorney review any response plans to ensure they comply with all state, federal and international laws and regulations that may apply.
  • Hold routine tabletop exercises to run through possible scenarios that may occur and update the plan with any discovered weaknesses.



Terms to Know

Acceptable Use Policy

Acceptable use policies explain what devices can and cannot access the company network and how they can be used while on the network.

Application Isolation

Application isolation is the separation of one program or application stack from the rest of the running processes.

Distributed Denial of Service (DDoS) Attack

A DDoS attack occurs when multiple compromised systems are used to target a single system.


Domain

A domain is a group of computers and devices on a network that are administered as a unit with common rules and procedures; defined by an IP address.

Immutable Backup

An immutable backup is a backup that, once created, cannot be altered or deleted.

Legacy System

Legacy systems are outdated computer systems, programming languages or application software that are used instead of upgrading to available new versions.

Local Area Network (LAN)

A LAN is a computer network that links devices within a building or group of adjacent buildings.

Multi-Factor Authentication (MFA)

Multi-factor authentication is a security process in which the user provides two or more different authentication factors to verify themselves to better protect both the user’s credentials and the resources the user can access.

Network Segmentation

Network segmentation is when different parts of a computer network are separated by devices like bridges, switches and routers (this helps to limit access to those who need it and protect the network from widespread cyberattacks).


Phishing

Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.


Ransomware

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

