Enabling two-factor authentication for all users’ accounts is the easiest way to add significant security to your organization.
This is great, Jessica! From my experience, I see the most successful learning experiences when your phishing campaign frequency is set to at least once a month. This is just enough time to keep people on their toes and to remember all their training without making them too paranoid.
When someone calls your work line asking for information, don’t be afraid to verify who they are. Internal IT and Helpdesk folks (usually) won’t ask for your passwords or any other sensitive information without verifying who they are.
A recent example comes to mind from the hospital where a family member works: a bad guy claiming to be IT asked for and was given access to all employee records, including names, addresses, and SSNs.
In our line of work, it is always important to remember to change your passwords regularly. I know this can be annoying for some users or admins, but it is very important! Especially if your data is compromised in any way. Remember, if you change your passwords, they do not have your most up-to-date information. A small and possibly annoying task, but totally worth it!
Remind your users to always, always, always lock their workstation if they are leaving their desks. This is of course even more important if they are in an area accessible to the public or if they work with sensitive data!!
It is very important to make sure all of your users are trained if they have access to your network. Every single one; no user is too insignificant or too important to go through training. If they have access to the network, they need to be inoculated against current attacks on your system. Every user has the keys to the kingdom! Remember, your human firewall is only as strong as the weakest brick.
Always be wary of emails containing requests for urgent actions to be taken (like requests for money, credentials, etc. appearing to come from friends, family, co-workers, managers or executives) and verify that it's actually coming from the person it's supposed to be coming from by making direct contact with the person (i.e. calling them directly, talking to them in person, etc.).
Security is not always technical. Simply shredding documents with important data and information can mitigate risk tremendously! Dumpster diving is still a thing! Kevin Mitnick himself, as a teen, started out by dumpster diving!
I agree with changing compromised passwords, but let's move away from randomly setting an expiration on passwords. NIST is changing the guidance on this.
I think it's a good idea to have users go through some of the KnowBe4 micro training modules throughout the month.