This is a work in progress and not a release. We're looking for volunteers. See Issues to know how to collaborate.

Security Training

tag: [Security Specialist, Operations & Strategy, HR]

All team members should receive some form of security training; how in-depth that training is depends on their specific needs and the type of access they have. It is important not to do this only once but to keep it a recurring activity. A training session does not need to mean sitting down for 60 minutes to look at a PowerPoint presentation; it could instead be tiny nuggets of relevant information that take no more than a minute to consume each time.

Security Training Session

An introductory and overarching training session could cover the following:

1. Introduction to Security

  • Importance of Security: Explain why security is important for your project.
  • Common Threats: Cover the common threats targeting your platform, and the types of attacks most likely to hit the team you're doing security training for.

2. Password Management

  • Strong Passwords: Explain the reason for using unique and complex passwords for accounts.
  • Password Managers: Show the value and the time saved by using a password manager to securely store and manage passwords.

3. Two-Factor Authentication (2FA)

  • Enabling 2FA: Explain why it's important to enable 2FA.
  • Types of 2FA: Explain the different types of 2FA, including SMS, authenticator apps, and hardware tokens. Each of these has its strengths and weaknesses, which should be explained (and especially why nobody should be using SMS for 2FA).

4. Secure Communication

  • Email Security: Explain how phishing emails and fake job offers can be used by a threat actor to compromise a project.
  • Messaging Apps: Explain why messaging apps such as Telegram do not provide end-to-end encryption, and why secure messaging apps like Signal should be used for sensitive communications.

5. Device Security

  • Software Updates: Explain why it's important to keep operating systems and software up to date.
  • Antivirus Software: Explain when it could be relevant to install and keep antivirus software up to date on relevant devices.

6. Data Protection

  • Backups: Discuss when it could be relevant to back up important data.
  • Encryption: Discuss when using encryption could be important to protect sensitive data both in transit and at rest.

7. Phishing Training

  • Phishing Test Campaigns: As a means to keep team members aware of the type of phishing emails that they may be receiving, it could be beneficial to run a phishing test campaign against the team members from time to time.
  • Effectiveness of Phishing Training: While phishing training can be beneficial, it's important to note that not all phishing tests are insightful. Poorly designed phishing tests can lead to frustration and a contrary effect, where team members become desensitized or overly cautious, impacting their productivity. It's crucial to design phishing tests that are realistic, educational, and provide constructive feedback to truly enhance security awareness.

8. Incident Response

  • Reporting Incidents: Discuss the need for everybody to know how to react during a security incident, and why one should never be afraid to raise the alarm.
  • Response Plan: For teams where relevant, discuss the incident response plan.