Building mobile security awareness training for end users

Do concerns of malware, social engineering and unpatched software on employee mobile devices have you up at night? One good place to start is mobile security awareness training.

Despite all the security talent, tools and dashboards IT teams might have at their disposal, an organization's employees remain the weakest link when it comes to cybersecurity.

External threats thrive on untrained workers connecting to enterprise networks with mobile devices. Cybercriminals can use social engineering techniques to coax these users into providing unauthorized access to sensitive data and systems. In other cases, users unknowingly create easier access due to limited security knowledge and errors in judgment. Either way, without mobile security training, employees lack the skills to spot and avoid threats, increasing the chances of a serious data breach.

That's why it's so important to educate users on how to identify mobile device weaknesses and block malicious attempts. The challenge is teaching these concepts in a way that resonates with users and accounts for the evolving threat landscape. With the right approach, IT leaders can build an effective, scalable mobile security awareness program.

Mobile device security training topics

A wide range of topics is essential to mobile security training. IT should ensure users have a good grasp of the different types of malware, the tactics that prevent infection and how to apply that knowledge in day-to-day use of their devices.

Types of mobile malware

Malware is a concern with any device containing corporate data. However, mobile endpoints have some specific weaknesses that users should know about. Certain attacks target mobile devices specifically, often through email, malicious apps or SMS text messages. Popular types of mobile malware include ransomware, spyware and Trojan horses.

Common attack vectors to avoid

Employees should learn about the practices they should avoid on their mobile devices. Training should outline the dangers of jailbreaking or rooting mobile OSes and opening suspicious files. Cover the unwitting mistakes they might make, such as clicking on a phishing link, as well as harmful security workarounds, such as installing software from third-party app stores.

Understanding that threats to mobile devices are everywhere

Many organizations have BYOD policies, allowing employees to use their personal mobile devices for work purposes. However, this comes with added risks. Users are more likely to access websites and files on their personal devices that they would not open on a corporate-owned device. Mobile phones are also easier to lose than other endpoints, and in cases of loss or theft, it's harder to secure devices that contain both corporate and personal data. Because users can bring mobile devices virtually anywhere, potential threats to them are everywhere.

The employee's role in mobile device security

Training should revolve around how untrained users amplify risks. Employees must understand that ignoring the warning signs of common cyberthreats can directly affect their organization's security posture and lead to serious consequences.

Figure: Top mobile security threats: malware attacks, phishing, lost or stolen devices, cross-app data sharing and unpatched OSes. End users should know what the top mobile security threats are and how to avoid them.

How to train employees on mobile device security

The IT security team is responsible for creating a comprehensive mobile security training plan. While a complete plan should cover an extensive list of security recommendations, the following lessons are most crucial:

  • Types of malware with specific and relatable examples.
  • Examples of phishing text messages and emails. Highlight phishing attempt red flags such as misspellings and unsolicited attachments.
  • The importance of strong passwords and encryption. Key points include password storage options, authentication methods, how to enable message encryption and why users must reset passwords on a regular basis.
  • How to mitigate security risks when in or out of the office. Key points include safe downloading and use of apps, public Wi-Fi networks, Bluetooth connections and protecting against social engineering attacks.

It's important to remember that most workers have plenty of tasks to deal with throughout the day. Thus, it's common for users to see a long and boring training as a tedious chore on top of their other work. For users to absorb and retain security information, IT must design training courses to be practical, efficient and even fun.

Consider the following best practices to build an effective program:

  • Prebuilt online training should be short -- less than 10 minutes -- but frequent. Each month, send out a brief set of training exercises that focus on one mobile device security topic. To make sure employees are paying attention to the lessons, require a short quiz at the end.
  • Provide a longer training program specifically for new employees. This can cover the organization's policies about smartphones and corporate data use. At the end of the training, require users to sign an acknowledgment confirming their understanding of these standards and policies.
  • Create scalable training that can readily adapt to new and emerging security threats.
  • The use of real-world examples often resonates well when it comes to security training. Be sure to highlight the latest examples.
  • Training resources should be easily accessible. Employees need to know where to find more information, as well as how to contact the information security team when they suspect a security incident has occurred.

Andrew Froehlich is founder of InfraMomentum, an enterprise IT research and analyst firm, and president of West Gate Networks, an IT consulting company. He has been involved in enterprise IT for more than 20 years.