Information security awareness and training are critical for any organization's information security strategy and supporting security operations.
People are, in many cases, an organizationâ€™s last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. It is, therefore, important to educate workers on what your organization considers appropriate security-conscious behavior and on the security best practices they need to incorporate in their daily business activities.
Transform your security message from "no" to "how." Demonstrate to your organization how to be secure rather than telling them what they can or cannot do. Some ideas:
- Drive security awareness, and stay informed. Teach users to be aware of the threat landscape around them.
- Users who think they may have been a victim of an attack, or who suspect something unusual on your network, should immediately contact the IT department for assistance.
- Teach users about the importance of using strong passwords for all of their online accounts and on your network, and of keeping passwords and personal identification numbers (PINs) secret.
- Educate users not to click links or call phone numbers from emails received from financial institutions, but to instead call the numbers that they have on file. Remind them that financial institutions typically print customer service phone numbers on the backs of credit cards and bank statements, and it is those numbers that users should call.
- Inform users that malware can be transmitted through instant messages on both computers and mobile devices.
- Users should only open email attachments that they are expecting to receive. When in doubt, users should contact the person who sent the file and confirm that the attachment was intentional and non-malicious.
- Users should install and use an email client that actively blocks active content and the automatic opening of attachments.
How Microsoft IT Protects Its People
With close to 90,000 employees across 99 sites worldwide, information security awareness and training are critical at Microsoft.
In addition to the recommendations described above, Microsoft IT has employed these tactics to protect its people:
- Used innovative media, like podcasts, comics, and challenges, to evangelize security messaging.
- Created focused, scalable, and prescriptive guidance (for example, "How-Do-I" podcast modules).
- Mandated security training for all of its engineers.
- Developed and used the Security Development Lifecycle (SDL) process to build products that are both productive and secure.
- Used tools and templates like the Microsoft security awareness program tool kit and guide and Microsoft IT's Work Smart Productivity Guides to educate employees about secure practices.