Cyberattacks are on the rise, specifically targeting highly regulated industries like healthcare, financial services and legal. Educating your users on cybersecurity antics, what to watch for and how to detect attacks has never been more important. To help you get started, we’ve developed a training curriculum that outlines learning objectives, topics to cover and exercises to help keep your organization safe from cybersecurity attacks.
Regular cybersecurity training and refresher courses are important to keep your users educated on the latest cybersecurity threats and prevention methods. If you’re looking for great training resources for your staff, check out KnowBe4, Cybrary or 4MedApproved.
Cybersecurity Training Learning Objectives
- Overview of cybersecurity
- The risks of cyberattacks
- Explore how we combat cybersecurity at an organization-level
- Best practices to protect yourself and your organization from social engineering attacks
- How to identify a phishing attack
- How to keep PHI safe and secure
- When to report an attempt or attack
- Practice identifying suspicious data in screenshots of emails
Editor’s Note: Are you looking to improve the security posture of your organization? Download our FREE Cybersecurity Toolkit, which includes handy desk reference guides, posters and checklists that you can share with your teams.
Cybersecurity Training Course Outline
When you set up your cybersecurity training plan, follow this suggested outline of what to cover in your curriculum:
Password best practices
Your organization likely has password policies, but it never hurts to reiterate the purpose and necessity of complex passwords. In addition, encourage your users not to use the same password for multiple logins. Using different passwords will prevent hackers from accessing multiple accounts.
Further, offer your users some options for secure password management using a highly rated password manager, like LastPass.
Importance of encryption
Using encryption is reported to reduce the cost of a data breach by about $9 per record. Ensure your users have their mobile device, laptops, notebooks, tablets and operating systems encrypted. Further, for protected or sensitive information in transit, ensure your users are using email encryption to send patient and client data back and forth.
Corporate and personal mobile devices
Mobile devices stand to make your organization most vulnerable because most of the time, these devices are owned and managed by your users, not your organization. Here are some best practices to cover with users regarding their mobile devices:
- Do not download programs or apps from unknown sources
- Never provide your personal or organizational information
- Always keep your phone’s operating system updated
- Encrypt your phone (if you have an Apple device, it’s encrypted if you use a passcode)
- Do not transmit PHI over open wireless networks
Detecting a phishing attack
Your users need to know how to detect a phishing attack. During your cybersecurity training, make sure you share these tell-tale signs of a phishing attack:
- If the URL displayed in the email is different than the URL that appears when you hover over the link.
- The “From” address is an imitation of an actual email address. For instance, email@example.com may be in place of firstname.lastname@example.org. At first blush, it looks the same, but could be from a malicious sender.
- If the content is poorly written.
- If the email requests that you click a link to update your personal information.
- The email contains attachments from a source you weren’t expecting.
- If the website where you’re entering your information is not secure, that is, it does not have https:// in front of it.
- The email requests that you transfer money.
- The format of the email is different than an email that you typically receive from that person.
Preventing a phishing attack
There’s no way to prevent all phishing attacks, but your users can mitigate their chances of falling victim by following these guidelines:
- Keep your browsers up to date
- Keep your operating system updated and patched
- Never give up your personal information
- Think before you click
- Keep updated on phishing techniques
- Keep a close eye on your online accounts
- Don’t open emails or messages that you’re not expecting
Reporting attempts or attacks
We’re all human, right?! Teach your users what to do if they suspect they’ve compromised their own information or your organization’s data. Make sure your users never forward an infected email, but rather send the email as an attachment to be reviewed by your organization’s security team.
Keeping your system up to date
Outdated operating systems can make your device vulnerable to hackers. While most computers will be kept up to date by your organization, ensure your users understand the importance of updating their operating system on their phones, tablets and other devices they use to access PHI.
Practice. Practice. Practice.
Throughout the cybersecurity training with your staff, include exercises that help them Identify and thwart suspicious activity. The best way to teach your staff how to adopt good cybersecurity best practices is to practice with real-life examples in a safe environment.