Security awareness can be seen as the total knowledge and behaviors that people in an organization have in regards to the protection of physical and information assets. It also sums up one of the hardest parts of the security management mix. There is no laid down bench mark on what security awareness should be for all organizations. The level of security awareness your organization has can vary greatly based on industry, size of company, and various points of experience.

For those who work in a highly regulated industry like healthcare or finance, or for a large public company, there may be a greater need for them to undertake training for physical and cyber-security from time to time. The errors that are made by human beings are in fact the greatest threats to organizational security – after all, you’re only as strong as your weakest link, and people are your first line of defense. The best way to ensure that your entire workforce is prepared for any breach in security is to implement regular employee security training.

No matter what industry you’re in, security awareness should be a core business practice. Currently, there is an increased potential for people to deliberately or accidentally distort, damage, steal or abuse the data that is stored within a company’s computer and information systems. For this reason, most organizations now have mandatory security awareness training for all new workers as well as existing ones.

According to the European Network and Information Security Agency, “being aware of the risks and available safeguards is the first line of defense for ensuring the security of information systems and networks.” This statement emphasizes the need for an institution or organization to protect its physical or information assets by empowering its employees with adequate security awareness.

Irrespective of if you are a business owner that wants to teach your workers some basic security awareness tips, or an employee who has not been properly armed with the proper security awareness tips, these tips here will benefit you greatly. Even through security awareness tips can vary within organizations, some basic tips can be applicable in all places and settings. Take the time to establish security-conscious habits both in your professional and personal life, and before long it will be part of your routine. Here are 50 of such basic tips:

49 Best Security Awareness Tips for Employees

Table of Content

1. Train Employees Effectively

All employees in an organization, from top executives to those on the lower rungs, need to know that they have a part to play in maintaining effective security in an organization. Security awareness training is of utmost importance. When new staff are employed into the organization, they should be armed with adequate security tips, but this should not be a one-time activity. Training needs to be constantly enforced to ensure that security is top of mind for employees and that the latest threats are covered. Think of creative ways to deliver training so it grabs everyone’s attention and the information is more likely to be retained.

2. Know your audience

In order to ensure that you make security awareness successful across your company, you should know the end user. In some cases, your audience may not be a single person. You’ve got people from different age brackets and technological know-how. You’ve got people who know enough that they can be dangerous, and others who know so little they are the most dangerous. In other words, your demographic is varied so make sure your educational content like videos and blogs is too. And don’t always make it so ominous and serious.

3. Recognize the Importance of Policies

Policies define what standards of behavior are required and the role that everyone has in ensuring security. There needs to be a range of policies in place, covering topics such as acceptable use, incident reporting and how to deal with social engineering antics. It is extremely important to include these policies in your security awareness and training program so that employees are aware of what they must do. Without communicating these policies to employees right off the bat, they’ll be extremely hard to enforce.

4. Ensure Executive Sponsorship

In order to ensure that the culture of security is effectively entrenched in your company and that sufficient budgets are available for security programs to get buy-in from those at the top; it should be up to a specific person to have the overall executive responsibility for driving the program and keeping it on track, and they should report directly to the board. This will give your organization the best chance of ensuring that security objectives are balanced with other risks your business faces. It will also demonstrate to everyone in the organization the importance that needs to be attached to security.

5. Enforce Basic Controls

It is important that all the employees in an organization should understand the need for security hygiene. A clean desk policy needs to be enforced, and all workstations and devices locked down and signed out of when not in use. Common practices such as using strong passwords that are hard to crack alongside stronger authentication methods and timely updates to security controls need to be enforced. Research what users need and set baseline behaviors for basic security controls that should be in place and adhered to at all times.

6. Provide Secure Devices

At times, you may find out that the weakest links are the users and as such, it will be up to you to protect them from exposing themselves to security risks. Unintentional errors and loss of / stolen devices are some common causes of security breach that can lead to loss of sensitive data. If a device is corporate issued, it is up to the corporation to ensure that they have a high level of security built into the device. Organizations should raise awareness of the dangers associated with mobile apps and file-sharing services, and ensure that corporate alternatives are provided that meet employees’ needs.

7. Create a culture of cyber security and talk about it often

When business leaders and stakeholders have cyber security on their minds, it helps to create a culture of cyber security that permeates all the way through the employee level. “Do as I say, not as I do,” has never been a saying that actually holds much merit. Employees learn cyber security habits best through the example of their leaders. This tone from the top helps the culture of cyber security to remain on the forefront of the minds of those within the organization, enhancing security and lowering the risk of human error.

When employees understand the potential impact that a cyber-attack could have on their organization, it can help encourage better cyber security awareness practices. A good way to ensure this happens is by implementing an annual cyber security awareness training program. This program should be mandatory and should cover all aspects of cyber security awareness for the workforce, managers, and IT professionals. This program should also be a part of new employee onboarding. Another way to achieve this is by incorporating cyber security awareness into everyday business practices.

8. Strong password management

It is common knowledge that a strong password and passphrase should have not less than seven characters, which should comprise of alphanumeric characters. In addition, using unique characters and a combination of upper and lowercase letters can enhance password security. You should avoid using common phrases, words, or things such as birthdates or that have personal connection to you. It is also important to not reuse a password, and to require that passwords be changed every 90 days.

9. Teach employees to recognize phishing attempts

These days, Phishing attacks are one of the most common ways cyber criminals target organizations. By educating your employees to recognize what phishing is through appropriate training, it will help to prevent such damaging malicious attack. A phishing attempt that cyber criminals often try is creating emails that look like a legitimate communication. They often come camouflaged as something an employee might be expecting, like a password reset email, a notice from HR, or a shipping confirmation. Despite cybercriminals strong effort to disguise these emails, there are still several ways to identify phishing attempts. Some of which are;

  • Name check: it goes without saying that clicking on a link that is contained in an email from someone you don’t know is always a dangerous thing to do. No company will ever ask for sensitive information such as such as usernames or passwords, over insecure end-user messaging. Cyber criminals will go as far as using an email address that is very similar to a company’s official address, so closely checking who an email is from, is a critical practice.
  • Spelling and grammar: check the body of the email for unusual spelling or characters as this can be a good indicator of a phishing attempt, particularly, if the sender of the email is requesting sensitive information. Misspellings and grammar issues should be a red flag when seemingly coming from a credible source.
  • Intimidation tactics: Messages that start with “Urgent action required” or “Your account has been compromised” that require you to click on a link and enter sensitive information should be avoided. These intimidation and scare tactics are an attempt to get you to give up your credentials.
  • Links: you should never click on a link from an email that comes from someone whom you do not know. Even though the hyperlink in an email may appear to look legitimate, it’s important to hover over the hyperlink (without clicking) to see the real URL.
  • Reporting cyber security incidents: irrespective of the security training that a company will have, there is still a probability that a security incident can occur due to human error. When this happens, it is important that employees know how to report these incidents. By confronting a cyber-security issue as soon as possible, it can prevent it from escalating into something that is even more serious. Incident response training should be another integral part of your employee onboarding, and should be revisited company-wide on an annual basis. A good incident response plan includes the following; Preparation, Detection and Identification, Containment, Remediation, Recovery and Lessons Learned.

10. Mindfulness with safeguarding your Identity

An employees’ Corporate Identity is the critical component to safeguarding all valuable top secrets or highly classified documents, customer records, Intellectual Property, or design secrets. Hackers are known to go to any length in order to trick employees to steal their access credentials. This should not just be limited to regular update of password with strong alpha-numeric characters. A good rule of thumb is to treat all the files, folders, documents, social media, corporate websites you have been granted access to as would your own bank account. Would you share your bank account details with anyone else? In the same vein, sharing your corporate ID is never a good idea, even under temporary circumstances.

Always ask questions before disclosing private information about yourself or your employer, especially when you think the requested details are not necessary for the objective. Never disclose the requested details until you have been informed about how the information would be used and assured that it would be protected. If you are not satisfied with the answers given, don’t disclose your details.

It’s also a good idea from time to time to check with IT to see what exactly you have access to. Especially if you have been at the company for a long time. Do you really want access to systems you used 5 years ago? This only creates risk, and it’s OK to ask for a list of things you still may be able to access and request that access be removed.

11. Attribution of all Business Communications

Attribution involves, knowing the author of a message. It’s important to train yourself to get into the habit of verifying the author or creator of a digital communication to you (via email, text, social media, automated message, website alert/notification, et al.). It is easy to make this technique part of yourself as soon as you start to just ask the right question. With email, you can double-click on a name or hover your mouse on the from field and it will resolve to the actual email address. SPAM, Phishing attacks and Malicious Ransomware messages often resolve to a string of characters that are easily seen as suspicious. If the email doesn’t end in “companyname.com” you likely are being subjected to some sort of deceptive communication. The same is true of malicious URL’s. Instead of clicking on the link to find out what it resolves to, hover your mouse or right click to see what the whole string looks like. These changes in behavior can really make a difference beyond just updating antivirus, OS patching, and firewall security controls.

12. When Traveling

When travelling, it is not advisable to pack your laptops and tablets in checked luggage unless required to do so by airline security regulations. It is quite easy for these devices to be stolen from your checked luggage. Remember to retrieve devices at TSA checkpoints. Double-check that you have all of your belongings before walking away from the TSA checkpoint. You should never leave your devices unattended to when in the airport.

Don’t just assume that your bag will be safe if you quickly go to the restroom or buy something and leave your items unattended. Someone could easily watch you walk away and grab your items. When on the plane, secure your devices. Phones, tablets, and laptops can easily be stolen from the overhead bins or from your seat or seat pocket when you use the restroom. Before you leave the aircraft; double-check your seat area and seat pocket to make sure you did not leave any devices behind.

Each year, millions of devices are left behind on planes and stolen or never recovered. Never leave your computer bag or laptop unattended in a vehicle. Thefts from vehicles are one of the most common ways laptops are lost. If you are moving a computer bag to the trunk of your vehicle, do not do this in the same area where you plan to park. Criminals sit in parking lots watching specifically for this kind of activity. Whenever possible, lock your devices in the hotel safe when you are not in the room.

Each time you leave your hotel room, remember to pull the door closed and check to make sure it has locked. Hotel thieves walk down the halls pushing on doors to find doors that are not properly locked. If you device is stolen, make sure that you wipe it remotely and then report the theft to the police. If the device was issued by your employer, you should also notify them.

When on the move, it is easy to lose important items not just mobile devices and laptops. Take only the credit cards, identification and cash that you need with you, and minimize the total amount of items that you carry at once to reduce the possibility that you might lose track of them. Any important or expensive items that are not carried on you should be locked up in a hotel safe. This includes a backup payment method, such as an additional credit card, that can be used if you lose your other items. Copy your identification information and leave the copies in the safe for additional security.

13. Public and Free Wi-Fi

It is possible for Hackers to set up fake Wi-Fi networks that look like the legitimate local network for coffee shops, restaurants, hospitals, shopping malls, libraries, and other public locations you visit. As hackers turn to crypto currency mining to monetize their hacking, we are starting to see Wi-Fi hotspot hacking to install crypto-miner malware on devices of unsuspecting users. Never assume your devices are safe, even at your local coffee shop. It goes without saying that it is never safe to access your workplace remotely using public and free Wi-Fi without a VPN.

14. Guard your utterances on Social Media

You should bear in mind that whatever you post on social media is viewable by anyone and as such, you should not post anything about the organization without consent from the appropriate quarters. Even if your social media account is set as private, whatever you post can be shared on the internet and cannot be deleted once others have gotten hold of it and shared it. You should get written permission before you post anything online about a coworker, colleague, client, or anyone else attached to your organization.

15. Plugins Can Be Security Risks

Only Use The Plugins You Need. While plugins can make browsing easier, plugins can also represent security risks. Keep the amount of plugins you use at a minimum. Uninstall or disable any plugins that you are not using and keep the plugins that you do use updated often to protect yourself against security issues. Only install plugins from reputable companies.

16. Use company-provided VPN whenever available

You should always utilize the VPN while connected to public Wi-Fi. VPN software should be available for all corporate-supported devices. Use your phone tethering feature or cellular Internet service instead of free Wi-Fi whenever possible. Never conduct financial transactions, including any transaction requiring a debit or credit card, when using public or free Wi-Fi services. Consider changing your passwords after you travel in case they were compromised while you were traveling.

17. Protect your data with secure storage and transmission

A lot of people have information that is sensitive in nature in their computers. These information such as bank account information, personal information, and more can be used for malicious purposes in the wrong hands. In order to protect this data, you should always use the appropriate encryption protocols for both storage and transmission.

Encryption protocols seal stored data behind a virtual lock, protecting the data from hackers. Storage devices, such as a hard disk drive or a flash drive, should be encrypted and you should use secure Wi-Fi and SSL (secure socket layer) protection when transmitting sensitive information. Look for HTTPS in the web address to verify the data is being transmitted securely.

18. Always use your own device

Even though you may have “cleaned all your tracks” after using another computer, a keylogger (a program that logs all your key strokes) would easily disclose everything you did on the computer. If you would work with passwords or other sensitive information, use your own device (that you own and protect).

19. Never disclose passwords and PINs

Don’t ever be too trusting of your friends, relatives, or your colleagues at work. Always keep your passwords and PINs to yourself. The more you disclose your private information to others, the higher your risks of being burned.

20. Never open strange attachment and applications

According to research, one of the commonest ways by which worms and viruses are spread is through email attachments. So, avoid opening email attachments from unknown senders. Even if a mail from someone you know contains a weird-looking attachment, question the sender about it before opening it. File-sharing tools are other means by which you can get bad files on your computer

21. Reduced Manual Security Mechanism

It is very critical for the security manager to reduce the daily manual procedures of physical security and access control. Fully automated security mechanisms are more robust and foolproof when compared to manual ones.

22. No Exceptions in Access Control

This is one of the most important guidelines for workplace security geared towards managing both physical and logical security with more robustness. If for any reason an exception should be made, it should be based on proper protocol and must be traceable.

23. Reliance on Technology

All access controls, administrative controls and data controls should be properly powered by the modern and disruptive technologies to achieve the best workplace security. Technology is not biased, does not cheat or deceive; it always remains transparent and a lot more reliable than manual methods.

24. Don’t Assume, Always Explain

It a common practice for the management in some companies to assume that everyone that is working in the organization is aware of the security procedures and emergency steps to take and the end up paying dearly for this assumption. Even some things that you may think are obvious may not be obvious to some employees. Thus, regular training on security awareness is always important.

25. Monitor and Analyze Regularly

Always monitor the existing workplace security systems, procedures, policies and their outcomes on a regular basis. This is one of the best tips for maintaining the workplace security in the real sense. Never skip the defined procedures to monitor the security mechanism at the workplace.

26. Badge System

Implementing a badge system in your workplace can help you to keep the building safe and secure, while still providing you with other benefits as well. With a badge system in place, it will help to prevent unauthorized people from having access to the building and also protecting the office when no workers are present. Badge codes can be updated instantly to prevent former employees from entering the building.

Badge systems also can be integrated into a timekeeping system, making it easy for company managers to keep track of employees’ working hours. Even though Access Badge is commendable, they could also be used by a malicious insider. And as such, you must Always Know Where Your Badge Is.

Someone inside the organization, including both coworkers and visitors, could use your access badge to reach confidential organization data. In order to ensure that access badges are as effective as possible, you must always ensure your badge is on your person at all times. Wearing your badge at all times is the best way to avoid losing it. If for any reason your badge gets lost, you should report it to the appropriate quarters immediately. This is true even if you find your badge again later; the badge could be taken, used and then returned.

27. Don’t Display Sensitive Data on Your Screen in Public Places

Mobile device security goes beyond simply ensuring that your data is encrypted and your connections are secured. If you display sensitive data on your computer screen in a public place, it may be read by others. Confidential data should never be viewed in a public place in a way that it can potentially be seen by someone else. Instead, you should always view your sensitive data in private. If you must complete work in a public location, face your back to the wall.

28. Reducing Access to Your Files Keeps Them Safer

Use Access Control Lists to Ensure That Files Are Accessed On a Need to Know Basis. Access control lists allow you to control who can view your files and whether they can read, modify or delete them. Using access control lists will ensure that only those who need your files can view them and that they can’t do anything to the files that you don’t desire. By reducing the overall exposure of your files, you can decrease risk. You can also lessen the chance that files may be accidentally edited or deleted.

29. Don’t Allow Others to Follow You through Secure Entryways without Swiping Their Own Access Card

Before getting access to the working environment everyone must swipe their own ID access cards. If they still refuse to swipe their ID access card, notify security and provide them with the details of the event. Most of these entry control systems record an audit trail of who enters which door, and when.

30. Never Let a Stranger Use Your Computer

Strangers may attempt to gain access to your computer so that they can access sensitive or confidential documents. They may give you a reason that they need to use your computer, such as a personal favor. Anyone on your computer will have access to the files and systems that you have access to. You should never let a stranger access either your work or home computer.

31. Acceptable Use Still Applies At Home

Follow All Policies Even When Working Remotely. Acceptable use policies are designed to be used regardless of where you work. Whether you are working from home or on a business trip, you should still be following acceptable use policies to protect both yourself and the organization.

32. It’s Important to Password Protect All Sensitive Information

Create easy to remember but complex passwords. Longer, complex passwords are more difficult for a person to guess and thus will secure data much better than shorter, simpler passwords. Try to create password phrases and substitute letters for numbers and symbols to increase the complexity. A password phrase may be something as simple as “remember the list.” With substitutions and symbols, this becomes “R3m3mb3rdlISt.” This is a very difficult to guess but easy to remember password.

33. Do not install software on your work computer unless it has been approved and is authorized for your computer

Software that have not been authorized for use may contain virus and other types of malware and can cause conflict with other applications. The software must be properly accounted for and follow proper licensing requirements. If you need a software that is not approved or authorized for your computer, contact your supervisor or the IT department.

In addition, viruses and malware may link computers together to perform tasks. This can be damaging to your system and others. Some viruses and malware may not do anything perceivable to your computer but instead use your computer. A botnet is an amalgam of many computers that are linked together to complete a purpose, such as a malicious attack against a third-part target.

While these viruses and malware may not harm your system, they may be used to damage another system or to commit some form of crime. Signs that your computer may be in a botnet include the computer running sluggishly or transmitting data when it should not be. Your virus protection software should be kept current and always on to protect you from this.

34. Printed sensitive data should be shredded when it is being disposed of

It is not uncommon for attackers to root through the trash of their potential victim in search of sensitive and valuable information. The data classification policy describes what classifications of documents must be physically destroyed (shredded) prior to disposal.

35. Passwords Alone Cannot Always Provide Sufficient Protection

Two-factor authentication is a special type of security that involves two separate types and stages of authentication. Usually, two-factor authentication uses something you “have” along with something you “know”. ATMs use two-factor authentication by requesting your ATM card (what you have) and your PIN (what you know), while many online accounts require that you both have a password and verify your identity with your phone or another device. Other forms of two-factor security authentication might include a token or a removable media device, such as a USB drive.

36. USB Drives Can Carry Viruses

You should never plug in a Free or Found USB Drive into Your Computer. Once plugged into a computer, a USB drive can transfer a virus or other malware to your system. You should never plug in a USB drive that you have received for free or found somewhere in your office; even if the USB drive was found at work, it might still have a virus on it. Keep your USB drives clearly marked to prevent any confusion between you and your coworkers and always keep them in a specific place. In addition you should have a strong anti-virus that can scan a USB drive.

37. Always Follow Governmental Regulations and Policies on Retaining and Destroying Sensitive Data

Certain types of data must be stored securely for a set amount of time and then disposed of in a secure fashion. The amount of time for data retention varies from location to location and also depends on the nature of the information (such as medical or financial records). Always be aware of the data retention and destruction policies in your local jurisdiction as well as the information security policy. Determine whether data is public, private, or confidential when preparing it for storage and removal. Ask your supervisor for guidance whenever you are in doubt.

38. Don’t disable security tools

One popular mistake people that can make which exposes them and their computers to malicious attacks is turning off their anti-virus or firewall with the intention to trouble shoot a slow application. Most at times, they forget to switch it back on and this comes back to bite them.

39. Be wary of HTML emails

Even though it may not be obvious to you, some emails may contain embedded text that may be as dangerous as malicious attachments. Embedded HTML text and PDF can contain harmful codes. So, do not open any unsolicited emails.

40. Mind the websites you enter

Before you go ahead to browse through a website’s pages, read the privacy policy to know if some of your entered information would be shared. Only enter very confidential information on secure web pages (with “https” in the address bar).

41. Keep it fun

Even though security in the work place is a serious business, there are ways to get employees engaged and keep security awareness fun. You can start by making adoption and usage a contest.

42. Remember it is about human behavior

Security awareness, as a way to keep your company and its data more secure, involves something rather unique to the rest of the mix. It is not just technical. It is also emotional. It’s not about a router configuration. It’s about what people think and feel when they see your latest memo about don’t do this or do a lot more of that. It’s about how they process information, whether it be in 5-10 second intervals or sitting down for a long read.

One way to make the best connection is to bring in the outside world to help. Make security awareness not just about security at work, make it about security everywhere. You’ve got employees who are parents and trying to get better at dealing with cyber bullying. Make your program about protecting everything and everyone they care about. It’s already going to be about the stuff you care about – your IT assets, your IP, your yearly audits. What’s in it for them? If you expect your colleagues to give you a few minutes, return the favor and share how they can be safer online no matter the context.

43. Mistakes can be a chance to learn new things

Some employees may not be able to adopt all the security awareness practices immediately so you will have to exercise a bit of patience with them. If they make a mistake, and they will, make it a positive learning experience. Use a phishing simulator and test your colleagues to see if they click on links within emails that they shouldn’t. If they fail, give them the chance to learn on the spot and move on.

44. Password Management

In order to ensure maximum password safety, you should not write passwords on notes and place them by the computer. Hiding passwords notes under keyboards, tissue boxes, blotters, et al. is not security. Don’t share your passwords with anyone and make sure that no one is looking when you are typing in your password.

45. Social Engineering

You should not give out phone numbers or other personal information of fellow employees to people you don’t know. If a caller sounds suspicious, ask them for their name, company name and phone number to call them back.

46. Receptionist security

The receptionist in an organization should be trained on how to handle phone calls securely, admit visitors and securely admit employees who have forgotten their employee ID badge.

47. Disaster recovery plan

Every company should have a secure location off-site where it stores back-ups. There should be a laid down procedure in place so your company can bounce back if it suffers a disaster.

48. Lock your computer screen when temporarily not in use

Whenever you step away from your work computer, you should do well to lock it screen with a password screen saver which will keep secure your computer when not active. You can use the short cut (Windows + L) to quickly and easily lock the screen.

49. Don’t sell yourself short

Some people in an organization may believe that a security breach will not come through them. These people are naive enough to consider themselves unimportant to the extent that they will not take any precautionary measures to maintain their device security. It is up to the management to make everyone in the organization realize that they are potential targets of hackers as well.

In conclusion, it is a popular saying that security requires a combination of people, processes and technology. Therefore, it’s vital that security awareness is high among everyone in an organization so that everyone knows what part they have to play in maintaining effective security for their business.

Ajaero Tony Martins