
CIS Control 14: Security Awareness and Skills Training

CIS Control 14 concerns implementing and operating a program that improves the cybersecurity awareness and skills of employees. (Prior to CIS Critical Security Controls Version 8, this area was covered by CIS Control 17.)
This control is important because a lack of security awareness among people inside your network can quickly lead to devastating data breaches, downtime, identity theft and other security issues. For example, attackers often manipulate or trick employees into opening malicious content and giving up protected information, and then take advantage of poor corporate practices, such as password sharing, to do further damage.

Why cybersecurity training is essential

Research reveals the following about the causes of data breaches:

  • Around 30% of incidents are due to human errors, such as sending sensitive information to the wrong person or leaving a computer unlocked in a place that enables unauthorized access to systems and data.
  • Another 28% of data breaches are due to phishing attacks, in which workers open malicious emails that deliver viruses or keyloggers.
  • Poor password policies are responsible for around 26% of all data breaches. For instance, using shared passwords and allowing simple passwords both significantly increase the risk of a data breach.

Unfortunately, less than 25% of organizations perform vulnerability assessments regularly, 43% admit that they are unsure of what their employees do with sensitive data and other resources, and only 17% have an incident response plan. To protect itself, your organization needs to be able to:

  • Regularly conduct IT security tests
  • Detect data breaches in their early stages
  • Respond quickly to security incidents
  • Figure out the scope and impact of a breach
  • Have a plan for recovering affected data, services and systems

How CIS Control 14 Can Help

CIS Control 14 can help you strengthen cybersecurity and data protection in your organization, as well as pass compliance audits. It is based on the following steps:

14.1 Establish and Maintain a Security Awareness Program

Your security awareness program should ensure that all members of your workforce understand and exhibit the correct behaviors that will help maintain the security of the organization. The security awareness program should be engaging, and it needs to be repeated on a regular basis so that it is always fresh in workers’ minds. In some cases, annual training is sufficient, but when workers are new to the security protocols, more frequent refreshers might be needed.

14.2 Train Workforce Members to Recognize Social Engineering Attacks

The next best practice is to train your entire workforce to recognize and identify social engineering attacks. Be sure to cover the various types of attacks, including phone scams, impersonation calls and phishing scams.

14.3 Train Workforce Members on Authentication Best Practices

Secure authentication blocks attacks on your systems and data. Workforce members should understand the reason that secure authentication is important and the risk associated with trying to bypass corporate processes. Common types of authentication include:

  • Password-based authentication
  • Multifactor authentication
  • Certificate-based authentication

14.4 Train Workforce on Best Practices for Data Handling

Workers also need training on proper management of sensitive data, including how to identify, store, archive, transfer and destroy sensitive information. For example, basic training may include how to lock their screens when walking away from a computer and erase sensitive data from a virtual whiteboard between meetings.

14.5 Train Workforce Members on Causes of Unintentional Data Exposure

Causes of unintentional data exposure include losing mobile devices, emailing the wrong person and storing data in places where unauthorized users can view it. Be sure your workers understand their publishing options and the importance of exercising care when using email and mobile devices.

14.6 Train Workforce Members on Recognizing and Reporting Security Incidents

Your workforce should be able to identify common indicators of incidents and know how to report them. Whom do they call if they suspect they’ve received a phishing email or lost their corporate cell phone? To simplify the process, consider making one person the first point of contact for all incidents.

14.7 Train Users on How to Identify and Report if their Enterprise Assets are Missing Security Updates

Your workforce should be able to test their systems and report software patches that are out of date as well as problems with automated tools and processes. They should also know when to contact IT personnel before accepting or refusing an update to be sure that an update is needed and will work with the current software on the system.

14.8 Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Everyone should be aware of the dangers of connecting to insecure networks. Remote workers should have additional training to ensure that their home networks are configured securely.

14.9 Conduct Role-Specific Security Awareness and Skills Training

Tailoring your security awareness and skills training based on users’ roles can make it more effective and engaging. For example, consider implementing advanced social engineering awareness training for high-profile roles likely to be targeted by spear phishing or whaling attacks.

Summary

Establishing a security awareness and skills training program as detailed in CIS Control 14 can help your organization strengthen cybersecurity. Indeed, providing effective and regular training can help you prevent devastating data breaches, intellectual property theft, data loss, physical damage, system disruptions and compliance penalties.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.