Creating security awareness within a company is no easy task, let alone with new employees. Below we explain how we approach this within Belnet.
Why is security awareness so important?
It is sometimes said that the greatest vulnerability in a computer system is the end user of that system. Humans are therefore the last line of defence in ensuring that malicious content does not get into your network. Employees who are lax about computer security make things very easy for cybercriminals: they open attachments or click on links without thinking, which creates a great risk for your organisation.
Fortunately, many people are already aware that computer use and the internet pose some risks, yet it is not always clear what users can do to protect themselves.
This is why we feel it is important to make our employees fully aware of these risks as soon as they join our organisation.
Cybersecurity crash course
When new employees join Belnet, they participate in sessions on the different departments within the organisation, including a session hosted by the security team. In this session, we first cover the operations and projects of the security team, and then provide a 'Cybersecurity crash course'. The crash course makes new employees immediately aware of the risks of the internet, so that they adopt a safe way of working as soon as they start their job and it becomes routine straight away.
In this training we cover several topics:
- Who does what?
In this section, we explain again who everyone is on the security team, what their role is and what language they speak. The latter is important because new employees then know who can be their point of contact in the language they are most proficient in.
- Passwords
In the second part of the training, we explain how employees can create secure passwords, using the password manager that is used within Belnet. We also explain why multi-factor authentication is important.
- Awareness platform
Next, we talk about the awareness training platform we use within Belnet. All new employees are immediately encouraged to complete a survey/training on the platform so that we can estimate their knowledge. This allows us to organise further training according to the needs of the employees.
- Phishing
Here we go over some examples of phishing, and employees try to point out why they suspect an email to be phishing. We do this using screenshots of both real and simulated phishing emails. We also explain to employees that if phishing emails arrive in their mailbox, they can report them so we can remove these emails from other mailboxes as well. Because we add that this contributes to the overall security of Belnet, employees are also more inclined to do this.
- QR codes
QR code phishing, or 'quishing', is also briefly touched upon. Here, we explain how employees can figure out which link is behind a QR code.
- Security incident & best practices
Finally, we explain to our employees how to report a security incident and also share some best practices. Some examples include locking their screen when they leave their laptop, not plugging in unfamiliar USB sticks, not putting internal information on public shares, and being careful with personal data on the Web.
Further training
Of course, creating awareness is not only necessary during the onboarding process; it must be 'refreshed' regularly, and we must also adapt our training to current events. For example, we use simulated phishing emails to keep our employees alert.
We also organise 'Lunch & Learn' sessions several times a year, in which we invite our employees to lunch and a presentation by an interesting speaker on a current topic. In the past, we have talked about the 'simplicity' of hacking a Windows system as well as scams via the internet or other forms of telecommunication.
The computer world does not stand still, and every day new vulnerabilities are discovered or new ways are developed to outwit computer systems and people. Therefore, creating awareness and continuing to do so is very important: as a reminder, but also whenever new risks or vulnerabilities emerge.
Raf Gillisjans studied applied computer science in Bruges and has been a part of the security team at Belnet for almost 2 years. He evaluates new solutions to make the Belnet environment a more secure place and is also part of the security awareness team. Outside of Belnet he can be found in a radio studio, behind a camera or behind his PC playing a game.