Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Why is this CIS Control Critical?
The actions of people play a critical part in the success or failure of an enterprise’s security program. It is easier for an attacker to entice a user to click a link or open an email attachment to install malware in order to get into an enterprise, than to find a network exploit to do it directly.
Users themselves, both intentionally and unintentionally, can cause incidents as a result of mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing a portable end-user device, using weak passwords, or using the same password they use on public sites.
No security program can effectively address cyber risk without a means to address this fundamental human vulnerability. Users at every level of the enterprise have different risks. For example: executives manage more sensitive data; system administrators have the ability to control access to systems and applications; and users in finance, human resources, and contracts all have access to different types of sensitive data that can make them targets.
The training should be updated regularly. This will increase the culture of security and discourage risky workarounds.
14.1: Establish and Maintain a Security Awareness Program <control-14.1> 14.2: Train Workforce Members to Recognize Social Engineering Attacks <control-14.2> 14.3: Train Workforce Members on Authentication Best Practices <control-14.3> 14.4: Train Workforce on Data Handling Best Practices <control-14.4> 14.5: Train Workforce Members on Causes of Unintentional Data Exposure <control-14.5> 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents <control-14.6> 14.7: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates <control-14.7> 14.8: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks <control-14.8> 14.9: Conduct Role-Specific Security Awareness and Skills Training <control-14.9>