Essentials of End User Security Training

No matter how secure your software, or how comprehensive your security policy, your organisation is put at risk each and every day. The culprit? Your employees.

No matter how secure your software, or how comprehensive your security policy, your organisation is put at risk each and every day. The culprit? Your employees: the people who use your software and implement your security policy.

To help reduce the human risk to security, I'm looking at 6 crucial components of an effective end user security training program.

1) Phishing Awareness

Phishing attacks harness the power of social engineering to trick end users into relinquishing sensitive information and login credentials. Whilst many phishing attacks rely on brute force (sending thousands of emails in the response of one or two responses), hackers are increasingly using 'spear phishing' attacks - faking personalised communication from trusted sources, in order to gain access to secure services and data. Spear phishing attacks are much harder to identify and avoid, so it's essential to raise awareness of the common characteristics and sources of phishing, including:

  • Email
  • Messaging apps
  • Intranet
  • Social media
  • Web browsers

2) Password Security

Passwords are the first layer of defense in many security systems, but unfortunately, they aren't infallible. Without the help of a password management system, it's left to the end user to choose a secure password and commit it to memory. As Adobe's famous data breach can testify to, this is easier said than done - with 5.96 million of their leaked login credentials appearing in a list of the top 100 most commonly used passwords. It's important to educate your users about the best practices of password security, and implement mandated measures to ensure that secure practices are always followed.

3) Shadow IT

Despite an organisation's best efforts, it's commonplace for the end users of an IT network to take it upon themselves to install and use unapproved software applications. This practice is known as Shadow IT, and with the growth of the Bring Your Own Device trend and cloud-based applications, it's easier than ever for employees to download and use insecure software.


The growing shift towards Bring Your Own Device working pose a unique set of risks. In order to protect your sensitive information, whether it's stored locally on a desktop PC, remotely in a cloud storage account, or accessed on a tablet or smartphone, it's important to educate end users about the best practices of secure remote working. This includes implementing a BYOD policy, preventing local storage of secure corporate data on personal devices, and protecting data-in-motion with some form of encryption.

5) WiFi Security

Whether employees work from home, the office, or even a local coffee shop, it's important for end users to understand the risks associated with wireless networks, particularly "evil twin" and "war driver" attacks. "Evil twin" attacks create fake WiFi networks with the same name and credentials as legitimate wireless networks. When an end-user connects to the fake network, the attacker can capture sensitive information and login credentials. "War driver" attacks compromise non-secure wireless networks, and intercept any information being exchanged in the network. This can be problematic when end users connect to your organisation's non-secure wireless networks (like a Guest WiFi account) instead of a password protected network, and use them to access and transfer sensitive information.

6) PCI Compliance

End users play a crucial role in ensuring compliance with essential regulations and legislation. Compliance with Digital Security Standards is required of all organisations that process debit and credit card information; and with each job function and role in your organisation engaging with payment information in a different way, it's essential for every end user to understand the principles of PCI DSS.

Get Switched on

Subscribe to our newsletter to keep ahead in the industry, and be the first to access new reports and white papers.