Implement a Security Awareness Program
CIS Control 17
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise: develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
Why is this Critical?
The biggest cybersecurity threats come from within your company. This CIS Control advocates regular security skills assessments and security awareness training to educate employees about the potentially negative impact their actions may have on the corporate network. Regardless of whether the root cause is an honest mistake, carelessness, or malicious intent, organizations need to ensure that all employees are trained to acquire and apply the knowledge and skills needed to defend their employer against phishing attacks, intrusions, and data theft. Where gaps are identified, a comprehensive security policy and regular security awareness training are recommended, covering social engineering, sensitive data handling, unintentional data exposure, secure authentication, and identifying and reporting incidents.