
CIS Critical Controls 14 Explained

An overview of CIS control 14, its purpose, and how to implement the control.


Published Date: October 28, 2024

Product Line: CIS Controls

Audience: Executives, Security Administrators, Training Managers


Why is Security Awareness Important?

The human element is a large factor in the success or failure of an organization's security. Attackers often exploit systems by tricking users into clicking malicious links or opening harmful email attachments. Incidents also occur when users mishandle sensitive data or use weak security practices.


A robust security awareness program addresses these vulnerabilities by educating employees at every level. Different roles—executives, system administrators, and others—have varying risks, and the training should reflect these specific vulnerabilities. Regular updates to training help build a culture of security and reduce risky behaviors.

Security Awareness Program Basics

An effective program should go beyond a yearly training video. Ongoing training includes topical messages aligned with current events, such as phishing surges during tax season or malicious emails disguised as package notifications during holidays. Training should also be role-specific, recognizing the unique threats faced by different departments, such as finance teams encountering Business Email Compromise (BEC) scams.


Security awareness training should address regulatory and organizational threats. For example, financial companies must focus on compliance training, while healthcare must emphasize handling patient data. Phishing tests and other social engineering tactics should be tailored to the specific risks faced by employees in different roles. 

Techniques to Create and Implement Security Training

  • Establish and maintain a security awareness program: the program educates employees on how to interact securely with organization assets.
  • Conduct Role-Specific Security Awareness and Skills Training: customize training to the needs of specific roles or departments.
    • Examples: OWASP training for web developers, secure system administration courses for IT staff, etc.

What Should Training Include

  • Social engineering attacks: include education about phishing, pretexting, tailgating, smishing, and more.
  • Authentication best practices: educate employees about MFA, strong passwords, managing credentials… 
  • Data handling best practices: train employees on proper storage, transfer, and deletion of sensitive information. 
    • Includes training on locking screens, erasing whiteboards…
  • Unintentional data breach causes: ensure employees are aware of unintentional ways data can be exposed.
    • Examples: loss of end-user devices, publishing data to incorrect locations…
  • How to identify and report incidents: confirm that employees recognize signs such as out-of-date software or device failure, and know how to report these issues to IT.
  • Connecting to and transmitting data over insecure networks: raise awareness of the dangers of using insecure network connections for enterprise activities.
    • Include guidance on how to configure a secure home network.

Additional Resources to Help Build an Effective Program Include