CISO’s Checklist: How to Train Employees to be SaaS Cyber Aware
Published 01/23/2024
Originally published by AppOmni.
Written by Tamara Bailey, Content Marketing Specialist, AppOmni.
While no employee sets out to harm their company, flaws in end-user behavior are, by far, the primary cause behind SaaS data breaches and security incidents.
This checklist will walk you through practical tips to help your end-users detect and avoid falling for these common SaaS threats.
1. Enforce Robust Authentication
Phishing attempts have matured, and it’s even harder for end-users to discern what’s authentic and what’s not. Create a culture of “when in doubt, double-check” within your company to prevent a compromise.
- Provide in-depth training to SaaS app admins and users with highly privileged access as they’re more attractive targets to threat actors.
- Remind employees to never click on any URL from a suspicious source.
- Implement time-based one-time password (TOTP) tools.
- Opt for hardware keys for critical systems and/or highly privileged users.
2. Be an Enabler of Workplace Productivity, Not a Roadblock to Innovation
Rather than planting roadblocks when ambitious employees connect shadow IT, understand their business perspective and communicate your security concerns. A high performer may pause to consider that a small learning curve for a second-choice tool beats introducing vulnerabilities into the SaaS ecosystem.
- Learn why end-users need a certain SaaS app. It may signal an unmet need with your current tech stack.
- Educate employees on the reality and risks of connecting shadow IT to SaaS systems.
- Meet with business leaders and their teams to know what their favored SaaS app provides that their current options lack.
3. Enforce Password Hygiene
Don’t think employees are the only ones saving time and effort with AI tools. Guess what, hackers are too. Hackers are capitalizing on AI to avoid the time-consuming work of personally guessing employees’ SaaS passwords.
- Train your employees to not include personal information like birthdays, family names, addresses, etc. in their passwords.
- Remind end-users about your master password system and how it can create unique, strong passwords that they don’t have to remember.
- Consistently check the password requirements across SaaS systems.
- Require long, complex passwords, ideally a passphrase of 14 characters or more.
- If possible, enforce password rotation, where end-users change passwords every 90 days.
- Encourage all users (including contractors, partners, and guests) to change their SaaS security passwords if a breach or critical security incident occurs.
- Explore SSO and federated identity management options across your SaaS estate.
4. Set Guardrails About What Data AI Can Be Privy To
If your company uses generative AI, ensure employees understand not to share sensitive information, such as financial planning, product roadmaps, or M&A strategy, with ChatGPT or its ilk.
- Ask end-users what tasks they want to outsource to AI and find safe solutions that help them achieve their goals.
- Use enterprise generative AI tools to address data exposure concerns (including siloing your company’s inputs to ensure the information you share doesn’t contribute to a competitor’s content).
- Outline what type of data is shareable with AI.
5. Ensure End-Users Have Appropriate Permissions
Some end-users may invite colleagues, contractors, or customers to SaaS tools and grant them highly privileged roles, inadvertently creating attractive side doors to threat actors.
- Remind colleagues to adhere to least privilege access when using SaaS tools.
- Ensure someone from your team has admin access to every SaaS tool for periodic user permission checks and to make changes quickly in the event of an incident.