Train Workforce Members on Authentication Best Practices
Description
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management.
Implementation Checklist
Tool Recommendations
Security awareness training platform with simulated phishing, interactive training modules, and compliance reporting
KnowBe4 · Per-user subscription
Adaptive security awareness and behavior change platform with targeted training based on real threat data
Proofpoint · Per-user subscription
Phishing simulation and security awareness platform with real-time threat intelligence and incident response
Cofense · Per-user subscription
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Credential Stuffing Attack Using Reused Passwords
Confidentiality: An attacker uses credentials leaked from a third-party breach to access enterprise accounts because employees were never trained on password uniqueness and the dangers of credential reuse across services.
MFA Bypass Through Social Engineering of Untrained User
Confidentiality: An attacker tricks an employee into approving a fraudulent MFA push notification because the employee was never trained on how MFA fatigue attacks work or how to recognize unauthorized authentication requests.
Weak Password Compromise via Brute Force
Confidentiality: An attacker successfully brute-forces an employee account using common password patterns because the workforce has not been educated on creating strong, unique passphrases or using credential managers.
Vulnerabilities (When Safeguard Absent)
Poor Password Hygiene Across Workforce
Without authentication best practices training, employees commonly reuse passwords, choose weak credentials, and store passwords insecurely, dramatically increasing the attack surface for credential-based attacks.
Misunderstanding of MFA Mechanisms
Employees who have not been trained on MFA best practices may share one-time codes, approve unsolicited push notifications, or fail to report suspicious authentication attempts.
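The MFA fatigue threat scenario above and the "approve unsolicited push notifications" vulnerability describe a pattern that training alone cannot guarantee users will catch, so it is worth detecting in authentication logs as well. The following is an added example, not code from the original page or from any of the listed vendors; the log format, field names, user names, IP addresses and thresholds are all constructed assumptions.

```python
# Added example: flag a possible MFA fatigue pattern (several unanswered or
# denied push challenges followed by an approval) in push-notification logs.
# The log format and event names below are assumptions, not a vendor schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, user, event, source IP.
SAMPLE_LOG = """\
2024-03-04T09:01:10Z alice push_sent 203.0.113.7
2024-03-04T09:01:40Z alice push_timeout 203.0.113.7
2024-03-04T09:02:05Z alice push_sent 203.0.113.7
2024-03-04T09:02:35Z alice push_denied 203.0.113.7
2024-03-04T09:03:00Z alice push_sent 203.0.113.7
2024-03-04T09:03:30Z alice push_timeout 203.0.113.7
2024-03-04T09:04:00Z alice push_sent 203.0.113.7
2024-03-04T09:04:12Z alice push_approved 203.0.113.7
2024-03-04T10:15:00Z bob push_sent 198.51.100.4
2024-03-04T10:15:08Z bob push_approved 198.51.100.4
"""

# Events that mean the user did not accept the challenge.
FAILURE_EVENTS = {"push_timeout", "push_denied"}

def parse_log(text):
    """Yield (timestamp, user, event, ip) tuples from the constructed format."""
    for line in text.splitlines():
        ts, user, event, ip = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip

def find_mfa_fatigue(text, min_failures=3, window=timedelta(minutes=10)):
    """Return {user: prior_failure_count} for every approval that was preceded
    by at least `min_failures` timed-out or denied pushes within `window`."""
    history = defaultdict(list)   # user -> timestamps of recent failed pushes
    alerts = {}
    for ts, user, event, _ip in parse_log(text):
        if event in FAILURE_EVENTS:
            history[user].append(ts)
        elif event == "push_approved":
            recent = [t for t in history[user] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts[user] = len(recent)
            history[user].clear()   # an approval closes the current window
    return alerts

if __name__ == "__main__":
    print(find_mfa_fatigue(SAMPLE_LOG))  # {'alice': 3}
```

A hit on this rule is a prompt to contact the user and to review the training material on unsolicited push requests, not proof of compromise on its own.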
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Technical | MFA enrollment status and enforcement configuration | Reviewed monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |