The company should publish information to help users defend themselves against cybersecurity risks.
Elements:
- Does the company publish practical materials that educate users on how to protect themselves from cybersecurity risks relevant to their products or services?
Definitions:
Cyber security risks — Situations in which a user’s security, privacy, or other related rights might be threatened by a malicious actor (including but not limited to criminals, insiders, or nation states) who may gain unauthorized access to user data using hacking, phishing, or other deceptive techniques.
Indicator guidance: Because companies hold such vast amounts of data about users, they are often targets of malicious actors. We expect companies to help users protect themselves against such risks. This can include publishing materials on how to set up advanced account authentication or adjust privacy settings, how to avoid malware, phishing, and social engineering attacks, how to avoid or address bullying or harassment online, and what “safe browsing” means. Companies should present this guidance using clear language, ideally paired with visual materials, designed to help users understand the nature of the risks companies and users can face. These materials can take many forms including tips, tutorials, how-to guides, FAQs, or other resources presented in a way that users can easily understand.
Potential sources:
- Company security center
- Company help pages or community support page
- Company blog
No Comments