In 2022, users at more than 130 organizations were duped into entering their credentials on a fake Single Sign-On page. The phishing campaign sent text messages urging recipients to verify their Multi-Factor Authentication (MFA) credentials via a link to a fake Okta Single Sign-On page, where attackers harvested the credentials and bypassed MFA using adversary-in-the-middle techniques. The breach exposed sensitive customer data and disrupted operations.
Post-incident analysis revealed a critical insight: technical controls were strong, but employees lacked the training to recognize and respond to advanced phishing attempts.
To mitigate such risks, the Center for Internet Security (CIS) Critical Security Controls include Safeguard 14.1, which requires organizations to establish a security awareness program so that users learn to identify, avoid, and report social engineering attacks and other threats, creating a human layer of defense that complements technical controls.
What Is CIS Safeguard 14.1?
Safeguard 14.1 is part of Control 14: Security Awareness and Skills Training in the CIS Controls framework:
“Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.”
Why This Safeguard Is Critical
The goal is to reduce human error and strengthen the organization’s overall security posture through continuous education.
- The Verizon 2025 Data Breach Investigations Report found that roughly 60% of breaches involved a human element.
- Attackers exploit lack of awareness, not just technical gaps.
- Training empowers employees to identify and report threats before they escalate.
Safeguard 14.1 applies to all Implementation Groups. Organizations in Implementation Group 1 (IG1) should at least provide baseline awareness training for all staff, while IG2 and IG3 should add role-specific and advanced training for technical staff and high-risk roles (see Safeguard 14.9, Conduct Role-Specific Security Awareness and Skills Training).
Threat Scenarios Addressed by 14.1
- Phishing & Smishing Attacks: Employees click malicious links or enter credentials into fake portals.
- Business Email Compromise (BEC): Attackers impersonate executives to trick staff into making fraudulent payments.
- Social Engineering via Phone or Chat: Attackers manipulate employees into disclosing sensitive information.
- Credential Harvesting: Fake login pages and MFA bypass techniques exploit user trust.
- Insider Threats: Lack of awareness of data handling policies leads to accidental leaks.
Implementing CIS Safeguard 14.1
- Develop a Formal Training Program: Cover phishing, password hygiene, MFA, secure remote access, and reporting procedures.
- Use Role-Based Training: Tailor content for executives, IT admins, and third-party contractors.
- Leverage Simulated Phishing Campaigns: Test and reinforce awareness with realistic scenarios.
- Track and Measure Effectiveness: Use metrics such as click rates, reporting rates, and training completion scores.
- Update Regularly: Incorporate emerging threats such as MFA bypass and AI-driven phishing.
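The "Leverage Simulated Phishing Campaigns", "Track and Measure Effectiveness" and "Use Role-Based Training" steps above come together when you turn a simulation export into numbers the program can act on. The script below is an added example, not code from CIS or from any phishing-simulation product. It assumes a hypothetical export schema with one record per targeted user and campaign (click timestamp, credential-submission flag, report timestamp); the records in it are constructed sample data. Beyond the raw click rate the page mentions, it computes the rate of users who reported without (or before) clicking, the time to the first report, the same metrics split by role, and the users who clicked in more than one campaign, which is what you would use to target follow-up training.

```python
"""Metrics for simulated-phishing campaigns, split by role, plus repeat-clicker
follow-up. Added example: not CIS code and not a vendor export format. The Result
schema is a hypothetical simulation export; RESULTS is constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Result:
    campaign: str
    user: str
    role: str
    clicked_at: Optional[datetime]   # None if the user never clicked the lure
    submitted_creds: bool            # entered credentials on the fake login page
    reported_at: Optional[datetime]  # None if the user never reported the message


# Constructed sample data: two campaigns, each sent at 09:00 on its day.
SENT_AT = {"2025-Q1": datetime(2025, 3, 4, 9, 0), "2025-Q2": datetime(2025, 6, 3, 9, 0)}


def _t(campaign: str, minutes: int) -> datetime:
    return SENT_AT[campaign] + timedelta(minutes=minutes)


RESULTS = [
    Result("2025-Q1", "alice", "finance",    _t("2025-Q1", 3),  True,  None),
    Result("2025-Q1", "bob",   "finance",    None,              False, _t("2025-Q1", 7)),
    Result("2025-Q1", "carol", "it-admin",   _t("2025-Q1", 2),  False, _t("2025-Q1", 4)),  # clicked, then reported
    Result("2025-Q1", "dave",  "it-admin",   None,              False, _t("2025-Q1", 1)),
    Result("2025-Q1", "erin",  "executive",  _t("2025-Q1", 12), True,  None),
    Result("2025-Q1", "frank", "contractor", None,              False, None),  # ignored the message
    Result("2025-Q2", "alice", "finance",    _t("2025-Q2", 5),  True,  None),  # clicked again
    Result("2025-Q2", "bob",   "finance",    None,              False, _t("2025-Q2", 2)),
    Result("2025-Q2", "carol", "it-admin",   None,              False, _t("2025-Q2", 3)),
    Result("2025-Q2", "erin",  "executive",  None,              False, _t("2025-Q2", 20)),
]


def campaign_metrics(results, sent_at):
    """Rates over one campaign's records. Reporting without clicking (or before
    clicking) is the behaviour the program is trying to produce, so it gets its
    own rate; minutes to the first report is the head start the SOC would get."""
    n = len(results)
    if n == 0:
        raise ValueError("no results for this campaign")
    clicked = sum(1 for r in results if r.clicked_at is not None)
    submitted = sum(1 for r in results if r.submitted_creds)
    reported = [r for r in results if r.reported_at is not None]
    reported_first = sum(
        1 for r in reported if r.clicked_at is None or r.reported_at < r.clicked_at
    )
    first = min((r.reported_at for r in reported), default=None)
    return {
        "targets": n,
        "click_rate": clicked / n,
        "credential_submission_rate": submitted / n,
        "report_rate": len(reported) / n,
        "report_before_click_rate": reported_first / n,
        "minutes_to_first_report": None if first is None else (first - sent_at).total_seconds() / 60,
    }


def metrics_by_role(results, sent_at):
    """Same metrics split by role, so role-based training can target the weakest group."""
    by_role = defaultdict(list)
    for r in results:
        by_role[r.role].append(r)
    return {role: campaign_metrics(rs, sent_at) for role, rs in by_role.items()}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for targeted follow-up."""
    clicks = Counter(r.user for r in results if r.clicked_at is not None)
    return {user: n for user, n in clicks.items() if n >= min_clicks}


def for_campaign(results, campaign):
    return [r for r in results if r.campaign == campaign]


if __name__ == "__main__":
    for name, sent in SENT_AT.items():
        records = for_campaign(RESULTS, name)
        print(name, campaign_metrics(records, sent))
        for role, m in metrics_by_role(records, sent).items():
            print("  ", role, m)
    print("repeat clickers:", repeat_clickers(RESULTS))
```

Read the per-role split before the overall number: in the sample data the overall click rate is 50%, but the IT admins reported everything they received while the only executive both clicked and submitted credentials, which is the kind of finding that justifies separate executive-targeted content.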
Supporting Safeguards
2.3 Address Unauthorized Software: Awareness content should explain why unapproved software is blocked or removed and how to request sanctioned tools instead.
3.3 Configure Data Access Control Lists: Training should cover proper handling of sensitive data and respecting access controls.
4.1 Secure Configuration of Enterprise Assets and Software: Awareness programs can teach why secure configurations matter and how misconfigurations lead to breaches.
5.2 Use Unique Passwords: Training should emphasize password uniqueness and managers.
6.3 Require MFA for Externally-Exposed Applications: Complements awareness by reducing credential compromise risk.
Resources
- [CIS Controls and Safeguards v8.1](https://www.cisecurity.org/controls/v8-1)
- [NIST Cybersecurity Framework (CSF) 2.0](https://www.nist.gov/cyberframework)
- [Verizon 2025 Data Breach Investigations Report](https://www.verizon.com/business/resources/T5fa/reports/2025-dbir-data-breach-investigations-report.pdf)