Security Awareness Blog

Awareness Training for Those Marketing Folks

One of the challenges with awareness training is that no single set of training will address all of your organization's needs. While almost all employees share some common human risks (email, social media, passwords, etc.), there are specific roles that require additional or specialized training. One example is IT staff: because of their privileged access, they require additional training, such as secure use of admin accounts, controls for making changes to systems, or how *not* to share sensitive information on public forums.

The more I work at this, the more I feel marketing needs to be added to that list of specialized roles. Think about it: these people are your public-facing communicators, and the last thing you need is for them to be sending marketing emails or posts that scream 'phish' to millions of your customers. Here are some common lessons for marketing that I think would be great.

  • EMAIL: Any URLs within a marketing email should be under the control of your organization. Nothing is more frustrating than getting an email from a legitimate organization in which all the links point to different domains you have never heard of. In addition, be careful with campaign promotions. Sending your customers a marketing email announcing that a Starbucks gift card is attached and that they need to open it right away is probably not a behavior you want.
  • TWITTER/FB: Do not post vague or generic posts, such as "New pics, click here!". Also, make sure that the Twitter/FB account is well protected with two-factor authentication, making it more difficult for bad guys to hijack the accounts.
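One way to enforce the EMAIL rule above before a campaign is sent, as an added example that is not part of the original post: a Python check that lists every link in an HTML email whose host is not a domain the organization controls. The domain list, function names and sample email are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: placeholder list of domains the organization controls.
OWNED_DOMAINS = {"example.com", "example.net"}

# Constructed sample campaign email.
SAMPLE_EMAIL = """
<p>Dear John: our summer sale starts today.</p>
<a href="https://shop.example.com/sale">Shop now</a>
<a href="https://example.com.click-track.test/c?id=1">View in browser</a>
<a href="https://example.com@mailer.test/unsub">Unsubscribe</a>
<img src="https://cdn.example.net/banner.png">
<a href="mailto:support@example.com">Contact us</a>
"""

class LinkCollector(HTMLParser):
    """Collects every href/src value in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())

def is_owned(host, owned=OWNED_DOMAINS):
    """True only for an owned domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    # Match on a label boundary so "notexample.com" and
    # "example.com.click-track.test" are not treated as owned.
    return any(host == d or host.endswith("." + d) for d in owned)

def audit_links(html, owned=OWNED_DOMAINS):
    """Return (url, host) for each web link outside the owned domains."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # assumption: only web links are in scope here
        # .hostname drops any "user@" prefix, so the real host is checked.
        if not is_owned(parts.hostname, owned):
            findings.append((url, parts.hostname))
    return findings

if __name__ == "__main__":
    for url, host in audit_links(SAMPLE_EMAIL):
        print(f"FLAG {host}: {url}")
```

Run against the final rendered email rather than the template, since a mail platform may rewrite links for click tracking after the copy is approved.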

These are the most common issues I've seen; I'm sure I'm missing some other behaviors for marketing. Any suggestions for what should be added here?




Posted July 16, 2013 at 7:16 PM


In regards to email, if the distribution records include the recipient's name, it is probably a good idea to program your distribution program to include a salutation with the recipient's name in the email if possible (i.e., Dear John:). This may provide some additional assurance that it is legitimate. A lot of phishermen may not have such information and/or are unlikely to take the time to personalize messages unless they are going after a specific target.

Posted July 16, 2013 at 7:19 PM


I agree. The more details you include in an email the better. Today Marriott just sent out a notification to people about hacked Marriott Rewards passwords. The email failed this very blog post, the URL to change your password? A non-Marriott URL.

Posted July 16, 2013 at 8:10 PM


And companies that make Marriott's mistake contribute to the problem by desensitizing individuals to the risks.
This may be another good rule of thumb. If it is a security incident, do not even bother including a link. Ask the user to go directly to the company's site and change their password.

Posted July 17, 2013 at 8:26 PM


Interesting timing, I wrote about this too, but the truth is these things are very, very hard to get 'right'. Compounding the situation is the fact that most of the memos get written during the heat of an incident, and that is the absolute worst time to try and put one together.