Security Awareness Blog

1st Three Key Security Awareness Topics

Earlier this week we discussed the importance of focusing your awareness training on a few, high-impact topics and then identified what we consider the top nine. Today we discuss the first three of those topics and why our Advisory Board selected them.

You Are A Target: If people do not understand they are a target, if they feel they are not at risk, they will never be engaged. Without engagement, your program will fail from the beginning. This topic ensures people understand they are a target, both at work and at home. They learn how bad guys can make money from them, use their computer to stage attacks against their employer, pursue hacktivism, or act on various other motivations. This lack of awareness is often one of the biggest issues I still see at organizations, especially non-technical ones. People simply have no idea they are a target.

Social Engineering: There are many different approaches to hacking the human (phishing, phone calls, Twitter posts, etc.). However, they all share the same foundation: social engineering. People need to understand what this is, how it works, and the indicators of such an attack (a sense of urgency, an offer that is too good to be true, a request to bypass normal procedure, etc.). Once people understand they are a target and understand the concepts of social engineering, you not only prepare them for today's attacks, you prepare them for tomorrow's attacks that have not been thought of yet.

Email and IM: Phishing continues to be one of the top, if not THE top, human-based attacks. It's simple, effective, and cheap; cyber attackers are no dummies. As such, this is one of the top human risks you want to address right away in any security awareness program. One of the most effective methods I have seen is not only teaching people about it, but actually testing them with phishing assessments: sending staff a simulated phish and measuring who clicks, so the program can track whether the training is changing behavior.
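A phishing assessment is only useful if you can tell which recipients clicked and can separate human clicks from noise. The example below is added here to illustrate the bookkeeping behind such an assessment; it is not code from the original post or from SANS. It assumes a hypothetical landing host assessment.example, a constructed recipient list, and a constructed access-log format ("timestamp ip GET path"). Each recipient gets a unique link whose token is an HMAC of the campaign ID and their address, so nobody can guess a colleague's link and the server can re-derive tokens instead of storing them; clicks from tokens that match no recipient (mail-gateway URL scanners, tampered links) are reported separately rather than counted as human clicks.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: recipients (email -> department) and a campaign secret.
# In a real assessment the key is generated per campaign (e.g. secrets.token_bytes(32))
# and kept server-side; a fixed value is used here only so the example is reproducible.
CAMPAIGN_ID = "2013-12-invoice-lure"
CAMPAIGN_KEY = b"example-campaign-secret-do-not-reuse"
RECIPIENTS = {
    "ann@example.com": "Finance",
    "bob@example.com": "Finance",
    "cy@example.com": "IT",
    "di@example.com": "Sales",
}
TRACKING_BASE = "https://assessment.example/t/"   # assumed landing host


def make_token(email: str, campaign_id: str = CAMPAIGN_ID, key: bytes = CAMPAIGN_KEY) -> str:
    """Per-recipient token = truncated HMAC-SHA256(key, "campaign:email").
    Unforgeable without the key (so a recipient cannot guess a colleague's link)
    and reproducible (the server re-derives it instead of storing every token)."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def build_links(recipients=RECIPIENTS) -> dict:
    """email -> unique tracking URL to embed in that recipient's simulated phish."""
    return {email: TRACKING_BASE + make_token(email) for email in recipients}


def parse_click_log(lines, recipients=RECIPIENTS) -> tuple:
    """Parse constructed access-log lines ('<ts> <ip> GET <path>') from the landing host.
    Returns (set of emails that clicked, list of unknown tokens). Unknown tokens are
    typically URL scanners or tampered links and must not be counted as human clicks."""
    token_to_email = {make_token(e): e for e in recipients}
    clicked, unknown = set(), []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or not parts[3].startswith("/t/"):
            continue                      # not a tracking hit (favicon, probes, ...)
        token = parts[3][len("/t/"):].split("?")[0]   # drop any query string
        email = token_to_email.get(token)
        if email is None:
            unknown.append(token)
        else:
            clicked.add(email)            # repeat clicks count once per person
    return clicked, unknown


def click_report(clicked, recipients=RECIPIENTS) -> dict:
    """Click rate (clicked / sent) per department plus an 'overall' figure."""
    per_dept = defaultdict(lambda: [0, 0])   # dept -> [clicked, sent]
    for email, dept in recipients.items():
        per_dept[dept][1] += 1
        if email in clicked:
            per_dept[dept][0] += 1
    report = {dept: c / s for dept, (c, s) in per_dept.items()}
    report["overall"] = len(clicked) / len(recipients)
    return report


# Constructed sample log: Ann and Bob clicked (Bob twice), plus one scanner hit
# carrying a token that matches nobody and one unrelated request.
SAMPLE_LOG = [
    f"2013-12-10T09:01:02Z 10.0.0.5 GET /t/{make_token('ann@example.com')}",
    f"2013-12-10T09:03:17Z 10.0.0.9 GET /t/{make_token('bob@example.com')}?src=mail",
    f"2013-12-10T09:03:40Z 10.0.0.9 GET /t/{make_token('bob@example.com')}",
    "2013-12-10T09:04:00Z 203.0.113.7 GET /t/0000000000deadbeef00",
    "2013-12-10T09:05:00Z 203.0.113.7 GET /favicon.ico",
]

if __name__ == "__main__":
    for email, url in build_links().items():
        print(f"{email:20} {url}")
    clicked, unknown = parse_click_log(SAMPLE_LOG)
    print("clicked:", sorted(clicked), "| unknown tokens:", unknown)
    print("rates:", click_report(clicked))
```

Whether you report individual clickers or only aggregate rates by department is a program-design decision; the data model above supports either, but many awareness programs deliberately report only aggregates to avoid turning the assessment into a blame exercise.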

3 Comments

Posted December 10, 2013 at 7:35 PM

HJohn

In regards to email, I forward spam and phishing attempts to the FTC at the email address spam@uce.gov. UCE stands for unsolicited commercial email.
More about reporting here:
http://www.consumer.ftc.gov/blog/scammers-target-businesses-fake-emails
http://www.consumer.ftc.gov/articles/0003-phishing
I've reported to the FTC for years, and it seems to help. An individual or business may not have much power, but when dozens or hundreds report the same phishing email problem then government power may be useful.

Posted January 5, 2014 at 5:20 AM

michael

might want to correct "TOPICS" in your post title.

Posted January 5, 2014 at 4:23 PM

lspitzner

Dooh! Great point thanks