Earlier this week we discussed the importance of focusing your awareness training on a few, high-impact topics and then identified what we consider the top nine. Today we discuss the first three of those topics and why our Advisory Board selected them.
You Are A Target: If people do not understand they are a target, if they feel they are not at risk, they will never be engaged. Without engagement, your program will fail from the beginning. This topic ensures people understand they are a target, both at work and at home. They learn how the bad guys can make money from them, use their computer to stage attacks against their employer, pursue hacktivism, or act on various other motivations. This lack of awareness is often one of the biggest issues I still see at organizations, especially non-technical ones. People simply have no idea they are a target.
Social Engineering: There are many different approaches to hacking the human (phishing, phone calls, Twitter posts, etc.). However, they all share the same foundation: social engineering. People need to understand what this is, how it works, and the indicators of such an attack (a sense of urgency, an offer that is too good to be true, etc.). Once people understand they are a target and once they understand the concepts of social engineering, you not only prepare them for today's attacks, but you prepare them for tomorrow's attacks that have not been thought of yet.
Email and IM: Phishing continues to be one of the top, if not THE top, human-based attacks. It's simple, effective and cheap; cyber attackers are no dummies. As such, this is one of the top human risks you want to address right away in any security awareness program. One of the most effective methods I have seen is not only teaching people about it, but actually testing them with phishing assessments.
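As an added illustration of the phishing assessment idea above (example code written for this page, not a tool from the original post or its authors), the following sketches the bookkeeping side of a simulated-phishing campaign: each recipient gets a unique, HMAC-derived tracking token in their lure link, clicks on unknown tokens are rejected rather than counted, and the campaign reports click and report rates at the end. The landing URL, campaign name and recipient addresses are made up for the example; the lure text deliberately uses the indicators people are taught to spot (urgency, a demand to act on a link) so the assessment tests the same lesson the training teaches.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical landing page for the simulation. In a real assessment this
# URL serves a short "this was a simulated phish, here is what to look for"
# training page instead of a credential form.
LANDING_BASE = "https://awareness.example.com/assessment"


def make_token(key: bytes, campaign_id: str, email: str) -> str:
    """Per-recipient tracking token: HMAC-SHA256 over campaign id + address.

    Using an HMAC (rather than the address itself or a sequential id) means
    a token seen in one person's mail cannot be used to guess or forge
    another person's, so only links we actually sent produce a recorded click.
    """
    msg = f"{campaign_id}:{email.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


@dataclass
class Campaign:
    campaign_id: str
    recipients: list
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    clicked: set = field(default_factory=set)
    reported: set = field(default_factory=set)

    def __post_init__(self):
        # Normalise addresses once; tokens are issued at campaign creation.
        self.recipients = [r.lower() for r in self.recipients]
        self.tokens = {
            make_token(self.key, self.campaign_id, r): r for r in self.recipients
        }

    def link_for(self, email: str) -> str:
        """Tracking link embedded in the lure sent to this recipient."""
        return f"{LANDING_BASE}?t={make_token(self.key, self.campaign_id, email)}"

    def message_for(self, email: str) -> str:
        """Constructed lure text carrying the classic social-engineering cues."""
        return (
            "Subject: ACTION REQUIRED: your mailbox will be locked in 24 hours\n\n"
            "Our records show your password has expired. Confirm your account "
            f"now to avoid losing access:\n{self.link_for(email)}\n"
        )

    def record_click(self, token: str) -> bool:
        """Count a landing-page hit only if the token is one we issued."""
        email = self.tokens.get(token)
        if email is None:
            return False  # unknown or forged token: not a recipient click
        self.clicked.add(email)
        return True

    def record_report(self, email: str) -> bool:
        """Count a recipient who reported the lure to the security team."""
        email = email.lower()
        if email not in self.recipients:
            return False
        self.reported.add(email)
        return True

    def metrics(self) -> dict:
        """Campaign summary: how many clicked versus how many reported."""
        n = len(self.recipients)
        return {
            "recipients": n,
            "clicked": len(self.clicked),
            "reported": len(self.reported),
            "click_rate": len(self.clicked) / n if n else 0.0,
            "report_rate": len(self.reported) / n if n else 0.0,
        }


if __name__ == "__main__":
    # Constructed sample run with made-up recipients.
    camp = Campaign("q1-assessment", ["alice@example.com", "bob@example.com"])
    print(camp.message_for("alice@example.com"))
    token = camp.link_for("bob@example.com").split("t=")[1]
    camp.record_click(token)
    camp.record_report("alice@example.com")
    print(camp.metrics())
```

Tracking the report rate alongside the click rate matters: the goal of an assessment is not just to see who fell for it, but to see whether people recognised the indicators and told someone, which is the behaviour the training is trying to produce.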