Earlier this week we discussed the importance of focusing your awareness training on a few, high-impact topics and then identified what we consider the top nine within the SANS Securing The Human library. Today we discuss the second set of three of those topics and why our Advisory Board selected them.
Browsing: Browsers are one of the primary ways people interface with the Internet today. If not configured and maintained properly, browsers are the hacker's gateway to any computer. This topic teaches the need for keeping not only browsers updated and current, but plugins as well. As many of us already know, it's often the plugins, not the browser itself, that are the vulnerability (Java anyone?). This is also a great opportunity to teach people about warning banners for known infected websites and how privacy options work. Finally, you may want to discuss Cloud syncing (such as Google Chrome or Apple iCloud). If people are using the Cloud to sync their browsers, they need to be aware that the websites they visit at home or from their mobile devices may now appear in their browser tabs and history cache at work. Now, for larger organizations browsers may not be as important, as everyone's browser may be maintained and secured by IT. But for smaller organizations, or for personal home use, this is important to know.
Social Networking: When you bring up the topic of social networking or social media, the first concern that usually comes to mind is people posting confidential information about their employer. While this is a problem, what we are hearing from organizations is that employees are posting far too much personal information about themselves. This makes it extremely easy for cyber attackers to create customized, targeted phishing attacks. This is not just an issue for defense or government but for many other industries, including tech. Also, I've heard organizations say "We do not allow social media websites at work, so we do not need to teach employees about social media". Unfortunately, this topic is important regardless of your organization's policies, as people can and will access social media sites from their personal devices while at work, or from home.
Mobile Devices: BYOD is the growing tsunami that most organizations will bow to sooner or later. BYOD makes good business sense, as it reduces organizational costs and gives people what they want. But it does create big security challenges. It's important that we teach people how they can protect their mobile devices, including the use of a PIN code or lock, keeping the OS updated, and downloading only the apps you need and only from trusted sources. Also, we need to teach people about any security software that may be required before they can connect to the company's network. Finally, most organizations have a policy in place that if a BYOD device is lost, and it has organizational data on it, that device can and will be remotely wiped. BYOD use will only continue to grow, so too should its awareness.