One of the challenges with awareness training is no single set of training will address all of your organization's needs.  While almost all employees share some common human risks (email, social media, passwords, etc) there are specific roles that require additional or specialized training.  One example is IT Staff, because of their privileged access they are require additional training, such as secure use of admin accounts, controls for making changes to systems, or how *not* to share sensitive information on public forums. The more I work at this, the more I feel marketing needs to be added to that list of specialized roles.  Think about it, these people are your public facing communicators, the last thing you need is for them to be sending marketing emails or posts that screams 'phish' to millions of your customers.  Here are some common lessons for marketing that I think would be great.

  • EMAIL: Any URL's within a marketing email should be under the control of your organization.  Nothing is more frustrating then getting an email from a legitimate organization, but all the link's in the email point to different domains you never heard of. In addition, be careful of campaign promotions.  Sending out a marketing email to your customers advertising you have a Starbucks gift card attached and they need to open it right away is not a behavior you probably want.
  • TWITTER/FB:  Do not post vague or generic posts, such as "New pics, click here!". Also, make sure that the Twitter/FB account is well protected with two factor authentication, making it more difficult for bad guys to hijack the accounts.

These are the most common issues I've seen, I'm sure I'm missing some other behaviors for marketing.  Any suggestions for what should be added here?