This post is the second in a series of what I consider the top ten topics for any security awareness program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. I feel the topic of Social Engineering is one of the most important in your awareness arsenal and should be the second module you teach (after You Are The Target). The idea is that most attacks against humans today are based on some form of social engineering. By explaining what social engineering is and how it works, you lay the foundation for how employees can protect themselves. In addition, by understanding social engineering, you prepare end users for future attacks we are not even aware of yet, providing long term value. That is why I always like to teach social engineering first with a non-technical example. Specifically how attackers can trick you out of your credit card number when you are staying at a hotel. This example is something most non-technical users can identify with. Once they understand these concepts, it becomes much easier to teach the same lessons but for the cyber world. To see an example of how this can be communicated, check out this awareness video on Social Engineering.
Previous Topics
#1 You Are The Target
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.