Social insecurity - security awareness gets personal
The awareness topic for November is ‘social insecurity’, meaning information security and privacy risks, controls and incidents involving and affecting people:
- Social engineering scams and frauds, especially phishing and spear-phishing by email and phone;
- Harvesting of information and exploitation of people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
- The use of pretexts, spoofs, masquerading and coercion - social engineering tradecraft;
- Serious corporate risks involving blended/multimode attacks and insider threats e.g. the exploitation of colleagues through social engineering attacks by power-hungry assertive workers with personal agendas (aka “company politics”).
While technical measures (such as anti-spam utilities and email software that disables links and attachments in suspicious messages) help to some extent, security awareness and training are, of course, the primary means of control in practice, especially when it comes to more advanced attacks representing the greatest risks. Nothing beats having an alert, well-motivated workforce with the wherewithal to notice and react appropriately to suspicious goings-on.
Motivation is the key to making awareness programs effective. Going beyond merely making people aware of things, our aim is to make them think and most of all behave more securely, for instance spotting the warning signs of possible phishing attacks, and reacting appropriately instead of blithely clicking and jabbering away.
Rather than trotting out the same old same old, we deliver fresh perspectives every month, helping employees stay ahead of today’s security challenges. Having covered social engineering, social media and social networks a few times before, the awareness content was thoroughly revised and updated to pick up on current incidents and controls in this area, with an eye towards adverse trends and emerging threats.