Information Security Awareness – Educate, inform, secure

Photo courtesy of http://www.flickr.com/photos/septuagesima/

Educate your employees about information security or all the security tokens in the world won’t save you.

A company may have a decent-sized security budget and spend it effectively on firewalls and other protection devices, but if you fail to educate your end-users all that investment can be for nothing. Hackers, spammers and other evildoers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats, but it is important to implement a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.

Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so the user will come to expect it and perhaps even look forward to it if you follow the other recommended steps below. Always send it from the same account to minimize the likelihood of confusion, which could otherwise assist targeted spam attempts.

Keep It Simple – Do not use overly technical language that will confuse or turn off users. Speak in the communications like you would talk in a conversation and

Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than stuff that would put an insomniac to sleep.

Provide Examples – Many people learn best from examples, and there are plenty of those readily available. Find a recent incident that demonstrates the point you are trying to make and it will make it more real and less theoretical. People listen more when they know others have fallen for a trick and are more likely to absorb the information.

Be relevant – Providing examples that they can use at both work and home is a great way to keep people interested. Examples include safe internet surfing, avoiding spam emails, and the importance of having up-to-date anti-virus signature files.

Consider Posters – Emails are great, but they are often easily ignored. Utilizing posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.

Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.

In the very near future we will be offering a weekly information security email newsletter so stay tuned and stay secure!

Online Banking phishing scam – Information Security Awareness

I received this online banking phishing scam in my email account today, so it provides a good example of what you need to be on the lookout for. This one was not ideally targeted for me since I do not bank at HSBC, but no matter: these types of scams impersonate all types of banks and online financial service accounts. If this had been from your bank, what would you have done? If you clicked on it you would likely have been asked to provide your login and password information, or your machine would have been infected with malware, and in either scenario your account would be at extreme risk.

Here are some tips on dealing with phishing emails from banks or other financial companies requesting you to click on them:

1. Legitimate companies will not email you requesting that you take immediate action or threatening immediate suspension of your account. That is a threat real businesses will not make, so you should take it as a warning sign that this is a scam.

2. If you point your cursor over the intended link (but don’t click on it) you’ll notice it often does not go to the actual company it is pretending to be. I say often because there are techniques that will make it appear as such, so do not use this as a foolproof measure.

3. If you do need to check on your account status, never do it via an email link; instead do it from a saved link to the site that you know to be legitimate. In the example above that means having your own link to your HSBC account and not clicking on the link bait provided.

4. Always be skeptical of unsolicited emails, treat them as untrusted, and follow step 3 above for accessing sensitive accounts.
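As an added example (not part of the original post), here is a small Python checker that applies tips 1 and 2 to an HTML email body: it flags urgency wording and any link whose real destination host, the one hovering over the link reveals, is not the bank's own domain. The phrase list, the sample message and the 198.51.100.7 address are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tip 1: wording a legitimate bank will not use (constructed list, extend as needed)
URGENCY_PHRASES = ("immediate action", "immediately", "suspended", "suspension")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(html_body, claimed_domain):
    """Warnings for the two signs in tips 1 and 2: urgency language and links
    whose real destination (what hovering reveals) is not the claimed bank."""
    warnings, lower = [], html_body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            warnings.append(f"urgency language: {phrase!r}")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = _host(href)
        # Tip 2: compare the href host against the domain the email claims to be from
        if host and host != claimed_domain and not host.endswith("." + claimed_domain):
            warnings.append(f"link {text!r} really goes to {host!r}, not {claimed_domain!r}")
    return warnings

# Constructed sample imitating the message described in the post (not the real email)
SAMPLE_EMAIL = (
    "<p>Your account will be suspended unless you take immediate action.</p>"
    '<a href="http://198.51.100.7/login">https://www.hsbc.com/secure</a>'
)
```

Running `phishing_indicators(SAMPLE_EMAIL, "hsbc.com")` returns three warnings: two for the urgency phrases and one because the link's visible text names hsbc.com while its href points at a bare IP address.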

Don’t fall for the bait: avoid phishing scams and keep your online accounts secure!