This awareness and training module concerns information risks, information security controls and incidents involving and affecting people:
- Social engineering attacks, scams and frauds, such as phishing, spear-phishing and whaling;
- Exploitation of information and people via social media, social networks and relationships, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
- The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineer’s tradecraft;
- Significant information risks involving blended or multimode attacks and insider threats.
Along with the conventional awareness stuff on phishing (of course) plus other scams, cons and frauds, this module explores how criminal black hats and other adversaries exploit both their own and our social networks.
- Explain what we mean by ‘protecting people’;
- Update workers on current information risks involving social engineering, social networking, social media, social apps, scams and frauds, in terms they understand and contexts that make sense, offering pragmatic advice;
- Particularly for management, emphasize the most serious of today’s risks such as spear phishing and whaling against prime targets, blended/multimode attacks and social engineering by malicious insiders;
- Using news reports concerning recent incidents, demonstrate that the dangers are genuine, the human and commercial impacts substantial – we’re not crying wolf here;
- Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
- Motivate workers to act more securely, for example spotting, rebuffing and reporting possible attacks.
Please think about the learning objectives for your organization. Which are the most relevant people-related concerns for the business? Have there been any recent/significant incidents or near-misses that make this topic especially pertinent? Are there particular awareness messages or themes you want to draw out?
People security awareness
This awareness and training module concerns humans being both information risks and information security controls - dual use you could say.