The sheer variety of social engineering scams is one of the key messages in this awareness and training module.
This SecAware module concerns:
- Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
- The use of pretexts, spoofs, masquerading, psychological manipulation and coercion (the social engineers’ tradecraft);
- Significant information risks involving blended or multimode attacks and insider threats.
The materials are designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives. A given individual may not value everything in the module, but hopefully there will be something that catches their attention – and that something may not even be the awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic. The posters, for instance, are deliberately thought-provoking, puzzling even. Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually. We hope people will notice the posters, wonder what they are on about, and maybe chat about them … which is where the learning begins.
- Introduce/outline social engineering – a backgrounder on the wide variety of forms it takes, techniques used etc.;
- Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
- Motivate workers to be secure, for example spotting, rebuffing and reporting possible attacks.
Before pressing ahead, please think about your objectives. Which aspects or angles are the most relevant concerns for the business? Have there been any recent or significant incidents or near-misses that make it especially pertinent? Are there particular awareness messages or themes you want to draw out, or audience groups you need to concentrate on? The SecAware materials can get you off to a flying start, but we enable and encourage you to customize and elaborate on the supplied content. Knock yourselves out. Make it 'yours'.
Social engineering awareness
The only practical way to tackle this growing threat is through effective security awareness and training: ensuring workers are well aware of the issues, and motivating and guiding them to think critically so that they spot and resist attacks. A few posters and an annual lecture won't get you anywhere.