Dark Reading is part of the Informa Tech Division of Informa PLC

Threat Intelligence

4/17/2019
09:00 AM
Jai Vijayan

7 Tips for an Effective Employee Security Awareness Program

Breaches and compliance requirements have heightened the need for continuous and effective employee training, security experts say.
3 of 8

Focus on the Phishing

Employees who click on phishing emails are one of the most common reasons for data breaches these days. Teaching employees how to recognize and avoid such emails is fundamental to security, experts say. "While social engineering, in general, must be addressed, phishing should be the primary example and focus," says Anurag Kahol, CTO and co-founder of Bitglass.

Phishing attacks use impersonation and other deceitful tactics to trick users into surrendering their credentials or access to their accounts in other ways. So it's vital to emphasize the need for strong passwords and highlight the dangers of password reuse, especially across personal and corporate accounts, he says.

Even security-conscious organizations continue to be targeted by phishing attacks. "Consequently, employees must be shown how to identify the signs of phishing, such as strange email domains, typos, unusual communications, and more," Kahol notes.

Also important is the need to inform employees about how and why they could become targets based on their individual roles in the organization, says Vinay Pitahaya, director of security research at Menlo Security.

When training employees, provide examples of a phishing attack or a simulated attack that is representative of their day jobs to make them aware of the impact of their actions and how easy it is to be the first victim, he adds.
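As an added example that is not part of the article or the experts' own material, the checker below turns the signs Kahol lists into code a trainer can run over sample messages: a sender domain within a couple of edits of a trusted one, a display name that borrows a trusted brand, a Reply-To routed to a third domain, and pressure wording. The trusted-domain list, the phrase list and the sample message are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed: domains the organization treats as legitimate senders (assumption).
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}
URGENCY_PHRASES = ("urgent", "verify your password", "account will be suspended")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_signs(raw_message: str) -> list:
    """Return the warning signs found in a raw RFC 5322 text message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    signs = []
    if from_domain not in TRUSTED_DOMAINS:  # strange email domain?
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(from_domain, trusted) <= 2:
                signs.append(f"lookalike sender domain {from_domain!r} resembles {trusted!r}")
        # Display name borrows a trusted brand that the address does not back up.
        brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
        if any(b in display_name.lower() for b in brands):
            signs.append(f"display name {display_name!r} does not match domain {from_domain!r}")
    # Replies silently routed to another domain are an unusual communication pattern.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        signs.append(f"Reply-To domain {reply_domain!r} differs from sender domain")
    # Pressure or credential-request wording in subject or plain-text body.
    text = (msg.get("Subject", "") + " " + msg.get_body(("plain",)).get_content()).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        signs.append("pressure or credential-request wording: " + ", ".join(hits))
    return signs


# Constructed sample message for the checker (not real mail).
PHISHING_SAMPLE = """\
From: Example Payroll <hr@examp1e.com>
Reply-To: collect@mailbox-relay.invalid
Subject: URGENT: verify your password today

Your account will be suspended unless you verify your password now.
"""
```

Running `phishing_signs(PHISHING_SAMPLE)` yields four findings, one per sign class, which is the kind of annotated example the text suggests showing staff.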

Image Source: Shutterstock

REISEN1955, User Rank: Ninja, 4/17/2019 | 10:36:38 AM
On training
It is amazing how many security breach issues are directly related to phishing. Employees should know better by now but they still click on that invoice for something they never bought or an email from the chairman asking 5 min of their time. Misspellings too. All these are dead give-away signs that they ignore. My rule: if you don't need it, don't read it, delete it. Works fine. Showing staff how complex and persistent threats are is great - stun and awe them. And make learning fun - get pizza for a training session and jokes too. You have to make it a smile event so they remember it. And they HAVE TO REMEMBER it. Office and home use too. Humor - I toss in puzzle problems too. Here are two great ones.

 5 US Presidents had last names that began with the letter H.  Name them.

 3 words ONLY begin with DW in the English language.  They are?

Users can be just curious. I had one actuary (read that man with zero life) get the infamous Anna Kournikova picture virus. I confirmed that and then moron starts to move his mouse TO THE PICTURE. If you click that I will terminate IT support for you for ever going forward!!! And he said "then I shouldn't click it?" EGAD they just want to see what it DOES!!!! Curiosity killed the cat and data set.