It works... it really works!
User awareness training is one of those topics people have very strong feelings on. One school of thought is that users are their own worst enemy and will never be anything more than a liability. The other school of thought is that with proper awareness training the users can offer an additional layer of defense. While I have come across users that just don’t get it, as a whole I believe proper training can become a great addition to the security toolbox.
As an example, we recently did some training for users about electronic messaging security and what to look out for. We went over what phishing is, how to spot it, and what to do if you think an email is suspect. I won’t bore you with all the details, but we kept it short and sweet to get the point across without causing the users to glaze over. Unfortunately, user training is not one of those things that you finish and immediately see an ROI; you just hope it works.
Today, as I was leaving the office, one of the users grabbed me. They explained that they got an email that looked suspicious and then went into further detail about why it looked suspicious. It was amazing. He was able to pick out four different reasons why the message was a phony.
1. It didn’t reference who it was from.
2. It had a web link directly to an .exe file.
3. It was not grammatically correct.
4. The link did not coincide with the company who supposedly sent the email.
He then told me that prior to our training he wouldn’t have thought anything of it and would have followed the link. This particular message was sent only to him, but had it gone to everyone, or a group of users, I could have quickly scanned all mailboxes for the signature and wiped it. That is where the power is... it only takes one user paying attention to make a difference.
It was great to hear that he got it, and it makes me want to get the next training in motion.
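The two machine-checkable indicators from the list above (a link straight to an .exe file, and a link host that does not match the claimed sender) can be written as a triage check to run over reported messages. This is an added example, not part of the original post; the sample message, the function names and the naive two-label domain comparison are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, not the email described in the post.
SAMPLE = """\
From: "Example Bank" <support@examplebank.test>
To: user@corp.test
Subject: Account notice
Content-Type: text/plain

Please to download you statement here:
http://files.unrelated-host.test/statement.exe
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def base_domain(host):
    # Assumption: compare the last two labels only (no public-suffix list).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def body_text(msg):
    # Collect every text/* part, decoding transfer encodings and charsets.
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw_message):
    """Return (indicator, detail) tuples for indicators 2 and 4 of the list."""
    msg = message_from_string(raw_message)
    addr = parseaddr(msg.get("From", ""))[1]
    sender = base_domain(addr.rpartition("@")[2]) if "@" in addr else ""
    findings = []
    for url in URL_RE.findall(body_text(msg)):
        url = url.rstrip(".,;)")
        parsed = urlparse(url)
        if parsed.path.lower().endswith(".exe"):
            findings.append(("exe-link", url))          # indicator 2
        link = base_domain(parsed.hostname or "")
        if sender and link != sender:
            # Heuristic only: legitimate mail often links to third-party hosts.
            findings.append(("domain-mismatch", link))  # indicator 4
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

Indicators 1 and 3 (no reference to who the message is from, poor grammar) still need a person reading the message, which is the part the training covers.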