In a recent Alert I quoted three experts from [Cisco Systems] as saying that end-user education about Internet-based scams is a vital part of corporate security defenses. The question is how to educate users to recognize and avoid these increasingly sophisticated Internet exploits. This is not easy for four reasons:
- First, business leaders' eyes glaze over when computer security is mentioned.
- Second, the audience reaction to the message is invariably, 'I'm too smart to be taken in by some stupid Internet scam.'
- Third, just informing people is not enough. The message has to be driven home through repetition so that users will stop and think rather than falling into the trap even when every instinct is screaming for them to act now, because that inner scream is exactly what the con artists behind those messages are doing their best to create, and their best is very good.
- And finally, you need to update the information you are giving them as new exploits appear and older ones are refreshed.
The first challenge, therefore, is to capture and hold your audience's attention. This requires delivering and reinforcing a strong, business-oriented message: data security is about protecting business and personal assets, and especially corporate and personal financial assets, from gangs of criminals operating beyond the law in foreign countries who are constantly looking for ways to rob you and your business. This message must be delivered in language the audience understands and must be reinforced with repetition in different media, similar to an advertising campaign for a new product. And just as with a sales or advertising campaign, the message must focus on answering the key question, “What's in it for me?”.
The answer to that question is simple: Falling for an Internet scam often results in having your personal savings and checking accounts emptied out. It also can mean that the business you work for can see its accounts emptied, which can have a negative impact on your career and job security. Variations on this basic message need to be delivered forcefully, with real-life examples cyber-thefts from people and organizations, to every employee of your company.
However, these messages must be tailored to the audience, and all organizations of any size include several such audiences. Therefore, a good security publicity campaign starts with audience segmentation. At the top is senior management, their direct reports, and divisional or subsidiary management. They are focused on business and financial strategy. Therefore, the message to deliver to this audience is that cyber-crime is a major threat to the business, that cyber-criminals are quit capable of cleaning out the corporate accounts, destroying its good will and reputation with customers and business partners by appropriating their online identities, and of robbing the CEO, CFO, and other senior officers and managers individually.
The second segment are business knowledge workers. They will respond most strongly to a more personal message: Cyber-criminals are constantly developing increasingly sophisticated methods to steal their online identities to gain access to their personal bank accounts. A second important message is that if the company is robbed by one of these gangs, it will have to cut costs which means layoffs or, in the worst case, it will be forced to shut down entirely, and people will lose their jobs.
The third segment is the IT staff. This requires a variation on the knowledge worker message because technical personnel often think they know enough to protect themselves already. But these scams focus on human nature rather than on sophisticated technical attacks. Even security experts are sometimes fooled, so no one is immune.
Once the audience is paying attention it is the time to deliver the second message – that a successful defense against this threat requires constant awareness of common cyber-scam tactics such as the false IRS e-mail uses very successfully in 2009 and similar strategies. By the way, no government agency contacts citizens about tax liabilities or other important issues vie e-mail or telephone. Governments use printed, signed, legal documents. So unless it comes in the mail, it is a scam. And it also requires good security software, which often can intercept attacks. Too often office workers regard security precautions as nuisances that just get in the way as they try to do their jobs. They need to understand that these precautions, including security software on their laptops and other procedures, are designed to protect them and their savings from very real threats.
These initial meetings then need to be followed up with the publication of specific recommended practices for specific scenarios. This should be the subject of follow-on presentations and should be published on the internal company Web site, where it can be used as a reference document by employees at any time.
This is not enough, however. Memories will fade, people's attention will shift to other concerns, and a month after the initial campaign everything will be back to “normal”. Success requires an ongoing program build around a catchy slogan that can be printed on posters and on coffee cups and given out to everybody. And it requires an ongoing information effort to update everyone on the changing nature of the threat, for instance as new exploits appear and as the focus of malware creators shifts from e-mail to social media and from Microsoft software to Adobe, both of which are generally expected trends for 2010. This information campaign needs to make heavy use of intranet-based media including printed documents, podcasts and videocasts, all of which can be made available through the internal Web site. And senior management needs to require that all employees review these. Follow up discussions should be made part of regular internal meetings to keep employees at all levels aware.
Action Item: A strong security posture is absolutely required in the business environment of 2010 and beyond. Security must be an integral part of company strategy and standard operating procedure at all levels and in all parts of the company, from IT to external sales, and not just be an afterthought. This requires an organized educational campaign that carries on throughout the year and involves people at all levels of the organization. Anything less leaves the organization vulnerable to cyber-crime that at its worst can do serious damage to the company and to individuals, including corporate officers.