Last month I was traveling to deliver some presentations about Migration to the Cloud and On-Premise Security. While traveling and talking to IT PROs I realized that the majority of the companies that I was exposed to during those conversations are not investing to make sure that their employees are well trained when the subject is security. In the past security awareness training was something that only large enterprises used to implement as part of the mandatory annual training calendar for all employees. This can’t be the case today, as a matter of fact small and medium business must develop a plan to spread the word about security for their employees.
As companies are moving to the cloud, Internet become even more crucial to their business, which means that users will be even more exposed to online resources. More businesses are using social networks to get closer to their customers and employees are using social networks for both purposes: personal and professional. There are many risks involved with social networks, but the growing one is called “Social Engineering”. This trend is exposed in the Microsoft’s Security Intelligence Report - Volume 10. The slide below summarizes that:
For more information about the the slide above watch the video below with a brief discussion about MS SIR Volume 10:
After watching this video you will also see that social engineering attack will take place in the online world via social networks, phishing e-mails and other venues. These type of social engineering attacks are getting high exposure in the news, recently I read an article that says:
“Defendants targeted university's databases of faculty, staff, alumni, and student information, and financial accounts with a social engineering scheme that used poisoned USBs, phishing emails”
I recommend you reading this article to really see the social engineering approach in this case and start thinking about this subject. What if this was with one of your employees? Are your employees trained to understand the security risks while dealing with similar situation? I guess that at this point in time we can easily answer the question that entitle this post.
What should I do?
A great way to start your security awareness program is by leveraging what is already available for you (for FREE). Microsoft has a security awareness program toolkit and guide that can assist you to kick off your security awareness initiative. You can download the content from the link below:
When you extract this content you will see the following structure:
The “how to guide” has the guidance that you need in order to use this material. This package includes training materials for risk management, security controls and incident response. It also includes templates for:
- E-Mail Invite
- Fact Sheet
- Slide deck (PPT)
- Quick Reference Card
In addition to that you can also download the Internet Safety for Enterprise & Organizations toolkit to help your employees learn the skills they need to work more safely on the Internet and better defend company, customer, and their own personal information.
In summary I want to conclude this post saying: while it is important to invest in technology to protect your assets it is also important to invest in education for your employees, a well trained employee can save you a lot time and money. Keep that in mind !