Welcome to the SecAware blog


1 Dec 2017

NBlog December 1 - social engineering module released

We close off the year with a fresh look at social engineering, always a topical issue during the holiday/new-year party season when we let our hair down.  Generally speaking, we are less guarded and more vulnerable than usual to some forms of social engineering.  The sheer variety of social engineering is one of the key messages in this month’s awareness materials. 
This module concerns:
  • Social engineering attacks including phishing and spear-phishing, and myriad scams, con-tricks and frauds;
  • The use of pretexts, spoofs, masquerading, psychological manipulation and coercion, the social engineers’ tradecraft;
  • Significant information risks involving blended or multimode attacks and insider threats.
The NoticeBored module is designed to appeal to virtually everyone in the organization, regardless of their individual preferences and perspectives.  A given individual may not value everything in the module, but hopefully there will be something that catches their attention – and that something may not even be the NoticeBored awareness materials as such, but perhaps a casual comment or oblique criticism from a peer or manager relating to the topic, which in turn was prompted by the NoticeBored content. 
The NoticeBored posters, for instance, are deliberately thought-provoking, puzzling even.  Rather than spoon-feeding people with lots of written information, we choose striking images to express various challenging and often complex concepts visually.  We hope people will notice the posters, wonder what they are on about, and maybe chat about them … which is where the learning happens.
Explore the thinking that went into these awareness materials, and by all means tag along with us as we develop next month’s module, on the NoticeBored blog.

Learning objectives

December’s awareness materials are intended to:
  • Introduce/outline social engineering – a backgrounder on the wide variety of forms it takes, techniques used etc.;
  • Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
  • Motivate workers to act more securely, for example spotting, rebuffing and reporting possible attacks.
There are briefings, presentations, quizzes and competitions, checklists, posters and more in the new module - a wealth of creative materials all ready to use, straight out of the box (although we encourage you to customize them if you have the time).
We’ve introduced a new A-to-Z-style awareness format this month with three briefings that work nicely together as a suite:
  1. A-to-Z of social engineering scams, con-tricks and frauds (FREE PDF) - what they do;
  2. A-to-Z of social engineering methods and techniques - how they do it;
  3. A-to-Z of social engineering controls and countermeasures - how to spot and stop them in their tracks.

Get this module

Subscribe to the NoticeBored service for December’s awareness module, plus InfoSec 101, a set of information risk and security policy templates, and further awareness modules on a huge range of information risk and security topics, something different every month. Email me to set the ball rolling.

Nurturing the corporate security culture through awareness

Subscribe to NoticeBored for fresh perspectives on information risk and security within the corporate context.  NoticeBored picks up on the strategic, governance, compliance and business aspects, particularly in the management stream of course but the principles underpin the general staff and professional streams too.  Information is a valuable and yet vulnerable asset that needs to be protected and legitimately exploited for sound business reasons - not just for compliance purposes or because we say so!  Properly done, information risk management is a business enabler, with security awareness a vital part of the approach - particularly, of course, in topics such as social engineering and fraud.
