Our security awareness topic for February will be malware, malicious software - viruses, Trojans, worms, crytpminers, APTs, ransomware, spyware and Tupperware.
Well OK, maybe not all of them: viruses are vanishingly rare these days.
An increasingly important part of the malware problem is the wetware: we humans evidently find it hard to sense and react appropriately to the dangers presented by infected messages, web pages and apps. Addressing that is a key objective of the awareness module, and quite a challenge it is given that the bad guys are forever coming up with new ways to conceal their intentions or trick us into doing something inappropriate.
Digging a little deeper, I feel we also need to explain why we can't rely on antivirus software etc. to save the day because the baddies are also finding novel ways to evade the technological controls, despite the best efforts of the good guys in IT.
One screamingly-obvious lesson from the rash of ransomware incidents is that we need to anticipate malware infections when the preventive controls fail, which means strengthening the security protecting our business-critical systems and being ready to recover IT services and data efficiently following incidents. Another less-obvious lesson from incidents such as cryptominers, spyware, Vendor Email Compromises and Advanced Persistent Threats is that detecting infections in progress is harder than it appears ... and, again, it makes sense not to over-depend on detection.
Taking that to its logical conclusion, what could/should we do if we presume the organization is currently infected by some sneaky malware? I'm talking about the malware element of counter-espionage, for example deliberately seeding false information, or creating situations designed to reveal 'moles in the camp'.
There we are then: malware issues to discuss with general employees, tech/specialists and management, respectively. Now all I need to do is prepare the content for those three streams and Bob's yer uncle!