Training is a key component in the defense against cyber attacks. Training is effective because so many of today’s exploits target people. A quick review of many of the attacks that have occurred over the last few years shows one common link: the use of social engineering.
- Apple attacked by Java exploit that exploited the behavior of specific employees
- RSA targeted via e-mail with malicious attachments
- Ghostnet attacked users with spoofed e-mails that had malicious PDFs attached
- Google targeted with e-mails attempting to lure users to malicious URLs
The common element in each of these attacks is that people are targeted. That’s why it’s so important that businesses teach employees the basics of Internet security. This type of training should include:
- The danger of opening suspicious e-mails
- Not visiting questionable websites
- Being careful not to provide too much information on social network sites
- Recognizing when social engineering is occurring
- The importance of never giving out sensitive information without permission
This type of training should be periodic, repeated at regular intervals rather than delivered once. While some companies use training to combat social engineering, it must be followed up with periodic testing, which measures whether the training is working and further reduces the effectiveness of social engineering. While you may not be able to prevent all social engineering attacks, you can greatly reduce the threat with periodic training and testing. It’s a cost-effective component to add to any security program.