If you can make just one New Year's resolution - Make it Cyber Awareness This Year
The Harsh Facts
While attending an ISACA event this December, one of the items discussed was that about 90% of data breaches hitting the US government started with an employee interacting with a fraudulent email. This is a staggering 2016 statistic, and there is nothing to suggest 2017 will be much better.
It may have been a link that hijacked their browser, or an attached malicious app they ran, etc. The bottom line is that an employee opened the door to an outside attacker, and once the attacker was in, it was all but GAME OVER.
9 out of every 10 successful attacks started with an unaware employee. This means that the vast majority of data breaches could have been prevented if employees were better informed, more aware and better trained to fend off this kind of attack. As 2017 winds down and we all look at what new cyber attacks 2018 might have in store for us, one thing is certain: raising your employees' awareness of cyber crime will dramatically increase your ability to block cyber criminals' #1 attack vector.
Despite the common belief (shared by most IT and information security personnel), users will cooperate and help, given sufficient knowledge and tools for action. Tell employees about the dangers of email-based attacks. Show them how easy it is to penetrate and take control of a device, or an entire network, once the door has been opened by the wrong click on the wrong email.
Show employees how to compare the link target shown at the bottom of their screen (the status bar of the browser or mail client) with the link text displayed in the message. Show them how to view sender details so they can challenge the sender's declared identity. Explain why a yahoo.com domain is not a valid email domain for a bank representative to use. Emphasize that these rules also apply to their private use of the internet; this usually drives the point home.
This is by far the most important step you can take towards harnessing the organization's workforce to defend its information assets. Make sure all employees (including yourself) remember that, in spite of all the technological tools available, their decision to click (or not) on that link or attached file may be the last line of defense the organization has.
This is a case of "anything goes": awareness campaigns, contests, prizes, lectures, etc. Really, anything you can think of that will raise awareness is a step in the right direction.
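The two checks described above (does the link's visible address match where it really points, and does the sender's domain fit who they claim to be) can also be automated, for instance to score a training exercise or to flag messages at the mail gateway. The script below is an added example and not the author's tooling; the free-mail list, the example domains and the sample message are constructed for illustration, and the anchor scan is a simplified one for single-part HTML bodies.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Free-mail domains a bank representative would not send from (illustrative, not exhaustive).
FREE_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
# Simplified anchor scan for this example: captures the href and the visible text of each <a>.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(value):
    """Lower-cased host of a URL or bare domain; a scheme is added if the text has none."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def link_mismatches(html):
    """(displayed text, real target) pairs where the visible link names one host but the href points to another."""
    found = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # drop inner tags, keep what the reader sees
        if "." in text and " " not in text and host_of(text) != host_of(href):
            found.append((text, href))
    return found

def sender_on_free_mail(from_header):
    """True when the From address uses a free-mail domain, e.g. a 'bank' writing from yahoo.com."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower() in FREE_MAIL_DOMAINS

def check_message(raw):
    """Run both checks over a raw single-part message and report what an employee should notice."""
    msg = message_from_string(raw)
    return {"free_mail_sender": sender_on_free_mail(msg.get("From", "")),
            "link_mismatches": link_mismatches(msg.get_payload())}

# Constructed sample message for this example; every domain is a reserved example name.
SAMPLE = """From: "Example Bank Support" <support@yahoo.com>
Subject: Please verify your account
Content-Type: text/html

<p>Sign in at <a href="http://verify.example.net/login">https://www.example-bank.com/login</a> today.</p>
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))  # both checks fire on the constructed sample
```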
2. Practice & Test
Once word is out that clicking unknown links is a no-no, challenge your employees. Initiate benign, simulated attacks on your employees and track the response. Reward those who pass the test and educate those who don't. Track your progress.
There are plenty of good, inexpensive automated and customizable tools out there. Use them.
Inform management and show your progress over time. By gaining management support you not only gain recognition for the program (and yourself) but further increase awareness through the managerial ranks, who are as prone to clicking malicious links and attachments as any other employee (if not more).
3. Be Patient and Persistent
As with any other effort in a cyber security strategy, awareness is a process, not an event. Listen to employees' concerns and difficulties. Reward success and encourage progress. Share success stories and publish anonymous 'lessons learned'.