In an earlier article, I wrote about security in an age of constant connection. I wrote about how cybercriminals don’t necessarily target you because of your business name; they target anyone who has a vulnerability. Today, I’m going to write about a different type of vulnerability – you (or your employees).
The Evolution of the “Nigerian Prince”
Think back to your first personal email account. In the early years of the internet, people were far more trusting. Optimism was high: you could communicate with anyone around the world, become friends or pen pals with someone who lived several states away, and join legions of people with shared interests in online chatrooms. As the internet became ubiquitous, opportunistic criminals realized that this faceless communication method was ripe for exploitation.
Around this time, the world was introduced to “The Nigerian Prince,” the son of the unfairly deposed king of Nigeria. You see, “The Nigerian Prince” needed to transfer his family fortune out of the country or it would be unjustly seized by the illegitimate government. If the prospect of helping someone in need wasn’t enough, in exchange for your assistance you would be richly rewarded. What did you need to do? Simply wire the good prince $10,000 (or some other sum) up front to cover the fees for transferring the funds. The fortune never arrives, of course; the advance fee is the whole point of the scam. Unfortunately, many people have fallen for this.
While “The Nigerian Prince” lives on as a meme, few would fall for the numerous misspellings and broken English today. However, as internet users have gotten more sophisticated, so have the scammers. Today’s scam emails are much harder to distinguish from the legitimate mail that fills your inbox. Most rely on sender spoofing: the visible From: address and display name are forged so the message appears to come from a company you deal with, such as FedEx or eFax, or the mail is sent from a look-alike domain that differs from the real one by a character or two. Nothing in the email protocol itself stops a sender from writing whatever it likes in the From: header; only the receiving mail server’s SPF, DKIM and DMARC checks (and whether it acts on them) stand in the way. Smarter scammers have also fixed the spelling and grammar and matched the graphics, fonts, and tone of companies we commonly work with, such as Apple or Bank of America. How can non-technical employees hope to avoid becoming victims? Security Awareness Training.
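To make the sender-spoofing point concrete, here is an added example (not code from the original article) that checks a raw email for the three clues an awareness course teaches: a From: domain that does not match the envelope sender, a failing DMARC/SPF verdict, and links that carry a brand name but point at a look-alike host. The two messages are constructed samples; the Authentication-Results header is assumed to have been stamped by a hypothetical receiving mail server (mx.example.org) that already ran SPF, DKIM and DMARC, and the trusted-brand table is illustrative.

```python
"""Check a raw email for sender spoofing and look-alike links (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims fedex.com, but the envelope sender and the
# receiving server's SPF/DMARC verdicts say otherwise, and the link goes to a look-alike host.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-tracker.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-tracker.example; dkim=none; dmarc=fail header.from=fedex.com
From: "FedEx Shipment" <tracking@fedex.com>
To: employee@example.org
Subject: Your package could not be delivered
Content-Type: text/plain

Click here to reschedule delivery: http://fedex-delivery-update.example/track
"""

# Constructed sample: everything lines up, so no indicators should fire.
LEGIT_MESSAGE = """\
Return-Path: <bounce@efax.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=efax.com; dkim=pass header.d=efax.com; dmarc=pass header.from=efax.com
From: eFax <noreply@efax.com>
To: employee@example.org
Subject: You have a new fax
Content-Type: text/plain

A new fax is waiting in your inbox.
"""

# Assumed table: brands the organization deals with and the domain each really sends from.
TRUSTED_BRANDS = {"fedex": "fedex.com", "efax": "efax.com"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sender_domain(header_value):
    """Lower-cased domain of the first address in a header such as From: or Return-Path:."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_verdicts(header_value):
    """Pull the spf/dkim/dmarc results out of an Authentication-Results header."""
    verdicts = {}
    # The first clause is the authserv-id (the server that did the checking); skip it.
    for clause in str(header_value or "").split(";")[1:]:
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.startswith(method + "="):
                verdicts[method] = clause.split("=", 1)[1].split()[0].lower()
    return verdicts


def is_trusted_host(host, real_domain):
    """True only for the real domain or a subdomain of it, not for 'fedex.com.evil.example'."""
    host = host.lower()
    return host == real_domain or host.endswith("." + real_domain)


def spoof_indicators(raw_message):
    """Return human-readable reasons this message looks spoofed; empty list if clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = sender_domain(msg["From"])
    envelope_domain = sender_domain(msg["Return-Path"])
    verdicts = auth_verdicts(msg["Authentication-Results"])
    reasons = []

    # 1. The visible From: domain should match where the mail actually came from.
    if envelope_domain and envelope_domain != from_domain:
        reasons.append(f"From: says {from_domain} but envelope sender is {envelope_domain}")
    # 2. Trust the receiving server's DMARC/SPF verdicts, not the letterhead.
    if verdicts.get("dmarc") not in (None, "pass"):
        reasons.append(f"DMARC {verdicts['dmarc']} for {from_domain}")
    if verdicts.get("spf") == "fail":
        reasons.append("SPF failed for the envelope sender")
    # 3. Links that contain a brand name but do not go to the brand's real domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in URL_HOST_RE.findall(text):
        for brand, real_domain in TRUSTED_BRANDS.items():
            if brand in host.lower() and not is_trusted_host(host, real_domain):
                reasons.append(f"link host {host} imitates {real_domain}")
    return reasons


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, spoof_indicators(raw) or ["no indicators"])
```

One caveat a mail administrator should keep in mind: the Authentication-Results header is only trustworthy if your own gateway strips any copy that arrives from the outside before adding its own, otherwise an attacker can simply include a header that says “dmarc=pass”.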
A Little Education Goes a Long Way
Security Awareness Training is exactly what it sounds like – educating yourself and your employees to identify emails that are potentially dangerous. Training can be delivered in many different ways – security awareness manuals, email reminders, in-person classes – but we have found the most effective training to have the following elements:
- Courses – Web-based security courses allow users to look at sample emails and determine if they are safe, in a secure environment. Most importantly, employees also learn what clues should tip them off to a malicious email.
- Testing – Test your user population with simulated phishing emails. Phishing-simulation tools embed a unique link or attachment per recipient, so you can track exactly who clicked a link or opened an attachment and follow up with targeted training.
- Multi-media – Everyone learns differently. Supplying written, visual, and audio guidance helps ensure that everyone understands.
- Repetition – Security awareness needs to be reinforced on a regular basis. This cadence can be determined by your business, but common plans include monthly, quarterly, and semi-annual training.
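The Testing element above relies on one small piece of engineering: each recipient’s link must be unique and unguessable, and a click must be attributed to a user without anyone being able to forge a click for a colleague. The following is an added example (not code from the original article or from any vendor’s product) showing how such tracking links can be generated and how landing-page hits are mapped back to users from ordinary web-server logs. The campaign secret, landing-page URL, user names and log lines are all constructed for illustration.

```python
"""Per-recipient tracking links for a phishing simulation and click attribution (added example)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one secret per campaign, held by the training team and never placed in the email.
CAMPAIGN_SECRET = b"rotate-this-per-campaign"
LANDING_PAGE = "https://training.example.org/oops"  # hypothetical "you clicked" teaching page


def click_token(campaign, user):
    """Unguessable per-user token: an HMAC, so a colleague cannot derive or forge
    someone else's token from their own link (a sequential id would allow that)."""
    digest = hmac.new(CAMPAIGN_SECRET, f"{campaign}:{user}".encode(), hashlib.sha256)
    return digest.hexdigest()[:20]


def tracking_link(campaign, user):
    """Link to embed in the simulated phishing email sent to this user."""
    return f"{LANDING_PAGE}?{urlencode({'c': campaign, 't': click_token(campaign, user)})}"


LOG_REQUEST_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


def attribute_clicks(campaign, users, log_lines):
    """Map landing-page hits back to the users who clicked, with a click count per user.
    Unknown or wrong-campaign tokens are ignored rather than counted, so a tampered
    URL cannot frame a colleague."""
    token_to_user = {click_token(campaign, u): u for u in users}
    clicked = {}
    for line in log_lines:
        match = LOG_REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query)
        if query.get("c", [None])[0] != campaign:
            continue
        user = token_to_user.get(query.get("t", [None])[0])
        if user is not None:
            clicked[user] = clicked.get(user, 0) + 1
    return clicked


def _path_of(url):
    parts = urlparse(url)
    return f"{parts.path}?{parts.query}"


def sample_access_log(campaign):
    """Constructed Apache-style access-log lines: alice clicks twice, carol once,
    bob never clicks, one line carries a forged token, and one is unrelated."""
    def hit(path, ip):
        return f'{ip} - - [12/Mar/2024:09:14:02 +0000] "GET {path} HTTP/1.1" 200 512'
    return [
        hit(_path_of(tracking_link(campaign, "alice")), "10.0.0.11"),
        hit(_path_of(tracking_link(campaign, "carol")), "10.0.0.13"),
        hit(_path_of(tracking_link(campaign, "alice")), "10.0.0.11"),
        hit(f"/oops?c={campaign}&t=deadbeefdeadbeefdead", "10.0.0.99"),  # forged token
        hit("/favicon.ico", "10.0.0.11"),  # unrelated request
    ]


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    print(attribute_clicks("q3-test", users, sample_access_log("q3-test")))
```

Commercial awareness platforms do this for you behind a dashboard; the design point worth understanding is that a tracking id which is guessable, or which is accepted without being tied to a known recipient and campaign, turns the report you use for coaching into something employees can game or dispute.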
For organizations that see the value and want to pursue a Security Awareness Program, there are a couple of ways this can be approached: you can build it from the ground up, using the guidance provided above and having your technical team deliver the content, or you can rely on an outside vendor that provides web-based training, testing, and reporting for your employees.
Whichever path you choose, I can help guide you along the way. If you have questions about building or implementing Security Awareness Training, I can help. You can reach me at firstname.lastname@example.org or 630.592.6252.