3. Change how your message is communicated
Some people learn visually, others learn by listening, and for many it's a combination of both. Change how your security message is delivered to employees. Start with a monthly email, webinar and intranet post, then switch it up with in-person training and videos. Using these different mediums will help the message resonate with more employees. Remember, you will need to communicate a message multiple times for it to stick.
4. Make security relevant to them
Just asking employees to watch out for suspicious-looking emails doesn't drive home the urgency of spear-phishing. Rip it from the headlines. When a large company makes the news for a data breach that started with an employee opening a malicious email, immediately communicate how the same thing could happen to your employee base. It's well-timed, newsworthy and will already be on your executives' radar.
5. Reward good behavior
IT security is known for doom and gloom, but what if you change that perception? Start rewarding your employees for a "Catch of the Week." Run an internal contest that asks employees to report suspicious emails they receive (from both their personal and work accounts). Have them forward the message as an attachment to a dedicated reporting mailbox rather than inline, so the original headers survive and your security team can actually analyse it. Pick your "Catch of the Week" every Friday, reward the employee with a $100 gift card to Starbucks, and publicise the spear-phishing attempt (with any malicious links defanged) for other employees to see.
3 things to never post on social media
Social networks are gold mines of personal information for cybercriminals, especially for crafting targeted spear-phishing emails. Below are three things IT security professionals, and the employees they train, shouldn't post online.
1. Any birthdays/addresses/other personal details that are used for your network passwords
We know you use these for passwords, and for password-reset security questions, despite our best advice. Don't also advertise them on social media, where an attacker can harvest them in minutes.
2. Your vacation schedule and home photos
Posting your travel plans advertises exactly when you will be out of town, and home photos can reveal your address, your household and what is worth stealing. You are doing the criminals' reconnaissance for them.
3. Your phone number
Cybercriminals are getting more creative. More and more criminals are calling targeted employees directly and asking for information. For example, some call and pretend to be from the company help desk, claiming they need to reset a password. When in doubt, go with your gut. If something seems off or you don't know the person, ask for their contact information, hang up, and call back on a number you look up yourself (from the company directory, never the number the caller gives you). Ultimately, it's better to be safe than polite.
Phishing isn't going anywhere. As long as people use social networks and email remains a key workplace communication channel, spear-phishing will be a weapon of choice for cybercriminals.