- Educate end users on the reasons behind corporate security policies and the nature of social engineering to help reduce risky behavior.
- Ensure end users understand corporate policies around the use of personal smartphones and tablets for accessing corporate resources.
With this year’s huge rise in awareness of advanced persistent threats (APTs), now is a good time to educate employees not only about corporate policies and government mandates, but also about the growing risk that these APTs pose to the organization. By explaining the reasons behind the policies, as well as the nature of such attacks, security professionals can get better buy-in from end users and increase the likelihood of changing risky behavior. Because these APTs typically gain entry through sophisticated spear phishing, encouraging heightened vigilance among end users could be one more tool in the security practitioner’s toolbox. Attackers first identify users within the organization who hold credentials for systems with sensitive data, then send those users e-mails that appear legitimate but contain links to sites hosting malicious code or attached documents infected with malware; this is what makes end users the weak link in the chain of trust. In addition, the combination of the growing BYOD phenomenon and the upcoming Christmas shopping season makes this an ideal time to remind end users of the dangers of careless Internet usage, as well as of corporate policies regarding smartphones and tablets.