Email is one tool that can be used to attack an organization, and it’s also a key means of communication. From the information security perspective, there are three main areas of concern: email as a vector for malicious code; email as a data leakage mechanism; and unauthorized access within the email system itself. While each of these issues deserves its own article, this article will focus on justifying the importance of email security awareness training.
Email as an Attack Vector
Most information security professionals are familiar with the concept of a Trojan horse. Imagine someone walking into your office and handing you something that looks like a gift or a newsletter (i.e., it has some kind of cover). The thing inside the package, however, is not what it appears to be. In this article I’ll assume that the attack is a malicious email attachment, one that could infect your computer with a virus or worm (i.e., malware).
One of the biggest problems in dealing with these types of attacks is that users can be tricked into doing the wrong thing and then can’t understand why the “gift” or the “newsletter” is now causing a problem. Other times users are tricked into clicking on links or downloading files from an email when they really shouldn’t have. These emails are so convincing that even security professionals get suckered in from time to time. So what can we do?
Email Security Awareness Training: The First Line of Defense
If an organization has a solid overall information security training program, many of the malicious emails will be caught before they ever get delivered to individual users. While I don’t have statistics on hand that demonstrate this, my personal experience tells me that if an organization has a well-planned and implemented information security awareness training program, it will see a lower rate of infection.
In addition to teaching about basic virus protection techniques, organizations can teach employees about the following:
What email content is likely to be fraudulent or malicious in nature;
When they should report suspicious emails to the help desk;
When they should delete emails and not open any attachments; and,
How to report fraudulent activity when it is suspected.
Why Should Employees Be Trained?
The first question that might come up is, “If employees receive security training today, why do they need a special email security awareness program? Won’t that cover everything?” The answer is, “No.”
For example, if an employee receives information security training on avoiding phishing attacks (i.e., emails that pretend to be coming from a legitimate source when in fact they are not), this doesn’t really help with malicious attachments or deceptive links. In these cases, employees need a special awareness program.
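The red flags this article says employees should learn to recognize (an attachment whose real type is hidden behind a second extension, a link whose visible text names one site while it actually points somewhere else, and replies routed to a different domain than the apparent sender) can also be checked mechanically, which is useful both for triaging what users report and for building training screenshots. The block below is an added example written for this page, not code from the original article; it uses only Python's standard library, runs on a constructed sample message embedded inline, and the list of risky attachment extensions is an assumption for illustration that you would tune to your own environment.

```python
"""Triage an email for the red flags an awareness programme teaches people to spot.

Added example, not from the original article. Uses the standard library only.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of attachment types that deliver code or macros; tune to your environment.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".docm", ".xlsm"}

# Matches an HTML anchor and captures its href and visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Matches something that looks like a domain inside visible link text.
URLISH_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def _host(url):
    """Lower-cased hostname of a URL, or '' when there is none (e.g. mailto:)."""
    return (urlparse(url).hostname or "").lower()


def _domain(addr):
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_links(html):
    """Flag anchors whose visible text names a domain other than the one the href resolves to."""
    flags = []
    for href, text in ANCHOR_RE.findall(html):
        shown_text = re.sub(r"<[^>]+>", "", text).strip()
        match = URLISH_RE.search(shown_text)
        if not match:
            continue  # plain "click here" text: nothing to compare against
        shown, real = match.group(1).lower(), _host(href)
        # A subdomain of the shown site (www.bank.example) is fine; anything else is a mismatch.
        if real and shown != real and not real.endswith("." + shown):
            flags.append(f"link text shows {shown} but points to {real}")
    return flags


def check_attachments(msg):
    """Flag attachments whose final extension is risky, including 'invoice.pdf.exe' style names."""
    flags = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        pieces = name.lower().strip().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            reason = "double extension hides attachment type" if len(pieces) > 2 else "risky attachment type"
            flags.append(f"{reason}: {name}")
    return flags


def check_reply_to(msg):
    """Flag a Reply-To header that sends replies to a different domain than the From address."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if from_addr and reply_addr and _domain(from_addr) != _domain(reply_addr):
        return [f"replies go to {_domain(reply_addr)} instead of {_domain(from_addr)}"]
    return []


def triage(raw):
    """Parse a raw RFC 5322 message and return every red flag found."""
    msg = message_from_string(raw, policy=policy.default)
    flags = check_reply_to(msg)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            flags += check_links(part.get_content())
    return flags + check_attachments(msg)


def build_sample():
    """Constructed sample message in the style of a bank-alert lure (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "Account Security <alerts@bank.example>"
    msg["Reply-To"] = "support@mail-verify.test"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Action required: unusual withdrawal"
    msg.set_content("Please see the attached statement.")
    msg.add_alternative(
        "<p>We blocked a withdrawal. Review it at\n"
        '<a href="http://bank.example.login-verify.test/account">www.bank.example</a>.</p>\n',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="Statement.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    for flag in triage(build_sample()):
        print("FLAG:", flag)
```

Run stand-alone it prints three flags for the sample: the Reply-To domain mismatch, the link whose text says www.bank.example but resolves to a look-alike host, and the double-extension attachment. Each check is deliberately one of the things employees are told to look for, so the output doubles as the explanation you would put next to a screenshot in training material.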
In addition, most organizations have found that training on malicious attachments is more relevant if the same content is also included in an email security awareness campaign. The reason for this is that employees will likely get multiple emails about “avoiding” attachments before they actually become infected with malware through an attachment. In these cases, the odds are that employees will actually pay attention to the instructions if they see them in multiple places.
Getting Employees on Board
Another reason email security awareness training is so important is that many of these attacks rely on social engineering techniques, meaning that attackers try to trick people into doing things they shouldn’t do. Most users want to do the right thing, but may be unsure of how to do so.
For example, if I receive a suspicious email claiming to be from my bank and saying that someone has attempted to withdraw money or change my password, I probably won’t report it unless something seems off. However, with training about what type of emails should be reported (e.g., someone trying to “change” my password or get access to my account), I might have a better idea of what is going on.
If an employee receives security training that describes these types of phishing attacks, and they also receive regular information security awareness emails from their organization, this may increase the odds that employees will report suspicious email activity.
Types of Email Security Awareness Training and the Best Practices
There are many different types of email security awareness training available, but they generally fall into one or more of the following categories:
Email-borne threats overview: provides an overall description of what is happening in the world and why employees need to be aware;
Source identification: links specific attacks with their sources and provides tips on how to avoid phishing or other types of email-borne threats.
The best approach is to have a combination of both types in your training program. An organization’s security team should analyze the current trends in the industry and then use that analysis to develop the content. This gives the organization a training program tailored directly to its environment and the threats it is currently facing.
Below are some tips for making email security awareness training as effective as possible:
Make sure employees know why you’re sending them information about security and what they can do.
Be specific rather than general. This will help employees remember the training.
Use lots of examples with screenshots or actual email messages they can refer to later on.
Test employees’ knowledge after you have trained them to see what they retained from your training.
In addition, some other common best practices for effective security awareness training are:
Don’t send too much information all at once. This will make it hard for employees to process what they have learned. Instead, consider breaking up the information over several emails or sending a monthly newsletter that covers security topics.
Send emails on specific topics when there is news (e.g., CEO fraud). Then, make sure to follow up over time so employees can remember what they learned and how it relates to current events.
Use examples of actual phishing attacks in your security awareness training program. This is particularly effective because employees will better remember these emails if they have seen them before.