Regardless of the systems we put into place, our final line of defense will always be end-users. I’ve stated for years that my real job is behavior modification, trying to increase security awareness through a series of email messages with information on the latest scams, zero-day exploits, and general horror stories about the impact of blindly clicking simply because a message or web site tells them to. Unfortunately, I’ve discovered that many within the organization tend to ignore any email coming from IT.
We all go to events, conferences and vendor showcases, and generally return with more promotional items than we could ever use. I’ve started dropping a paragraph into my security messages telling staff to respond to the message before the close of business on a given date to be entered into a drawing to win some ‘fabulous’ prize. I follow up with an All Staff message slugged ‘We Have A Winner’ to announce our lucky employee.
Of course, someone generally complains that they never received any notification of the contest. When I show them the unopened email in their inbox they’re suitably chagrined, and I know that I have yet another person who will be reading every word of anything regarding security.