Phishing and social engineering continue precisely because they are so effective!
Sophisticated User: If you are the vice president of customer service and you receive an email purportedly from the Better Business Bureau that contains a link to Complaint #67587 about one of your products, how do you not click through on that embedded link?
Unsophisticated User: If you are an 80-something grandmother and a scary red screen pops up in your browser that looks superficially like it is from Microsoft and tells you that your system has been compromised, how do you not click on the embedded URL?
My brother has a great sense of humor, but knows nothing about computer security. It takes discipline not to click, from my work computer, on the embedded links to a joke or video that he sends, even though I completely trust the source.
Here are a few tips to follow:
- Develop an appropriate use policy that spells out how corporate IT resources can and cannot be used. For example, don’t visit shady web sites at work.
- Don’t click on embedded hyperlinks in an incoming email message from someone you don’t know and trust. Too often, it is a malware vector.
- Don’t share passwords – IT should set minimum password quality standards.
- Don’t ever download software onto a work machine when a web site requests you to do so – your browser has all the software you need. Let the IT professionals take care of any software updates or upgrades.
- Don’t copy data from a controlled production environment (like an HR application or accounting system) to an uncontrolled device like a thumb drive or to a spreadsheet.
- Employee security awareness must be a compulsory part of onboarding every employee and those responsibilities should be formally acknowledged annually.
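The "embedded link" tip above is the one that tools can help with: a phishing message usually shows one host in the visible link text (or relies on a name that resembles a known organisation) while the actual href points somewhere else. The following is an added example, not code from the original post, that pulls every anchor out of an HTML email body and flags links whose visible text names a different host than the target, or whose target is not on an allow-list of known hosts. The sample message, the hostnames (`bbb.example`, `bbb-complaints.example`, `corp.example`) and the allow-list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, or None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of an http(s) URL, or '' if the value is not one.
    Scheme-less values such as 'www.bbb.example/x' are treated as http.
    Caveat: a bare 'host:port/path' parses as a scheme and is skipped."""
    p = urlparse(url)
    if p.scheme and p.scheme not in ("http", "https"):
        return ""
    if not p.netloc:
        p = urlparse("http://" + url)
    return (p.hostname or "").lower()


def _same_or_subdomain(host, parent):
    return host == parent or host.endswith("." + parent)


def suspicious_links(html_body, trusted_hosts):
    """Return (href, visible_text, reason) for each link a reader should not
    click blindly. trusted_hosts lists hostnames (and, implicitly, their
    subdomains) that the organisation considers known."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        target = _host(href)
        if not target:
            continue  # empty, mailto:, javascript:, etc. are out of scope here
        # Only treat the visible text as a URL if it looks like one.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and not _same_or_subdomain(target, shown):
            findings.append((href, text,
                             "visible text names a different host than the link target"))
            continue
        if not any(_same_or_subdomain(target, t) for t in trusted_hosts):
            findings.append((href, text, "link target is not a known host"))
    return findings


# Constructed sample: a fake "complaint" notice of the kind described in the post.
SAMPLE_EMAIL = """
<p>A complaint has been filed against your company.</p>
<p><a href="http://bbb-complaints.example/case/67587">www.bbb.example/complaint/67587</a></p>
<p><a href="https://intranet.corp.example/policy">Acceptable use policy</a></p>
<p><a href="https://www.bbb.example/contact">Contact the BBB</a></p>
"""

# Constructed allow-list of hosts this (hypothetical) organisation knows.
TRUSTED_HOSTS = ["corp.example", "bbb.example"]


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED_HOSTS):
        print(f"FLAG: {reason}\n  shown as: {text}\n  goes to:  {href}")
```

In the sample, only the first link is flagged: its text reads like a `bbb.example` address while the href goes to `bbb-complaints.example`. The check is deliberately conservative (an unknown host is a reason to look, not proof of malice), which is what you want in a gateway banner or an awareness exercise: it shows the reader where the link really goes before they decide.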