The Best Defense


The best defense a company can have against cyber and social engineering attacks is to have educated people:
people who know how to manage systems, people who know how to be cautious, and people who know when they need to escalate and report.

When the people in your company receive company email about security awareness, it is important for executives, management, and supervisors to promote the material and for the staff to want to read it. By the same token, it is important to make the material fun, simple, and to the point.

A great publication to read is NIST SP 800-50 (Building an Information Technology Security Awareness and Training Program), which focuses on people and awareness rather than on technology.

Below are some of the awareness topics it lists. I’m thinking about writing some articles based on them, perhaps open articles that can be used for businesses. Perhaps.

• Password Usage and Management
• Protection from Malware
• Policy: Implications of non-compliance
• Unknown email and attachments
• Web Usage
• Spam
• Social Engineering
• Incident Response
• Shoulder Surfing
• Changes in system environment – increases in risks to systems and data (e.g., water, fire, dust or dirt, physical access)
• Inventory and property transfer – identify responsible organization and user responsibilities (e.g., media sanitization)
• Personal use and gain issues – systems at work and home
• Handheld device security issues – address both physical and wireless security issues
• Use of encryption and the transmission of sensitive/confidential information over the Internet – address agency policy, procedures, and technical contact for assistance
• Laptop security while on travel – address both physical and information security issues
• Personally owned systems and software at work
• Timely application of system patches
• Software license restriction issues
• Supported/allowed software on organization systems
• Access control issues
• Individual accountability
• Use of acknowledgement statements – passwords, access to systems and data, personal use and gain
• Visitor control and physical access to spaces – discuss applicable physical security policy and procedures, e.g., challenge strangers, report unusual activity
• Desktop security – discuss use of screen-savers, restricting visitors’ view of information on screen (preventing/limiting “shoulder surfing”), battery backup devices, allowed access to systems
• Protect information subject to confidentiality concerns – in systems, archived, on backup media, in hard-copy form, and until destroyed
• E-mail list etiquette – attached files and other rules.

This entry was posted in Security Blog.